Overriding Organization Relationships
System actions are provided that override organization relationships, giving the caller access to all organizations, regardless the organization relationships that have been set up. These system actions are typically given to administrative users.
The system actions that override organization relationships are:
- organizationAdmin -
This system action, which is only applicable to
OrgModelService operations, can be used to override organization relationships in the following ways:
- Users who posses this system action can see all containers, organizations, and resources, regardless of the organization relationships that are defined (you also need the DE.browseModel and DE.LDAPAdmin system actions to view LDAP containers).
- Users who possess this system action can be mapped to any organization, regardless of the organization relationships that are defined.
Note that to call any operation in the OrgModelService, the user must also possess the browseModel system action — holders of the organizationAdmin system action get additional access (if there are organization relationships defined).
- LDAPAdmin - This system action, which is required for many service operations, may also give the caller access to all organizations, regardless the organization relationships set up, depending on the operation.
When calling the DirectoryService operations listed below, the caller must possess either the resourceAdmin or LDAPAdmin system action. If the caller has only the resourceAdmin system action, the organizations he can see are restricted by organization relationships. If he also has (or has only) the LDAPAdmin system action, he can see all organizations, regardless the organization relationships set up when using the following operations:
You can determine if a user has a specific system action by using the listAuthorisedOrgs operation.