This would not work for my use case, because I need one admin user allowed to 
administer to users from Org A and another one allowed to administer to users 
from Org B.

Some of the users from Org A, but not all of them, need to get the permissions 
from perm group B, which are administered by admin user B (resp. admin role B), 
but the decision which users are these is not in the hands of admin B. He should 
not see users that don't need permissions from perm group B.
It would be easy if Fortress would allow to set Org B as additional Org Unit 
to these users.
Using ReviewMgr.findUsers(OrgUnitB) I could get these users.

More cumbersome is to get the roles from role range from admin role B and then 
get the users by
ReviewMgr.assignedUsers(roleX(endrange)) 
I would use a general role in role range of admin role B to assign to users, 
which should be found from admin B to be administered.
It's possible but it is a more complicated way for this use case.

Is it ARBAC or is it Fortress that doesn't allow more than one Org Unit per user?
Olaf Jentsch

-----Original Message-----
From: Shawn McKinney [mailto:[email protected]] 
Sent: Friday, September 11, 2015 3:40 AM
To: [email protected]
Subject: Re: User membership in different OrgUnit's

> 
> On Sep 10, 2015, at 6:30 AM, Olaf Jentsch <[email protected]> wrote:
> 
> I would like to separate different administrative tasks for different 
> permissions but to show the same user for different administrative roles.
> 
> A user u has RoleA in order to get permissions in perm group PA.
> I create an admin role AdminA, which can assign RoleA to users in Org 
> Unit OUA in order to get permissions from perm group A, so happened for user 
> u when AdminA assigned RoleA to him.
> 
> There is a new application with its own permissions organized in perm group B 
> and assigned to RoleB.
> I would like to create a similar admin role AdminB, which can assign RoleB to 
> users in OUB in order to get permissions from perm group B.
> 
> But now the user u in OUA needs the permissions from perm group B. AdminB 
> cannot assign RoleB to him, because user u is in OUA and not in OUB.
> And I don't want AdminB watching all users in OUA, he only should see users 
> from OUB.
> 
> Fortress should allow the assignment of several OUs for this use case or is 
> something wrong in my structure?

You could achieve nearly the same thing by structuring the ous hierarchically.  

For example you could have a structure like this:

User Org A: parent X
User Org B: parent X

Then you could add a new admin role that has X as the user ou assignment.  
Assignees of this role would be allowed to administer to users from both Org A 
and Org B.

Would that work?

Shawn
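
Added example, not part of the original messages and not Fortress code: a small Python model of the user-OU check discussed in this thread, with OUA and OUB under parent X. The admin role AdminX, the users v and w, and the use of a plain role set in place of a role range are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed OU tree from the thread: OUA and OUB share parent X (child -> parent).
OU_PARENT = {"OUA": "X", "OUB": "X", "X": None}

@dataclass(frozen=True)
class User:
    name: str
    ou: str  # exactly one user OU per user, as described in the thread

@dataclass(frozen=True)
class AdminRole:
    name: str
    user_ous: frozenset  # OUs whose users this admin role may administer
    roles: frozenset     # simplification: a role set stands in for the role range

def in_scope(ou, admin_ous):
    """True if ou equals, or descends from, one of the admin role's user OUs."""
    seen = set()
    while ou is not None and ou not in seen:  # 'seen' guards against a cyclic tree
        if ou in admin_ous:
            return True
        seen.add(ou)
        ou = OU_PARENT.get(ou)
    return False

def can_assign(admin, user, role):
    """Both conditions must hold: role is assignable and the user's OU is in scope."""
    return role in admin.roles and in_scope(user.ou, admin.user_ous)

def visible_users(admin, users):
    """Users this admin role would be able to administer (and therefore see)."""
    return sorted(u.name for u in users if in_scope(u.ou, admin.user_ous))

# Constructed sample data: u is the user from the thread, v and w are hypothetical.
USERS = [User("u", "OUA"), User("v", "OUA"), User("w", "OUB")]
ADMIN_A = AdminRole("AdminA", frozenset({"OUA"}), frozenset({"RoleA"}))
ADMIN_B = AdminRole("AdminB", frozenset({"OUB"}), frozenset({"RoleB"}))
ADMIN_X = AdminRole("AdminX", frozenset({"X"}), frozenset({"RoleA", "RoleB"}))

if __name__ == "__main__":
    u = USERS[0]
    print("AdminB can assign RoleB to u:", can_assign(ADMIN_B, u, "RoleB"))
    print("AdminX can assign RoleB to u:", can_assign(ADMIN_X, u, "RoleB"))
    print("AdminB sees:", visible_users(ADMIN_B, USERS))
    print("AdminX sees:", visible_users(ADMIN_X, USERS))
```

In this model the parent-OU admin role reaches user u, and its visible set covers every user under X, which is the trade-off the two messages are discussing.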
