To restrict which OUs your users have access to with Gopher for Users, the Admin Roles for Gopher for Users will need to be split into two categories; Global and Granular. This is because some scopes which User Gopher makes use of cannot be restricted within the Admin console to a per OU delegation.
The only Global scopes which Gopher for Users requires are the Admin API Privileges for Reading/Updating Groups and Schema management. If you wish to restrict Administrators from updating group memberships, these permissions can be set to Read-only.
The remainder of the scopes can be configured on a Granular, per OU level. Of these, the required privileges are Read access to Users and OUs. All other settings can be configured to the level you wish to allow your users within this role, for the particular OU. For example, you can set up an Admin Role that only allows access to the Reset Password and Force Password Change features of Gopher for Users.
Note: Currently, Gopher for Users does not detect the level of Admin Access granularly, and shows all columns to the end-user. Any edits in columns an Admin does not have access to will cause the entire update for that user to fail.
For you to grant granular access, you'll need to create two roles. One that grants access to the specific OU assigned to the user and another that gives global access to permissions that can not be scoped for Groups and Schema.
|Description of Change