I'm wondering if anyone has written a script to copy one user's permissions and assign them to a new user. I know that ideally we would set the group permissions and assign users to different Active Directory OUs, but in many cases we might have something like a Nurses OU, and a new user is set up with that OU in AD, then that user logs into CPS and gets those assigned permissions, but then, for any number of reasons unknown to IT, we'll get a request saying please give this user these additional permissions and remove these permissions. Then, when that person is replaced, they hire someone to replace that individual with those specific additions/subtractions (outside the norm of the others in the same AD OU) and they'll want us to add/subtract permissions as needed. I hope that makes sense because the question is this: Do you know of an easier way to accomplish this than to compare two user accounts side-by-side?
We probably have about 100 AD security groups just for CPS. Some groups have very specific privileges granted. Some groups exist for signing a particular document type, for example.
Over time, we have learned that security group privileges become very granular, but it is still easier and more manageable than managing security in CPS itself.
As soon as we have a request for a second identical one-off privilege assignment, it becomes a security group. The process usually begins with a one-off request for a specific privilege or set of privileges. Usually we'll assign that one-off in CPS.
When we look at CPS privileges and see it has already been assigned to a user once, we stop to assess whether this privilege needs to be assigned to an existing security group, or if we need to create a new security group to manage this/these privileges. If we decide on a new SG, we create a security group for it, remove the original specific user privilege assignment, assign the security group to the permission, and add the original user plus the new user to the security group.
-dp
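The promotion rule described in the post above, sketched as an added example that is not part of the original thread or the poster's own tooling. It assumes the one-off grants are available as exported (user, privilege) pairs; every user, privilege and group name is constructed, and the function only builds a change plan without touching AD or CPS.

```python
from collections import defaultdict

# Constructed sample data; user, privilege and group names are hypothetical.
DIRECT_GRANTS = [  # one-off (user, privilege) assignments made in the application
    ("asmith", "Sign Referral Letter"),
    ("bjones", "Sign Referral Letter"),
    ("asmith", "Sign Consult Note"),
    ("bjones", "Sign Consult Note"),
    ("asmith", "Edit Fee Schedule"),
    ("bjones", "View Audit Log"),
    ("cnguyen", "View Audit Log"),
    ("BJones ", "Sign Referral Letter"),  # duplicate row, different casing
]
EXISTING_GROUPS = {"CPS-AuditViewers": {"View Audit Log"}}  # group -> privileges


def plan_promotions(direct_grants, existing_groups, threshold=2):
    """Turn repeated one-off grants into security-group changes.

    Returns (plans, one_offs). Each plan names the group, its privileges,
    its members and the ordered steps; one_offs stay assigned directly.
    """
    holders = defaultdict(set)  # privilege -> users holding it directly
    for user, priv in direct_grants:
        holders[priv.strip()].add(user.strip().lower())

    bundles = defaultdict(set)  # identical set of users -> privileges they share
    one_offs = {}
    for priv, users in holders.items():
        if len(users) >= threshold:
            bundles[frozenset(users)].add(priv)
        else:
            one_offs[priv] = sorted(users)

    plans = []
    for users, privs in sorted(bundles.items(), key=lambda kv: sorted(kv[1])):
        # Reuse a group that already grants exactly this privilege set.
        reuse = next((g for g, p in sorted(existing_groups.items()) if p == privs), None)
        group = reuse or "CPS-" + "-".join(sorted(privs)).replace(" ", "")
        # Step order follows the post: create, remove direct, grant to group, add users.
        steps = [] if reuse else [f"create group {group}"]
        steps += [f"remove direct grant of {p} from {u}"
                  for p in sorted(privs) for u in sorted(users)]
        if not reuse:
            steps.append(f"grant {sorted(privs)} to {group}")
        steps += [f"add {u} to {group}" for u in sorted(users)]
        plans.append({"group": group, "new": reuse is None, "steps": steps,
                      "privileges": sorted(privs), "members": sorted(users)})
    return plans, one_offs
```

Privileges held by the same set of users are bundled into one proposed group, and a privilege with a single holder is left as a direct assignment until a second request arrives.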
Thank you for your response. I like your approach but I work for an MSP and most of our clients have pre-existing setups, or we are only backup IT and their in-house IT makes the decisions on AD setup and such so we are forced to do it this way. We'll get a request to set up a new user and to copy permissions of an existing user in AD and CPS, but their CPS security was changed (their role may have changed or such) and the existing permissions are not what they started with. Sometimes, an onsite administrator will change permissions without telling us. That's why I'm hoping for a script that would copy the one user's CPS permissions as they are and assign them to another user. I know the script to see a user's current CPS permissions, I just don't know how to hold those values and assign them to a different user (already created in AD and CPS).
How many users do you have to be managing 100 AD SGs? Just curious.
I like the approach and tried to follow that method a while back but eventually made some exceptions. We use CPS security now but I don't know if that will burn us at some point. I think I remember seeing them say we were going to have to use integrated AD security, likely because of the Azure aspect but not sure if that has changed or not. We were in the middle of the transition when that word came down.
Mike Zavolas
Tallahassee Neurological Clinic
I can't check right now, but we're in the neighborhood of around 300 user accounts I believe. While the CPS AD authentication and account tracking implementation is rather poor from an administrative standpoint, it does end up scaling better than the native CPS account management IMHO.
-dp