Role Owners
A DSMC user becomes a role owner when you assign a role to that user within a specific range of action. The user can then perform every task the role encompasses, but only for objects in that range of action.
Role definitions are global, while role ownerships are local.
In other words: Owners of a specific role can always perform the same tasks everywhere. However, a specific user can be the owner of a specific role in one range of action but not in another range of action.
To assign roles, you can use the following objects of the organization tree:
- user
- external user groups (e.g. from the Active Directory, AD)
Assigning Roles to Groups
If a role is assigned to a (static or dynamic) group (i.e. the group is the target of the role assignment), the role is granted to the individual members of the group at that moment, not to the group itself.
Later changes to the memberships of users in static or dynamic groups do not have any effect!
There is one exception to this rule: groups imported from a directory service.
A role may be assigned directly to an imported external group (e.g. an AD group). Role ownership is not linked to the individual users but directly to the external group and is synchronized continuously.
If group members are removed from the group, they lose their role automatically. If new members are added to the group (e.g. via the AD), they automatically get the new role.
When the DSMC is restarted, the system checks for changes to the memberships of external groups. The system also checks the AD group memberships of the user who started the DSMC. If you import AD groups as external groups into the organization tree at the same time, the user also becomes a member of the external group. A user that has not yet been created in DSM is created automatically if the user is a member of an external group for which role assignments exist in DSM.
If a user's membership in an external group changes, the user whose rights have been changed must restart the DSMC.
The membership in external groups is based on locally cached AD information and is determined when the DSMC starts. To ensure current AD information, we recommend that the respective user logs off, then logs on again and then restarts the DSMC.
Example: Organization Containers, Ranges of Action and Role Ownership for Groups
This figure shows the correlation between the different ranges of action and the organization containers for groups:
- Groups are not organization containers
The "Nested Dynamic User Group" is not an organization container in the organization tree but only a "filter". The range of action of the parent OU defines the potential members of the group.
The "VisibleUser" is within the OU's range of action. It can therefore be a member of the "Nested Dynamic User Group" if the LDAP filter has been configured accordingly. The user's "visibility" for the "Nested Dynamic User Group" does not end with the parent "Dynamic User Group".
The "Invisible User", however, is a member of the domain and resides outside of the OU's range of action in the organization tree. This user cannot become a member of the dynamic group.
- Groups are ranges of action
In the example, the "Nested Dynamic User Group" is a range of action for a role owner. The administrator may grant a role owner the right to execute the tasks of the role only within this group (and possibly the child groups).
- Role assignment to a group
The administrator may also assign role ownership to a group itself (i.e. to all of the users combined in this group). This grants the members of the "Nested Dynamic User Group", for example, the right to execute tasks in a range of action. With static and dynamic groups, role assignment is a one-time process, a "snapshot": changes to the group membership do not affect the role ownership of individual users. This is different for external groups (e.g. from the Active Directory).
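The following Python model is an added example, not DSM product code, that contrasts the "snapshot" assignment to static/dynamic groups with the linked assignment to external (AD) groups described in the sections above, and flags snapshot owners who have since left the group, which is the audit check an administrator would want. Group names, user names, the range of action "OU=Sales" and the role "ExampleRole" are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RoleAssignment:
    role: str
    range_of_action: str       # container the role may be exercised in
    target: str                # user name or group name
    snapshot: Optional[frozenset] = None   # members frozen at assignment time

def assign_role(role, range_of_action, target, groups, external_groups):
    """Assign a role the way the text describes.
    Static/dynamic group: members are resolved once (snapshot).
    External (AD) group or single user: the link to the target is kept."""
    if target in groups and target not in external_groups:
        return RoleAssignment(role, range_of_action, target, frozenset(groups[target]))
    return RoleAssignment(role, range_of_action, target)

def effective_owners(assignment, groups):
    """Who currently holds the role in the assignment's range of action."""
    if assignment.snapshot is not None:
        return set(assignment.snapshot)              # membership changes are ignored
    if assignment.target in groups:
        return set(groups[assignment.target])        # external group: live membership
    return {assignment.target}                       # directly assigned user

def stale_owners(assignment, groups):
    """Snapshot owners who have since left the group: an audit finding."""
    if assignment.snapshot is None:
        return set()
    return set(assignment.snapshot) - set(groups.get(assignment.target, ()))

def run_scenario():
    # Constructed sample data: one dynamic group, one imported AD group.
    groups = {"DynSalesUsers": {"alice", "bob"}, "AD-SalesAdmins": {"carol"}}
    external = {"AD-SalesAdmins"}
    dyn = assign_role("ExampleRole", "OU=Sales", "DynSalesUsers", groups, external)
    ext = assign_role("ExampleRole", "OU=Sales", "AD-SalesAdmins", groups, external)
    # Memberships change afterwards (e.g. AD sync, changed LDAP filter result).
    groups["DynSalesUsers"] = {"alice", "dave"}
    groups["AD-SalesAdmins"] = {"carol", "erin"}
    return {
        "dynamic_owners": effective_owners(dyn, groups),   # still alice and bob
        "external_owners": effective_owners(ext, groups),  # now carol and erin
        "stale": stale_owners(dyn, groups),                # bob left but keeps the role
    }
```

Running `run_scenario()` shows that bob retains the role after leaving the dynamic group while erin gains it automatically through the external group, which is why only external groups should be used where membership-driven revocation matters.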