Disabling implied permissions

  • Question

  • Has anyone disabled the implied permissions as outlined in this TechNet blog article? Would creating a new role based off of Advanced Operators for end users take care of all the things to watch out for?

    http://blogs.technet.com/b/servicemanager/archive/2014/03/19/improving-ad-connector-performance.aspx

    • Edited by Misha Rudiy Wednesday, July 16, 2014 10:00 PM
    Tuesday, July 8, 2014 10:17 PM

All replies

  • The major thing to watch out for would be the fact that your plan would allow all users to open the console and edit all work items; are you sure you want to permit that?

    Those implied permissions are intended to ensure that someone who owns a CI or reported a work item should be able to update it. Are you sure you want to prevent that?

    The unstated premise of that blog post is that the AD connector is causing performance problems. Are you having performance problems related to the AD connector? Why are you considering doing this?

    Wednesday, July 9, 2014 1:04 PM
  • For the new end user role, I plan on creating a new role based on the Advanced Operator role. I will not enable any views or tasks for this role. The only way they would be able to make changes is via PowerShell. This is an acceptable risk for my company since it would also allow us to link configuration items such as knowledge base articles to work item templates for the portal. We have experienced performance issues with the AD connector from day one. Newer updates keep improving the performance, but I would like to try the suggested solution and am interested in feedback from other people who have applied this fix. Has anyone else applied it?
    • Edited by Misha Rudiy Wednesday, July 16, 2014 9:59 PM
    Friday, July 11, 2014 10:59 PM