Security officer access rights and Active Directory import
You need to make sure you have the appropriate access rights when importing the organizational structure. The following information tells you about the access rights requirements.
- If you add an Active Directory connection to a domain that already exists, the following applies:
  - If you have Full access rights for the domain (DNS), the directory connection credentials are updated.
  - If you have Read only rights or less for the domain (DNS), the credentials are not updated, but you can use the existing credentials for synchronization purposes.
- For Active Directory import and synchronization, the access rights to a container or a domain are projected onto the domain tree you import or synchronize. If you do not have Full access rights for a sub-tree, that sub-tree cannot be synchronized. If a sub-tree cannot be modified, it is not shown in the synchronization tree.
- Regardless of your security officer access rights for directory objects, you can import a new domain from Active Directory if it does not exist in the SafeGuard Enterprise Database yet. You and your superior security officers are granted Full access rights to the new domain automatically.
- If you select a sub-container for synchronization, synchronization has to be done all the way up to the root. In the synchronization tree, all relevant containers are selected automatically, even if containers above the sub-container are Read only or Denied according to your access rights. If you deselect a sub-container, you may also have to deselect containers up to the root, depending on your access rights. If a group with Read only or Denied access is included in a synchronization process, the following happens:
  - The group's memberships are not updated.
  - If the group was deleted in Active Directory, it is not deleted from the SafeGuard Enterprise Database.
  - If the group was moved in Active Directory, however, it is moved within the SafeGuard Enterprise structure. This includes moving the group to a container that you do not have Full access rights for.
  If a container with Read only or Denied access is included in the synchronization because it lies on the way up to the root, and the container contains a group with Full access, this group is synchronized. Groups with Read only or Denied access are not.
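As an added illustration (not SafeGuard Enterprise code; the container and group names are constructed), the following Python model encodes the rules above: selecting a sub-container pulls every container up to the root into the run, and the officer's access to each group decides which of the three changes (membership update, deletion, move) the run applies.

```python
# Added model of the synchronization rules described above; not SafeGuard Enterprise code.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Access(Enum):
    FULL = "Full"
    READ_ONLY = "Read only"
    DENIED = "Denied"


@dataclass
class Container:
    name: str
    access: Access                          # the officer's right on the container itself
    parent: Optional["Container"] = None
    groups: Dict[str, Access] = field(default_factory=dict)  # group -> officer's right on it


def containers_to_root(selected: Container) -> List[Container]:
    """Selecting a sub-container selects every container up to the root, whatever its access."""
    chain: List[Container] = []
    node: Optional[Container] = selected
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain[::-1]  # root first


def group_sync_effects(access: Access) -> Dict[str, bool]:
    """What one synchronization run applies to a group, by the officer's access to it."""
    full = access is Access.FULL
    return {
        "memberships_updated": full,   # Read only / Denied: memberships stay as they are
        "deletion_propagated": full,   # Read only / Denied: a deletion in AD is not applied
        "move_propagated": True,       # a move in AD is applied regardless of access
    }


def plan_synchronization(selected: Container) -> dict:
    """Containers pulled into the run and the per-group effects for the selected sub-container."""
    plan = {"containers": [], "groups": {}}
    for container in containers_to_root(selected):
        plan["containers"].append(container.name)
        for group, access in container.groups.items():
            plan["groups"][group] = group_sync_effects(access)
    return plan


def build_sample() -> Container:
    """Constructed sample: a Read only root domain holding a Full group and a Read only group,
    with a Full sub-container (the one the officer selects for synchronization)."""
    root = Container("corp.example", Access.READ_ONLY,
                     groups={"Admins": Access.FULL, "Helpdesk": Access.READ_ONLY})
    return Container("Sales", Access.FULL, parent=root, groups={"Reps": Access.FULL})
```

Running `plan_synchronization(build_sample())` shows the Read only root being included because it lies on the way to the root, its Full group "Admins" being fully synchronized, and its Read only group "Helpdesk" receiving moves only.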