Status Planned
Categories Functionality
Created by Jörn Lamb
Created on Nov 15, 2022

Nested Organizational Groups

At the moment, the organizational groups in the cubeDesigner can only contain users, roles and units, but no other groups. It would be very helpful if we could also add groups to other groups.

Example: In our company, 90% of our organizational groups are maintained in ActiveDirectory / SAP-IDM and synchronized to Doxis via OrgaTransmitter. Furthermore, most of our Doxis applications are being used in many countries. Therefore, we create individual AD-groups for each country so that the IT-departments in each country can assign users that should be using the corresponding application. However, all localized groups provide access to the same Doxis application, so we have to manually assign all necessary access rights in cubeDesigner for all the groups. This is especially annoying if an additional country should be allowed to use an existing application. Since a new group must be created, all Doxis rights must be assigned for this new group all over again.

It would be much easier if we could create one Doxis group that contains all the necessary access rights and then just add the groups from ActiveDirectory as nested groups.

  • Jörn Lamb
    Jan 19, 2023

    @ Ingo Gerken: We are already using both the matching rule and the memberEvaluationFilter you mentioned in our OrgaTransmitter, but this does not solve the problem. We still have many groups in our cubeDesigner that are synchronized from AD that all have the same access rights. From our point of view, the only solution would be to enable Doxis groups to contain other groups as described above.

  • Admin
    Ingo Gerken
    Dec 19, 2022

    Nested groups are currently not supported in Doxis. But users and memberships of nested AD groups can be synchronized to Doxis users and groups by using rules/filters in OrgaTransmitter.

    If the purpose is the filtering of users that should be synchronized then it is possible to use a matching rule: <user ... filter="(memberOf:1.2.840.113556.1.4.1941:=CN=Doxis...)">.

    If the purpose is to synchronize the main groups and put there the users which are indirect members of these groups, it is possible to use memberEvaluationFilter in the group element, i.e. <group ... memberEvaluationFilter="...">

  • Guest
    Nov 17, 2022

    That's exactly what I am looking for. We grant permissions to document classes etc. to a Doxis group that is synced from AD. If I want to grant those permissions e.g. to a whole department, I want to add the AD group of the specific department instead of adding every user on his own.
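The matching rule with OID 1.2.840.113556.1.4.1941 quoted in the admin reply asks Active Directory to follow group nesting when evaluating memberOf. The sketch below is an added example, not code from Doxis or OrgaTransmitter: it emulates that evaluation over a constructed in-memory directory (all DNs, the example.com domain and the function names are assumptions), and shows why the expansion has to tolerate circular nesting and why a DN placed into a filter should be escaped.

```python
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # OID quoted in the admin reply

def dn(cn, ou):
    """Build a constructed sample DN (example.com is a placeholder domain)."""
    return f"CN={cn},OU={ou},DC=example,DC=com"

ROOT = dn("Doxis-Invoices", "Groups")
DE, FR, HR = dn("Invoices-DE", "Groups"), dn("Invoices-FR", "Groups"), dn("HR", "Groups")

# Constructed directory: group DN -> direct members (user or group DNs).
DIRECTORY = {
    ROOT: [DE, FR],
    DE: [dn("alice", "Users"), dn("bob", "Users")],
    FR: [dn("carol", "Users"), ROOT],  # circular nesting, must not loop forever
    HR: [dn("dave", "Users")],
}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def in_chain_filter(group_dn):
    """Filter string matching direct and indirect members of group_dn."""
    return f"(memberOf:{IN_CHAIN_OID}:={escape_filter_value(group_dn)})"

def indirect_users(directory, group_dn):
    """Return every user reachable from group_dn through nested groups."""
    seen, users, stack = set(), set(), [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:  # already expanded: breaks membership cycles
            continue
        seen.add(current)
        for member in directory.get(current, []):
            if member in directory:
                stack.append(member)  # nested group: expand it later
            else:
                users.add(member)  # leaf entry: treated as a user
    return users

if __name__ == "__main__":
    print(in_chain_filter(ROOT))
    for user in sorted(indirect_users(DIRECTORY, ROOT)):
        print(user)
```

Comparing the flattened set per synchronized group is also a quick way to audit who actually receives the access rights attached to it.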