How Access Templates work
Active Roles implements delegated administration by linking Access Templates to collections of objects (Managed Units), directory folders (containers), or individual (leaf) objects.
When applied to a directory object, an Access Template specifies permission settings for that object and its child objects. Applying Access Templates to Managed Units is a convenient way to manage permissions on collections of directory objects.
Each Access Template is applied in relation to some users and/or groups (Trustees), and the permissions specified in the Access Template determine their access to managed objects. When an Access Template is modified or no longer applied, permissions set for the directory objects are modified accordingly.
When permissions on a Managed Unit change, Active Roles recalculates the permission settings on all the Managed Unit members. Likewise, the permission information is modified whenever the list of objects in a Managed Unit changes. When objects join or leave a Managed Unit (due to object property changes, for example), all permission settings on those objects are recalculated.
Every object inherits its permission settings from the Managed Units in which it resides. For example, if a Trustee has permissions to access multiple Managed Units that hold a given object, the permissions of the Trustee to access that object are simply defined as a union of all permissions specified at the Managed Unit level.
Applying Access Templates to a container object (directory folder) establishes the access of the Trustee to both the container and its child objects. The Trustee, having permissions specified over a container, possesses inherited permissions for the child objects residing in the container.
Applying permissions with Access Template
You can assign permissions to Active Directory (AD) objects with Access Templates (ATs) in the Active Roles Console.
Delegating permissions with ATs is an effective method to grant specific types of access for specific users or groups to specific organizational resources. For example, directory administrators of a domain can receive full control for managing that domain, while helpdesk operators can quickly receive permission to reset passwords for domain users.
Active Roles supports applying ATs to all AD object types: administrative views (Managed Units), directory folders (containers), and individual (leaf) objects. When applying an AT to an AD object, you:
- Designate a trustee (also known as a security principal) who will receive the permissions granted by the AT. Trustees are typically users or groups.
- Assign permissions to that trustee for the AD objects in the scope of the AT. Such AD objects are called securable objects.
As a result, the trustee receives access to the securable object according to the permissions defined in the AT.
For the steps of applying Access Templates to directory objects, see Applying Access Templates in the Active Roles Administration Guide.
Add Permission Entries wizard
The Add Permission Entries Wizard lets you specify the permission to be added into the Access Template. The first page of the wizard looks as shown in the following figure.
Figure 4: Add Permission Entries
On this page, you select the types of objects to which you want the permission to allow (or deny) access. You can select one of these options:
- All object classes: With this option, the permission controls access to objects of any type.
- Only the following classes: With this option, the permission controls access to objects of the types you choose by selecting the appropriate check boxes in the list.
NOTE: By default, not all object classes are displayed in the list. To display all object classes, select the Show all possible classes check box.
After you have selected the object classes you want, click Next. The next page of the wizard looks as shown in the following figure.
Figure 5: Permission category
On this page, you select a permission category, and specify whether you want the permission to allow or deny certain administrative actions.
You can select one of the following permission categories:
- Full Control access: Allows or denies all administrative actions on an object.
- Object access: Controls how an object is accessed and controlled.
- Object property access: Controls access to an object’s attributes.
- Creation/Deletion of child objects: Allows or denies creation or deletion of objects in a container.
If you want the permission to deny certain administrative actions, select the Deny permission check box.
The following sections elaborate on the permission categories you can select in the Add Permission Entries Wizard.
Full Control access
Permissions in this category grant access to all object (and object property) administrative operations for the classes selected in the previous step of the Add Permission Entries Wizard.
After you select Full Control access and click Finish, the permission is added to the newly created Access Template.
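The following Python model is an added illustration, not Active Roles code, of two points made on this page: the effective permissions of a Trustee on an object are the union of the permissions from every Managed Unit holding it, recalculated when the object leaves a Managed Unit (see How Access Templates work), and each permission entry carries the object-class filter and Deny flag chosen in the Add Permission Entries Wizard. It assumes (hypothetically) that Managed Unit membership can be represented as a plain set of distinguished names, and it returns allow and deny entries as two separate sets without deciding how a conflict between them is resolved, since the page does not state that rule.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PermissionEntry:
    category: str          # a wizard category, e.g. "Object property access"
    classes: frozenset     # object classes the entry covers; empty = all classes
    deny: bool = False     # the wizard's "Deny permission" check box
@dataclass
class AccessTemplate:
    name: str
    entries: list
@dataclass
class DirectoryObject:
    dn: str
    object_class: str
@dataclass
class ManagedUnit:                                  # membership as a plain set (assumption)
    name: str
    members: set = field(default_factory=set)       # DNs of current members
    links: dict = field(default_factory=dict)       # trustee -> [AccessTemplate, ...]

def effective_permissions(units, trustee, obj):
    """Union of every entry the trustee holds on obj through each Managed Unit
    that contains it. Allow and deny entries come back as two separate sets;
    how Active Roles reconciles an allow/deny conflict is not modelled here."""
    allow, deny = set(), set()
    for mu in units:
        if obj.dn not in mu.members:
            continue
        for at in mu.links.get(trustee, []):
            for e in at.entries:
                if e.classes and obj.object_class not in e.classes:
                    continue            # entry limited to other object classes
                (deny if e.deny else allow).add(e.category)
    return allow, deny

def scenario():
    """Constructed data: one user held by two Managed Units, then leaving one."""
    helpdesk = AccessTemplate("Helpdesk", [
        PermissionEntry("Object property access", frozenset({"user"}))])
    ou_admin = AccessTemplate("OU Admin", [
        PermissionEntry("Creation/Deletion of child objects", frozenset()),
        PermissionEntry("Object access", frozenset(), deny=True)])
    alice = DirectoryObject("CN=Alice,OU=Sales,DC=example,DC=com", "user")
    sales = ManagedUnit("Sales", {alice.dn}, {"helpdesk": [helpdesk]})
    north = ManagedUnit("North", {alice.dn}, {"helpdesk": [ou_admin]})
    before = effective_permissions([sales, north], "helpdesk", alice)
    sales.members.discard(alice.dn)     # Alice leaves Sales: rights are recalculated
    after = effective_permissions([sales, north], "helpdesk", alice)
    return before, after
```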