2

Is it possible to get a group hierarchy in AD? It's for managing permissions to a web app from there.

I need to do this:

  • Users
    • Product
      • Admin
        • Task
          • Subtask1
          • Subtask2
          • Subtask3
        • Task 2

So if you are a member of Admin you get a reference to Task and Task 2 and their children. I think that AD doesn't come with an RBAC hierarchy, but I want to be sure.

jscott
JorgeeFG
  • I think you're asking if Active Directory supports nested groups; It does. Is there something specific you're trying to do? – jscott Apr 08 '13 at 12:45
  • Hi, yes, I need to be a member of Task and, with a query, know its children. If I am a member of Task, I should be a member of Subtasks 1, 2, 3. Thanks – JorgeeFG Apr 08 '13 at 12:47
  • Yes, in that configuration, you would be a member (but not a direct member) of all the subtask groups. It's up to the application talking to AD to do its group lookups using recursion (or not). – jscott Apr 08 '13 at 12:49
  • Could you give me a link, an example or something to lead me in the right direction? Thanks – JorgeeFG Apr 08 '13 at 12:51
  • Here's an example of getting nested groups - http://serverfault.com/questions/429981/view-parents-of-many-nested-sub-groups-in-active-directory/429990#429990 - If you need a specific example, just edit your question and I'll try to help. – jscott Apr 08 '13 at 12:51
  • Is it only available for C#? I need to do it in PHP – JorgeeFG Apr 08 '13 at 13:51
  • If you're using LDAP filter syntax to query the groups, it should be the same regardless of the language. For PHP specific examples, you may want to search on StackOverflow. – jscott Apr 08 '13 at 14:22

1 Answer

2

Assuming your app supports recursive lookups, or if you're doing this with simple filesystem permissions, yes, that is possible.

What you need to do is to make each parent a member of its direct children. For example, Admin would be a member of Task and Task 2, and Task would be a member of Subtask1, Subtask2, and Subtask3. You would then add users to a single group and they would have all the privileges of the subgroups.

Jason Litka
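The nesting the answer describes, and the recursive lookup jscott's comments say the application must do, as an added example that is not part of the original question or answer. It builds an in-memory snapshot of the `member` attribute for the Admin/Task/Subtask groups (constructed sample data, with hypothetical DNs under `DC=example,DC=com` and two hypothetical users, alice and bob), expands membership transitively in both directions with cycle protection, and builds the LDAP filters a web app would send to AD for the same lookups using the `LDAP_MATCHING_RULE_IN_CHAIN` OID (1.2.840.113556.1.4.1941). The filter values are escaped per RFC 4515 so that names taken from a request cannot alter the filter.

```python
# Added example (not from the original post): recursive AD group expansion
# over a constructed, in-memory snapshot of the nesting in the answer, plus
# the LDAP_MATCHING_RULE_IN_CHAIN filters a web app would send to AD.
from collections import deque

BASE = "DC=example,DC=com"  # assumption: hypothetical directory


def dn(cn, ou="Groups"):
    """Build a DN for a hypothetical object under BASE."""
    return f"CN={cn},OU={ou},{BASE}"


ALICE = dn("alice", "Users")  # constructed: direct member of Admin only
BOB = dn("bob", "Users")      # constructed: direct member of Task 2 only

# Constructed snapshot of each group's "member" attribute (forward links),
# following the answer: each parent group is a member of its children, so
# Admin is a member of Task and Task 2, and Task of Subtask1..3.
MEMBER = {
    dn("Admin"):    {ALICE},
    dn("Task"):     {dn("Admin")},
    dn("Task 2"):   {dn("Admin"), BOB},
    dn("Subtask1"): {dn("Task")},
    dn("Subtask2"): {dn("Task")},
    dn("Subtask3"): {dn("Task")},
}


def reverse_index(member):
    """Derive the memberOf (back-link) view from the member attribute."""
    member_of = {}
    for group, members in member.items():
        for m in members:
            member_of.setdefault(m, set()).add(group)
    return member_of


def transitive(start, edges):
    """Breadth-first transitive closure from start, excluding start itself.
    The visited set guarantees termination even if groups are nested in a
    cycle, so a mis-nested directory cannot hang the application."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def effective_groups(principal_dn, member=MEMBER):
    """All groups a principal is a direct or nested member of."""
    return transitive(principal_dn, reverse_index(member))


def effective_users(group_dn, member=MEMBER):
    """All non-group objects that are direct or nested members of a group."""
    return {d for d in transitive(group_dn, member) if d not in member}


def is_member(principal_dn, group_dn, direct=False, member=MEMBER):
    """Authorization check: direct membership only, or nested as well."""
    if direct:
        return principal_dn in member.get(group_dn, ())
    return group_dn in effective_groups(principal_dn, member)


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into an LDAP filter; without it
    a request-supplied name containing ')(' or '*' changes the query."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def chain_filter(attr, target_dn):
    """Matching-rule-in-chain clause: AD walks the nesting server-side."""
    return f"({attr}:1.2.840.113556.1.4.1941:={escape_filter_value(target_dn)})"


def users_in_group_filter(group_dn):
    """Users that are direct or nested members of group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            + chain_filter("memberOf", group_dn) + ")")


def groups_of_user_filter(user_dn):
    """Groups of which user_dn is a direct or nested member."""
    return "(&(objectClass=group)" + chain_filter("member", user_dn) + ")"


if __name__ == "__main__":
    for g in sorted(effective_groups(ALICE)):
        print("alice ->", g)
    print(users_in_group_filter(dn("Admin")))
```

The in-memory expansion is the same algorithm a PHP app would run over `ldap_search()` results if it pulled `member` (or `memberOf`) one level at a time; the chain filters instead make the domain controller do the recursion in one query. Either way, run the lookup under a dedicated low-privilege service account over LDAPS, and decide explicitly whether a permission check means direct or nested membership, since the two differ for every group below Admin in this layout.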