Access Control - groups within groups

  • I'm trying to set up access control.

    I have a Staff user - TomBaker
    He is a Maths teacher in SchoolA

    His AD account membership looks like:

    SchoolA_Teachers_Maths is a member of a group SchoolA_Teachers
    SchoolA_Teachers is a member of AllSchools_Teachers

    I check the box "Enable usage of Domain groups".
    I add SchoolA_Teachers and/or AllSchools_Teachers to the "Restrict access to members of specific user groups" section.
    I click Apply
    When I run the "test", and put in TomBaker, the account shows it does not have access.

    If I add SchoolA_Teachers_Maths, then it passes.
    So Veyon doesn't appear to understand nested groups.

    I also tried creating a local group on the PC called VeyonUsers, and adding SchoolA_Teachers to that.
    Still didn't pass.

    I thought I could tackle it with "deny" instead, but the pupil accounts are the same nested approach.
    PupilAccount1 - member of SchoolA2020, which is a member of SchoolAPupils

    Is there a way around this?

    If it helps, any..

    Our AD structure is:

    User Accounts

    There will be cases where staff from SchoolA are using PCs in SchoolB.
    So I can't just use a config where SchoolA PCs look at SchoolA\Staff

  • Hi Gerard,

    unfortunately nested groups are currently not supported. This means you'll have to add allow rules for the individual teacher groups.

    Best regards

  • Hi..

    I think I'll get round it by using a script to modify the permissions on the Private keyfile on PCs with Master installed.

    In my testing, I've put a PupilAccounts = "Deny read".
    This lets me run the Master as a Teacher, but not as a pupil - which is what I need.

  • Sounds like a perfect solution!