Parametric Roles for Windows Security

In short, a Parametric Role is a role that uses additional user account information from your AD to create dynamic role settings. For example, if the AD accounts contain Department information, this information can be picked up during user login and used, for instance, for Forced criteria settings in the Parametric Role.


If you use any of the Test login with... buttons, you will get information about the current user or a user with a specific username (requires password).


userClaims: Contains basic information about the logged-in account, the groups this account is a member of, and some security identifiers.

userClaimsAD: Contains AD information about the logged-in account, e.g. name, email address, department, last login, etc.

In this example, the default script has been modified to pick up the SamAccountName from the AD and try to use it as the name of a Startup Document for this user. Run the script to see the Outputs on the right-hand side.


When clicking the Lookup User Permissions button, you will see the effect of the Parametric Role (Embedded role #1) - in this case trying to use a document called 'jan_k' as your Startup Document.


Note: In the script, use 'roles:' to add parametric roles to existing roles. Use 'replace_roles:' to replace existing roles with the parametric role(s).

 

For further documentation on Parametric Roles and how to use them, please see these articles:

 
