Enterprises usually design their OU-based network structure on geographical or departmental boundaries, restricting the ability to delegate administration outside these boundaries. However, they can face situations that require objects to be grouped together in ways that differ to the OU structure.
Active Directory offers a comprehensive delegation model. However, since the scope of delegation is defined using Organizational Units, distributed administration in Active Directory is constrained by the OU structure.
In Active Directory, without changing the directory structure, it is impossible to re-group objects so that the new “groups” support inheritance for their members when delegating control or enforcing policy. As a solution to this inflexible, OU-based structure, Active Roles provides the facility to configure administrative views that meet any directory management needs. The administrative views (Managed Units) allow distributed administration to be independent of the OU hierarchy.
Thus, Active Roles provides Managed Units (MUs)—securable, flexible, rules-based administrative views. MUs represent dynamic virtual collections of objects of different types. MUs may include any directory objects, regardless of their location in the network. This allows objects to be grouped into administrative views that are independent of the OU-based structure.
Managed Units allow organizations to implement OU structures on a geographical basis, but distribute administration on a functional basis. For example, all users in a particular department, regardless of their location in different OUs, could be grouped into a single Managed Unit for the purposes of delegating access control and enforcing administrative policy. The members of that Managed Unit would remain in their geographically defined OUs, leaving the OU structure unaffected.
Managed Units make it possible to organize an enterprise in any particular way, without changing the underlying domain and OU structure. Managed Units can include directory objects from different domains, trees and forests, as well as from other Managed Units. In addition, different Managed Units can have common members. These features of Managed Units create an environment that is both secure and easy to manage.
Membership rules determine whether an object is a member of a certain MU. For example, you might specify a membership rule that states: all users from OU A whose full names start with B belong to this MU. The membership rule is then implemented as a query that searches OU A for users with full names starting with B. Active Roles stores the query as a part of the MU properties, and executes it whenever a list of MU members is created or refreshed.
Active Roles allows permission and policy settings to be specified at the level of Managed Units. Inheritance of permission and policy settings from the Managed Unit level works seamlessly across the Active Directory environment.
As the environment changes, the memberships of objects held in Managed Units also change automatically to adapt to the new environment, therefore object permission and policy settings change as well. Managed Units dynamically adapt to changes in the enterprise, simplifying the maintenance of permission and policy settings on directory objects.
Each Managed Unit provides a convenient scope for delegated administration. Delegated administrators no longer have to browse the hierarchy of OUs to search for managed objects. With Active Roles, administrative control of each MU can be delegated to specific individuals and groups, just as control of OUs can be delegated. Using Managed Units, all objects managed by a delegated administrator are located in one place.
The Active Roles console provides the New Object – Managed Unit wizard to create Managed Units. You can start the wizard from the Managed Units container, located under Configuration in the console tree: right-click Managed Units in the console tree, and select New | Managed Unit.
If you need to manage a large number of Managed Units, it is advisable to create containers that hold only specified Managed Units for easy location: in the console tree, right-click Managed Units and select New | Managed Unit Container. Then, you can use the wizard to create a Managed Unit in that container: right-click the container and select New | Managed Unit.
NOTE: Only users with administrative access to the Administration Service (members of the Active Roles Admin account) are permitted to create Managed Units. For more information about the Active Roles Admin account, refer to the Active Roles Quick Start Guide.
The first page of the wizard looks as shown in the following figure.
Figure 6: Managed unit - Name and Description
On this page, type in the name and description for the Managed Unit. The Active Roles console will display the name and description in the list of Managed Units in the details pane.
Click Next. The second page of the wizard looks as shown in the following figure.
Figure 7: Managed unit - include objects
This page lets you specify which objects you want to be included in the Managed Unit.
Membership of a Managed Unit is determined by membership rules. Members of a Managed Unit are those objects that match criteria defined in the membership rules. A list of members is dynamically updateable: When you create a new object that satisfies the criteria in the membership rule, the object is included into the MU automatically. When an object no longer matches the criteria specified in the membership rule (for example, when the object is renamed or moved), it is automatically removed from the membership list.
A membership rule may take a form of search query, object static inclusion and exclusion rule, and group member’s inclusion and exclusion rule.
To specify a membership rule, click Add. This displays the Membership Rule Type dialog box, shown in the following figure.
Figure 8: Managed Unit - membership rule type
In this dialog box, select a type of membership rule. In the lower box, you can read a description that explains which membership rules can be created using the selected type.
The Include Explicitly rule type allows you to select objects to be statically added to the Managed Unit. If you select a container, such as an OU, the entire sub-tree rooted in that container is included in the Managed Unit. Active Roles ensures that the selected objects are included in the Managed Unit regardless of whether they are renamed, moved to another container, or have any properties changed.
The Exclude Explicitly rule type allows you to select objects to be statically excluded from the Managed Unit. Active Roles ensures that the selected objects are excluded from the membership list regardless of whether they are renamed, moved, or have any properties changed. Because the Exclude Explicitly rule takes precedence over all other types of rule, the selected objects will be excluded from the Managed Unit even if another rule states that they should be included. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.
The Include Group Members rule type allows you to select the groups which members you want to include in the Managed Unit. Active Roles dynamically populates the membership list with the objects that belong to the selected groups. When an object is added or removed from the selected groups, Active Roles adds or removes that object from the membership list of the Managed Unit.
The Exclude Group Members rule type allows you to select groups whose members will be excluded from the Managed Unit. Active Roles ensures that the members of the selected groups are removed from the membership list of the Managed Unit. When an object is added to any one of the selected groups, Active Roles automatically removes that object from the membership list. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.
The Include by Query rule type allows you to define criteria the objects must match to be included in the Managed Unit. Active Roles dynamically populates the membership list with the objects that have certain properties. When an object is created, or when its properties are changed, Active Roles adds or removes it from the membership list depending on whether the objects’ properties match the defined criteria.
The Exclude by Query rule type allows you to define criteria the objects must match to be excluded from the Managed Unit. Active Roles ensures that the objects with certain properties are excluded from the membership list. Active Roles automatically removes objects from the membership list depending on whether the objects’ properties match the defined criteria. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.
The Retain Deprovisioned rule is intended to adjust the behavior of Managed Units towards deprovisioned objects, such as deprovisioned users or groups. Once an object is deprovisioned, the default behavior is to automatically remove that object from all Managed Units it was a member of. If there is a need to keep deprovisioned objects in certain Managed Units, you can satisfy this requirement by adding the Retain Deprovisioned rule to those Managed Units. This rule causes the Managed Unit to include both the regular and deprovisioned objects that meet the membership rules for that Managed Unit. Without this rule, the Managed Unit does not include any deprovisioned objects.
Note that the rules that exclude objects from a Managed Unit have an effect on only those objects that match one of the inclusion rules for that Managed Unit. For example, if a container object is explicitly included in a Managed Unit, all objects held in that container are also included in the Managed Unit and cannot be excluded by applying exclusion rules. An exclusion rule can only be used to exclude the entire container from the Managed Unit since the container is the only object that matches an inclusion rule. The objects that are held in the container do not match any inclusion rule, and therefore are not affected by exclusion rules.
In the Membership Rule Type dialog box, select a rule type, and click OK.
If you have selected the Include Explicitly or Exclude Explicitly rule type, the Select Objects dialog box is displayed. Select the objects you want to include or exclude from the Managed Unit, click Add, and then click OK.
If you have selected the Include Group Members or Exclude Group Members rule type, the Select Objects dialog box is displayed. The list of objects in that dialog box consists of groups. Select groups, click Add, and then click OK. All members of the selected groups will be included or excluded from the Managed Unit.
If you have selected the Include by Query or Exclude by Query rule type, the Create Membership Rule dialog box, similar to the Find dialog box, is displayed. In that dialog box, define the criteria that objects must match to be included or excluded from the Managed Unit.
After you have added one membership rule, you can add further membership rules for the same Managed Unit.
If you add several membership rules to the Managed Unit and some of them conflict with each other, then the conflict is resolved by a rule that defines the following order of precedence:
- Exclude Explicitly
- Include Explicitly
- Exclude by Query
- Exclude Group Members
- Include by Query
- Include Group Members
According to this, for example, the Exclude Explicitly rule takes precedence over all other types of rule. Therefore, the selected objects will be excluded from the Managed Unit even if another rule states that they should be included (for example, the objects that match the criteria defined in the Include by Query membership rule, or belong to a group selected in the Include Group Members rule).
NOTE: An exclusion rule type can be used to exclude only those objects that match one of the inclusion rules. For example, if a given Organizational Unit is included in a Managed Unit by an inclusion rule, all child objects held in the Organizational Unit are also included in that Managed Unit. However, only the entire Organizational Unit rather than its individual child objects can be excluded from the Managed Unit.
Once you have added membership rules, click Next. This displays a page shown in the figure that follows.
Figure 9: Managed unit - Permission and Policy settings
You can use this page to specify the permission and policy settings for the Managed Unit. When finished, click Next, and then click Finish. For information about permission settings, see Applying Access Templates later in this document. For information about policy settings, see Applying Policy Objects later in this document.