Access Control - groups within groups

gerardsweeney

I'm trying to set up access control.

I have a Staff user - TomBaker
He is a Maths teacher in SchoolA

His AD account membership looks like:
SchoolA_Teachers_Maths

SchoolA_Teachers_Maths is a member of a group SchoolA_Teachers
SchoolA_Teachers is a member of AllSchools_Teachers

I check the box "Enable usage of Domain groups".
I add SchoolA_Teachers and/or AllSchools_Teachers to the "Restrict access to members of specific user groups" section.
I click Apply
When I run the "test", and put in TomBaker, the account shows it does not have access.

If I add SchoolA_Teachers_Maths, then it passes.
So Veyon doesn't appear to understand nested groups.

I also tried creating a local group on the PC called VeyonUsers, and adding SchoolA_Teachers to that.
Still didn't pass.

I thought I could tackle it with "deny" instead, but the pupil accounts are the same nested approach.
PupilAccount1 - member of SchoolA2020, which is a member of SchoolAPupils

Is there a way around this?

If it helps, any..

Our AD structure is:

User Accounts
SchoolA\Staff
SchoolB\Pupils
SchoolB\Staff
SchoolB\Staff

There will be cases where staff from SchoolA are using PCs in SchoolB.
So I can't just use a config where SchoolA PCs look at SchoolA\Staff

tobydox

Hi Gerard,

unfortunately nested groups are currently not supported. This means you'll have to add allow rules for the individual teacher groups.

Best regards
Tobias

gerardsweeney

Hi..

I think I'll get round it by using a script to modify the permissions on the Private keyfile on PCs with Master installed.

In my testing, I've put a PupilAccounts = "Deny read".
This lets me run the Master as a Teacher, but not as a pupil - which is what I need.

tobydox

Sounds like a perfect solution!