Sharepoint - One user account with two different roles (and permissions in Sharepoint)

Jussi Lehti 601 Reputation points
2021-08-26T11:07:38.927+00:00

Our client has a need to get rid of multiple AD Accounts of users who work for two different organizations (e.g. 50-50).

Currently those users log in to the computer with the account of the organization they are working for at the time and are granted access to those SharePoint sites that have that same organization's AD groups permitted on them.

So they asked if it would be possible for those users to have only one AD Account and then create a new LDAP environment to give those AD accounts two different roles. And those roles would have different AD groups mapped to them.
And the most important question: could we leverage those roles when the user authenticates to SharePoint, so that depending on the role the user chooses, he would only get permissions in SharePoint to those sites which have those AD groups that belong to the role he has chosen?

This is a bit hard to explain and to try to get even started, but any comment would be appreciated.

Currently they are using SharePoint 2016 with SAML authentication via ADFS.


3 answers

  1. Jussi Lehti 601 Reputation points
    2021-08-26T12:24:52.157+00:00

    To add more spice to the situation, SSO to SharePoint should be working too (as it is working now), so probably the role selection should be made in some custom LDAP tool after the user has signed in to Windows.

    Again, I'm not expecting answers since this seems quite complex.


  2. JoyZ 18,046 Reputation points
    2021-08-27T06:23:02.397+00:00

    @Jussi Lehti ,

    Per my knowledge, the short answer is NO: when we use SAML authentication via ADFS, it's necessary to define the claim that will be used as the unique identifier of the user.

    Simply put, a user should have his own unique identifier rather than two roles pointing to one user.

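    To make the "unique identifier" point concrete, here is the shape of the SharePoint-side trust configuration for ADFS (added example, not code from the question or the answers; the certificate path, realm, sign-in URL and "contoso" names are placeholders). The trust accepts several claim types, but exactly one of them is passed as -IdentifierClaim, and that single claim value is what SharePoint treats as the user; a role claim mapped alongside it is a separate principal that can be granted permissions, but it never changes who the signed-in user is.

```powershell
# Added example: SharePoint 2016 Management Shell, run on a farm server as a farm admin.
# Values below (paths, URLs, realm, names) are placeholders, not taken from the thread.

# 1. Trust the ADFS token-signing certificate (exported from ADFS beforehand).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# 2. Map the incoming claims SharePoint should understand.
#    The e-mail claim will be the user's identity; the role claim is carried alongside it.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Create the trusted identity provider. Note the single -IdentifierClaim:
#    one claim type, one value per user, regardless of how many role values the token carries.
$realm = "urn:sharepoint:contoso"              # placeholder relying-party identifier
$ap = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS SAML trust" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://adfs.contoso.com/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

# 4. A role value is a distinct principal from the user. Permissions can be granted to it,
#    which is the closest SAML equivalent of granting to an AD group, but the user's
#    identity (the e-mail claim) stays the same no matter which role value is present.
$rolePrincipal = New-SPClaimsPrincipal -ClaimValue "Org1-Finance" `
    -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -TrustedIdentityTokenIssuer $ap
$rolePrincipal.ToEncodedString()   # encoded claim string usable in site permissions
```

    When reviewing such a trust, check that -IdentifierClaim points at a claim ADFS issues with a stable, non-reusable value per person; if two AD accounts for the same person issue different values, SharePoint sees two different users, which is the situation the question describes.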


  3. sadomovalex 3,626 Reputation points
    2021-08-30T14:53:39.943+00:00

    Are the domains of these organizations located in the same forest? If yes, it is possible (with limitations: Can users in one domain be assigned to Groups in another domain if both domains are in the same Forest) to add users from domain A (organization 1) to AD groups in domain B (organization 2). In this case (in theory) the same user account may access SharePoint sites which are granted to AD groups from domain A (organization 1) and sites granted to AD groups from domain B (organization 2). It should be tested, of course.
