Example: Either/or rules for user class memberships
This configuration example covers the case where a company wants to grant users in the IT-HELPDESK-MANAGERS and HR-MANAGERS Active Directory groups permission to reset user passwords without requiring authentication. A user from EITHER of these Active Directory groups is granted the permission. Therefore, a user group must be configured with the required privilege and must allow membership from ANY of its assigned user classes.
The built-in HELP_DESK_MANAGER user group already has the required privileges to bypass authentication to reset user passwords. To assign user classes to the user group, we must add the IT-HELPDESK-MANAGERS and HR-MANAGERS AD groups to separate user classes.
This use case assumes an Active Directory target called AD has been configured and has both the IT-HELPDESK-MANAGERS and HR-MANAGERS groups managed.
Add IT-HELPDESK-MANAGERS AD group to the built-in _HELP_DESK_MANAGERS_ user class
As superuser, navigate to Manage the system > Policies > User classes.
Select the _HELP_DESK_MANAGERS_ user class.
We need to add membership criteria to this user class.
Click the Criteria tab.
In the group memberships table, click Add new...
In the Target system field, enter AD. Click the search icon next to the Group: field.
Search for and select the IT-HELPDESK-MANAGERS group.
Click Add.
Click the Test tab and click List to see the users that are now members of the _HELP_DESK_MANAGERS_ user class.
Return to the General tab and next to the option for Membership cache valid click Recalculate.
You may need to click the Recalculate button twice and refresh the window before it says the cache is valid.
Users have been successfully added as members to the _HELP_DESK_MANAGERS_ user class.
Add HR-MANAGERS AD group to a newly created HR_MANAGERS user class
Now we need to define a user class for the HR-MANAGERS Active Directory group and add the group to it.
As superuser, navigate to Manage the system > Policies > User classes.
Click Add new..., since no user class for the HR-MANAGERS group exists yet.
Enter the following:
ID: HR_MANAGERS
Description: HR department managers
Leave Types of policies where this user class is permitted to be used as the default value.
Click Add.
This takes you to the Participants tab.
Click Add new... to define participants of the user class.
Enter the following:
ID: USERID
Description: User ID
Click Add.
This takes you to the Criteria tab.
In the group memberships table, click Add new...
In the Target system field, enter AD. Click the search icon next to the Group: field.
Search for and select the HR-MANAGERS group.
Click Add.
Click the Test tab and click List to see the users that are now members of the HR_MANAGERS user class.
Return to the General tab and next to the option for Membership cache valid click Recalculate.
You may need to click the Recalculate button twice and refresh the window before it says the cache is valid.
Users have been successfully added as members to the HR_MANAGERS user class.
Assign both user classes to the HELP_DESK_MANAGER user group
As superuser, navigate to Manage the system > Security > Access to user profiles > Global help desk rules.
Select the HELP_DESK_MANAGER user access rule.
The privileges are already set by default to allow help desk managers to see a user's security questions for the help desk question set and to bypass them without requiring authentication. This is controlled by the view and bypass security questions privileges.
Click the Membership criteria tab.
Confirm that the _HELP_DESK_MANAGERS_ user class is already listed as a member; it is included by the default configuration.
To add the HR_MANAGERS user class as a member, click Add new...
From the list of user classes, search for and select HR_MANAGERS.
Click Add.
Click the radio button for Any of the user classes on the Membership criteria tab.
Click Update.
Now, to be a member of the HELP_DESK_MANAGER user group, a user needs to be a member of either the _HELP_DESK_MANAGERS_ user class or the HR_MANAGERS user class (or both).
Click the General tab and click Recalculate for Membership cache valid.
Through this configuration, permission to reset user passwords without requiring authentication has now been given to users in the IT-HELPDESK-MANAGERS and HR-MANAGERS Active Directory groups.
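As an added illustration (example code, not part of the product or this page), the following model shows how the configuration above resolves to a privilege for a given user: each user class is satisfied by membership in its AD group, the user group combines its user classes with "Any of" (the either/or rule) or "All of", and membership is read from a cache that only changes when it is recalculated. The users and the SALES group are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample of the "AD" target system: user -> managed AD groups.
AD_MEMBERSHIPS = {
    "alice": {"IT-HELPDESK-MANAGERS"},
    "bob": {"HR-MANAGERS"},
    "carol": {"IT-HELPDESK-MANAGERS", "HR-MANAGERS"},
    "dave": {"SALES"},
}

@dataclass
class UserClass:
    id: str
    groups: set  # criteria rows: group memberships on target system "AD"

    def is_member(self, user: str) -> bool:
        return bool(AD_MEMBERSHIPS.get(user, set()) & self.groups)

@dataclass
class UserGroup:
    id: str
    user_classes: list
    any_of: bool        # True: "Any of the user classes"; False: all of them
    privileges: set
    _cache: set = field(default_factory=set)  # the "Membership cache"

    def recalculate(self) -> None:
        # Until this runs, new AD memberships are not reflected (stale cache).
        combine = any if self.any_of else all
        self._cache = {u for u in AD_MEMBERSHIPS
                       if combine(uc.is_member(u) for uc in self.user_classes)}

    def is_member(self, user: str) -> bool:
        return user in self._cache

def help_desk_manager_rule(any_of: bool = True) -> UserGroup:
    # The HELP_DESK_MANAGER group as configured on this page.
    grp = UserGroup(
        id="HELP_DESK_MANAGER",
        user_classes=[UserClass("_HELP_DESK_MANAGERS_", {"IT-HELPDESK-MANAGERS"}),
                      UserClass("HR_MANAGERS", {"HR-MANAGERS"})],
        any_of=any_of,
        privileges={"view security questions", "bypass security questions"},
    )
    grp.recalculate()
    return grp

def can_bypass_for_reset(user: str, grp: UserGroup) -> bool:
    return grp.is_member(user) and "bypass security questions" in grp.privileges
```

Switching the rule to "All of" leaves only carol (a member of both AD groups) with the privilege, which is the behaviour this either/or configuration is meant to avoid.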