2

Is it possible to define all users in Active Directory so they are also hierarchically related between each other?

In other words: Is it possible to define managers from top of my firm and all the way to the bottom users that don't manage anyone...

Possble? How?

Additional info

I'm building an application where users will be able to manage other user's data. So root of user tree is the admin, that can manage all other users (because all of them are in the subtree). But other users will only be able to manage their own subtree of users... That's why I need to define managers somehow. If I won't do it in the AD I will have to define managers in my application referencing certain AD user accounts and having that data in my data store which seems a bit cumborsume. But I may select whatever tree DB structure I want. Probably one that is very fast with reading subtree nodes, because this operation will be by far the most frequent. If I can't read all nodes at once from AD it would work slower anyway. But managing this structure will be pain in th a@@...

Robert Koritnik
  • 912
  • 5
  • 19
  • 34
  • 1
    As you get to higher levels of management, the managers aren't going to be the ones doing the updating -- they'll delegate it to their executive assistant (ie, secretary), but the secretary won't be considered someone's superior in the tree. You're likely going to need a more complex structure, such as using department objects as intermediary relationships that I described below. – Joe H. Jun 29 '10 at 16:08
  • Again Joe H is right on the money. What about users who report to more than one manager - how do you handle cross tree management? Your point about managing the structure being difficult also applies to do doing it in the Active Directory, who will manage the relationships? What is the source of truth for the structure relationships, the HR System? Basically it sounds like you are building an Identity Management system subset and facing all the problems associated with that. – Sim Jun 30 '10 at 01:55

2 Answers2

1

Have a look at the Managed By attribute. One limitation of using it is that it doesn't cater for multiple manager relationships.

The other thing to consider is what do you want to use the hierarchy for? If for workflow routing be careful as you might find that the hierarchy you choose doesn't actually reflect the workflow rules of the business process, especially the higher up you go in the organistion.

Sim
  • 1,858
  • 2
  • 17
  • 17
1

Yes, it's possible, but unless you're a rather small shop, it's a bear to maintain. How often do supervisors/managers get hired/fired/replaced/promoted, etc? For larger companies, you might have a few a day, which means you'll be constantly updating the hierarchy and changing dozens or hundreds of relationships.

You also get times when someone's been fired or quit, and a replacement hasn't yet been assigned/hired/whatever, so you could have a break in your tree.

The way I've done it in the past, for a large university, we tracked departments as entities, with a hierarchy and then associated people with the departments. (some people were associated with more than one department, due to research institutes, student groups, etc.) Each department had a head of that department listed and a secondary editor (secretary, typically), who could make changes to their membership.

Ours was designed for use as part of the account creation process (a new faculty or staff account had to be vouched for by a department; new departments had to be vouched for by their higher level department, etc.) It's possible you might design something differently depending on what your actual needs are for doing this.

Joe H.
  • 1,897
  • 12
  • 12
  • 1
    Great points Joe H. @Robert be very clear on why you want to do this and what you want to achieve. The quick and easy path to identity management is never quick nor easy. A single hierarchical structure doesn't map well across all workflows or processes. Reality and its associated complexity has a nasty habit of getting in the way of nice clean structures. – Sim Jun 29 '10 at 13:57
  • @Sim, @Jow H.: Check my **additional info**. – Robert Koritnik Jun 29 '10 at 15:21