Synchronizing Access Template permissions to Active Directory
Permissions defined in an Access Template can be propagated to Active Directory, with all changes made to them in Active Roles being automatically synchronized to Active Directory.
By enabling synchronization from Active Roles security to Active Directory native security, Active Roles provides the facility to specify Active Directory security settings with Access Templates. Access Templates simplify and enhance the management of permissions in Active Directory, enable the logical grouping of permissions, and provide an efficient mechanism for setting and maintaining access control.
For each permission entry defined in Active Roles and configured with the Permissions Propagation option set, Active Roles generates native Active Directory permission entries based on the Active Roles permission entry.
The Permissions Propagation option (also referred to as Sync to Native Security or Sync to AD in the user interface) ensures that every time Active Roles permissions change, the associated native permission entries change accordingly.
Disabling the Permissions Propagation option on existing Active Roles permissions, or deleting Active Roles permissions with this option set, deletes all native permission entries specified through those Active Roles permissions.
If a propagated permission entry is deleted or modified in Active Directory, whether intentionally or by mistake, Active Roles restores that entry based on Access Template information, thus ensuring the correct permission settings in Active Directory. The Sync of Permissions to Active Directory scheduled task is used in Active Roles to create or update permission entries in Active Directory based on the Access Template links that have the Permissions Propagation option enabled.
Managing Active Directory permission entries
The Native Security tab in the advanced details pane lists the native Active Directory permission entries for the securable object (for example, an Organizational Unit) selected in the Console tree.
By analyzing information in the Type and Source columns on the Native Security tab, you can determine whether a given entry is synchronized from Active Roles.
In the Type column, the synchronized entries are marked with a synchronization icon. This icon changes if synchronization of the entry is invalid or unfinished. For example, if you delete a synchronized entry from Active Directory, Active Roles detects the deletion and re-creates the entry. Until the entry is re-created, the Type column marks the entry with the changed icon.
For each synchronized entry, the Source column displays the name of the Access Template that defines the permissions synchronized to that entry.
From the Native Security tab, you can manage permission entries: right-click an entry, and click Edit Native Security. This displays the Permissions dialog where you can add, remove and modify Active Directory permission entries for the securable object you selected.
Adding, modifying, or removing permissions in Access Templates
When you add, remove, or modify permissions in an Access Template, permission settings automatically change on all objects to which the Access Template is applied (linked), including those that are affected by the Access Template because of inheritance.
Figure 6: Access Template - Manage permissions
The Permissions tab in the Properties dialog lists permission entries defined in the Access Template. Each entry in the list includes the following information:
- Type: Specifies whether the permission allows or denies access.
- Permission: Name of the permission.
- Apply To: Type of objects that are subject to the permission.
Figure 7: Access Template - Modify permissions
You can use the tabs in that dialog to modify the permission as needed. The tabs are similar to the pages in the Add Permission Entries Wizard, discussed in Add Permission Entries wizard.
For the steps of how to add, modify, or remove permissions in an Access Template, see Adding, modifying, or removing Access Template permissions in the Active Roles Administration Guide.
Nesting Access Templates
You can define permissions in an Access Template (AT) by including (nesting) other ATs. This reduces the work required if you need to create a new AT that is similar to an existing one. Instead of modifying an existing Template to add new permissions, you can nest it into a new AT.
This feature simplifies Access Template management by reusing existing predefined or custom Access Templates. For example, if you need to add permissions to the predefined Help Desk Access Template, you can create a new Access Template, nest the Help Desk Access Template into the new Access Template, and add permissions to the new Access Template as needed.
To nest Access Templates to a given Access Template, use the Nesting tab in the Properties dialog for that Access Template.
The Nesting tab lists all Access Templates that are included (nested) in the selected Access Template, similar to the following figure:
Figure 8: Nesting Access Templates
Each entry in the list provides the following information:
You can manage the list on the Nesting tab by using the buttons beneath the list:
- Add: Click this button to select Access Templates you want to nest into the Access Template being administered.
- Remove: Select Access Templates from the list and click this button to remove them from the Access Template being administered.
- View/Edit: Select an Access Template from the list and click this button to view or modify the selected Access Template.
From the Nesting tab, you can also access the following information:
- All Permissions: Displays all permissions in the Access Template, including those that come from the nested Access Templates.
- Nested In: Displays a list of Access Templates in which the Access Template is included due to nesting.
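The two mechanisms described above, resolving the All Permissions view of a nested Access Template and telling a synchronized native entry from one that still has to be re-created, as an added illustrative model in Python. This is not Active Roles code or its API: the template names, trustee, permission names, the ACE shape and the "pending" label are constructed, and the Source value of an entry inherited through nesting is assumed to be the nested Access Template that defines it.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PermissionEntry:
    type: str         # Type column: "Allow" or "Deny"
    permission: str   # Permission column
    apply_to: str     # Apply To column: object class the entry applies to

@dataclass
class AccessTemplate:
    name: str
    permissions: set = field(default_factory=set)   # the AT's own entries
    nested: list = field(default_factory=list)      # ATs shown on its Nesting tab

def all_permissions(at, _seen=None):
    """Resolve the 'All Permissions' view: own entries plus those of every nested AT,
    recursively, each mapped to the name of the AT that defines it (assumed Source).
    The visited set keeps a nesting cycle from recursing forever."""
    seen = set() if _seen is None else _seen
    if at.name in seen:
        return {}
    seen.add(at.name)
    result = {p: at.name for p in at.permissions}
    for child in at.nested:
        for p, src in all_permissions(child, seen).items():
            result.setdefault(p, src)   # an entry defined locally wins over a nested duplicate
    return result

def sync_status(trustee, at, native_acl):
    """Compare the native ACEs a propagated link should produce for one trustee against
    the ACL actually present in AD: 'synchronized' if the ACE is there, 'pending' if it
    is missing (deleted or not yet created) and the sync task has to re-create it."""
    present = set(native_acl)
    expected = {(trustee, p.type, p.permission, p.apply_to): src
                for p, src in all_permissions(at).items()}
    return {ace: ("synchronized" if ace in present else "pending", src) for ace, src in expected.items()}

# Constructed sample: a Help Desk-style AT nested into a custom AT that adds one entry.
HELP_DESK = AccessTemplate("Help Desk", {PermissionEntry("Allow", "Reset Password", "User"),
                                         PermissionEntry("Allow", "Write Description", "User")})
HELP_DESK_PLUS = AccessTemplate("Help Desk Plus", {PermissionEntry("Allow", "Unlock Account", "User")},
                                nested=[HELP_DESK])
# Constructed native ACL of an OU: the propagated 'Write Description' ACE was deleted in AD.
NATIVE_ACL = [("CONTOSO\\HelpDesk", "Allow", "Reset Password", "User"),
              ("CONTOSO\\HelpDesk", "Allow", "Unlock Account", "User"),
              ("CONTOSO\\Domain Admins", "Allow", "Full Control", "All")]  # not AT-managed
if __name__ == "__main__":
    for ace, (status, src) in sorted(sync_status("CONTOSO\\HelpDesk", HELP_DESK_PLUS, NATIVE_ACL).items()):
        print(f"{status:12} {src:15} {ace[1]} {ace[2]} on {ace[3]}")
```

Entries in the native ACL that no Access Template produces (here the Domain Admins ACE) are left out of the result, matching the fact that propagation only manages the entries it created.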