Set Up Granular Access With Gopher for Users

To restrict which OUs your users have access to with Gopher for Users, the Admin Roles for Gopher for Users must be split into Global and Granular categories. This is necessary because some of the scopes Gopher for Users uses cannot be delegated per OU in the Admin console.

Global Scopes

The only Global scopes that Gopher for Users requires are the Admin API Privileges for Reading/Updating Groups and Schema management. If you wish to restrict Administrators from updating group memberships, you can set these permissions to Read-only.

You can assign these privileges to a newly created role, or add them to an existing role, in the Admin roles area of the Admin console.

  1. In the Admin console, navigate to Account > Admin roles.
  2. Select an existing role or create a new role.
  3. Go to Privileges or Select privileges depending on whether you are working with an existing or new role.
  4. The Privileges page has two sections: Admin console privileges and Admin API privileges. Scroll down to the Admin API privileges section.
    [Screenshot: GopherforUsersAdminPrivileges.png]
  5. Scroll to or search for Groups.
    • Check the Read and Update checkboxes nested under Groups.
  6. Scroll to or search for Schema Management.
    • Check the Schema Management checkbox.
      [Screenshot: DomainAPIG4Users.png]
  7. Click Save.

Granular Scopes

You can configure the remainder of the scopes at a Granular, per-OU level. Of these, the required privileges are Read access to Users and OUs. All other settings can be configured to whatever level you wish to allow the users holding this role within the particular OU. For example, you can set up an Admin Role that only provides access to the Reset Password and Force Password Change features of Gopher for Users.

Note: Gopher for Users does not detect the level of Admin Access granularly and shows all columns to the end-user. Any edits in columns an Admin does not have access to will cause the entire update for that user to fail.

To grant granular access, you'll need to create two roles: one that grants access to the specific OU assigned to the user, and another that gives global access to the Groups and Schema privileges, which cannot be scoped to an OU.
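A way to verify that an admin actually holds this two-role split, as an added example that is not part of the Gopher for Users documentation or product: the checker below walks the role and role-assignment records in the shape returned by the Admin SDK Directory API (roles.list and roleAssignments.list, where a role assignment carries scopeType CUSTOMER or ORG_UNIT plus an orgUnitId) and reports anything that deviates from the article's rules. The records, IDs and the serviceId value are constructed sample data, and the privilege names are assumed to match what your tenant's privileges.list returns; confirm them there before relying on the output.

```python
"""Audit an admin's role assignments against the Gopher for Users global/granular split.

Added example, not from the Gopher for Users documentation. Runs offline on
constructed records shaped like Directory API roles / roleAssignments resources.
"""

# Privileges the article requires customer-wide: Groups read and Schema management.
# GROUPS_UPDATE is deliberately optional, since the article allows Read-only on Groups
# to stop admins from changing memberships. (Names assumed to match privileges.list.)
GLOBAL_REQUIRED = {"GROUPS_RETRIEVE", "SCHEMA_MANAGEMENT"}
# Privileges the article requires on the per-OU role.
GRANULAR_REQUIRED = {"USERS_RETRIEVE", "ORGANIZATION_UNITS_RETRIEVE"}
# Privilege families that should only ever appear on the OU-scoped role; granting
# them customer-wide silently undoes the per-OU restriction.
OU_ONLY_PREFIXES = ("USERS_", "ORGANIZATION_UNITS_")


def privileges_of(role):
    """Set of privilege names carried by a role record."""
    return {p["privilegeName"] for p in role.get("rolePrivileges", [])}


def audit(roles, assignments, admin_id, expected_ou_id):
    """Return a list of findings; an empty list means the split matches the article."""
    by_id = {r["roleId"]: r for r in roles}
    findings = []
    global_privs, granular_privs = set(), set()
    for a in assignments:
        if a["assignedTo"] != admin_id:
            continue
        role = by_id.get(a["roleId"])
        if role is None:
            findings.append(f"assignment references unknown roleId {a['roleId']}")
            continue
        privs = privileges_of(role)
        if a["scopeType"] == "CUSTOMER":
            global_privs |= privs
            wide = sorted(p for p in privs if p.startswith(OU_ONLY_PREFIXES))
            if wide:
                findings.append(
                    f"role {role['roleName']} grants {wide} customer-wide, "
                    "which bypasses the per-OU restriction")
        elif a["scopeType"] == "ORG_UNIT":
            if a.get("orgUnitId") != expected_ou_id:
                findings.append(
                    f"role {role['roleName']} is scoped to OU {a.get('orgUnitId')!r}, "
                    f"expected {expected_ou_id!r}")
            else:
                granular_privs |= privs
        else:
            findings.append(f"unexpected scopeType {a['scopeType']} on role {role['roleName']}")
    missing_global = sorted(GLOBAL_REQUIRED - global_privs)
    if missing_global:
        findings.append(f"global role(s) missing {missing_global}")
    missing_granular = sorted(GRANULAR_REQUIRED - granular_privs)
    if missing_granular:
        findings.append(f"per-OU role(s) missing {missing_granular}")
    return findings


# Constructed sample data (not real tenant IDs): one global role, one OU-scoped role.
SAMPLE_ROLES = [
    {"roleId": "100", "roleName": "G4U Global", "rolePrivileges": [
        {"privilegeName": "GROUPS_RETRIEVE", "serviceId": "svc-dir"},
        {"privilegeName": "GROUPS_UPDATE", "serviceId": "svc-dir"},
        {"privilegeName": "SCHEMA_MANAGEMENT", "serviceId": "svc-dir"},
    ]},
    {"roleId": "200", "roleName": "G4U Sales OU", "rolePrivileges": [
        {"privilegeName": "USERS_RETRIEVE", "serviceId": "svc-dir"},
        {"privilegeName": "ORGANIZATION_UNITS_RETRIEVE", "serviceId": "svc-dir"},
        {"privilegeName": "USERS_UPDATE", "serviceId": "svc-dir"},
    ]},
]
SAMPLE_ASSIGNMENTS = [
    {"roleId": "100", "assignedTo": "admin-1", "scopeType": "CUSTOMER"},
    {"roleId": "200", "assignedTo": "admin-1", "scopeType": "ORG_UNIT", "orgUnitId": "id:sales"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS, "admin-1", "id:sales") or ["OK"]:
        print(line)
```

In practice you would feed `audit` the `items` arrays from real roles.list and roleAssignments.list responses; the check that flags USERS_* or ORGANIZATION_UNITS_* privileges on a CUSTOMER-scoped assignment is the one worth keeping in a periodic review, because that is the misconfiguration that quietly turns a per-OU delegation into domain-wide access.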

[Screenshot: DomainAPIG4PerOU1.png]

[Screenshot: DomainAPIG4Users.png]

Document Version   Date        Description of Change
1.0                8/15/2024   Updated text, replaced screenshots, reverify
