Managing Access Template links
When applying an Access Template, Active Roles creates an Access Template link. Thus, administrative rights are specified by linking Access Templates to securable objects, such as Managed Units, directory folders (containers), or individual (leaf) objects.
Each Access Template link includes the identifier (SID) of the security principal—user or group—to which the specified administrative rights are assigned. When an Access Template link is created, the user or group becomes a Trustee over the collection of objects or the folder to which the Access Template is linked, with permissions specified by that Access Template.
When an Access Template is modified or no longer applied, the permission information on objects affected by the Access Template changes accordingly.
You can display a list of Access Template links starting from one of the following points:
-
Access Template: Right-click an Access Template and click Links.
This displays the links in which the Access Template occurs.
-
Security principal (Trustee): Right-click a group or user, and click Delegated Rights.
This displays the links in which the group or user occurs as a Trustee either directly or due to group memberships.
-
Securable object: Right-click a container object or Managed Unit and click Delegate Control. For a leaf object, open the Properties dialog, go to the Administration tab, and click Security.
This displays the links in which the selected object occurs as a securable object (referred to as Directory Object).
Another way to see a list of Access Template links is to use the advanced details pane. Ensure that Advanced Details Pane is checked on the View menu, and then select one of the following:
-
Access Template
The Links tab lists the links in which the selected Access Template occurs.
-
Other object (Managed Unit, container, or leaf object).
The Active Roles Security tab lists the links in which the selected object occurs as a securable object (referred to as Directory Object).
The Active Roles Console displays a list of Access Template links in a separate window. Thus, the Active Roles Security window is displayed when you start from a securable object (for example, by clicking a Managed Unit or Organizational Unit and then clicking Delegate Control).
Each entry in the list of the Access Template links includes the following information:
-
Trustee: The link defines administrative rights of this security principal (group or user).
-
Access Template: The Access Template that determines the rights of the Trustee.
-
Directory Object: The link defines the rights of the Trustee to this securable object.
-
Sync to Native Security: Indicates whether the permissions are synced to Active Directory.
-
Disabled: Indicates whether the link is disabled. If a link is disabled, the permissions defined by that link have no effect.
-
Access Rule: Indicates whether an Access Rule is applied to this link. For more information, see Windows claims-based access rules).
The Active Roles Security window (as well as the Active Roles Security tab in the advanced details pane) lists the links of these categories:
-
Direct links: The Access Template is applied (linked) directly to the securable object you have selected.
-
Inherited links: The Access Template is applied (linked) to a container in the hierarchy of containers above the securable object you have selected, or to a Managed Unit to which the securable object belongs.
The links inherited from parent objects can be filtered out of the list:
-
When using the Active Roles Security window, clear the Show inherited check box.
-
When using the Active Roles Security tab, right-click the list and then click Show Inherited to deselect the menu item.
A window or tab that displays Access Template links allows you to manage links. In a window, you can use buttons beneath the list. In a tab, you can right-click a list entry or a blank area, and then use commands on the shortcut menu. For example, the following buttons appear in the Active Roles Security window:
-
Add: Starts the Delegation of Control Wizard to create apply Access Templates.
-
Remove: Deletes the selected entries from the list of links. Available for direct links only.
-
View/Edit: Displays the dialog to view or modify link properties such as permissions inheritance and propagation options.
-
Sync to AD: Toggles the permissions propagation option of the links selected in the list.
-
Disable: Disables or enables the link. If a link is disabled, the permissions specified by the link takes no effect.
TIP: In the Active Roles Security dialog box, the Remove button is available on direct links only. When you need to delete links, it is advisable to manage them using the Links command on the Access Template.
Steps for managing Access Template links
When you apply an Access Template (see Applying Access Templates), Active Roles creates an object, referred to as an Access Template link that stores information about the Access Template, the directory object on which the Access Template is applied, and the user or group (Trustee) to whom the permissions are assigned. Basically, the management of permission settings in Active Roles comes to the management of Access Templates and Access Template links. This topic provides some instructions you can use to view or modify Access Template links.
To view or modify Access Template links in which a given Access Template occurs
-
Right-click the Access Template, and click Links.
-
In the Links dialog, do the following:
-
To create a new link, click Add and follow the steps in the Delegation of Control Wizard to apply an Access Template. For more information, see Applying Access Templates.
-
To delete a link, select it from the list and click Remove.
-
To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.
-
To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.
-
To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.
To view or modify Access Template links on a given object
-
Open the Active Roles Security dialog box for the object:
-
Right-click the object, and click Delegate Control.
OR
-
Right-click the object, and click Properties. Then, on the Administration tab in the Properties dialog box, click Security.
-
In the Active Roles Security dialog box, do the following:
-
To create a new link, click Add and follow the steps in the Delegation of Control Wizard to specify permission settings on the object by using an Access Template. For more information, see Applying Access Templates.
-
To delete a link, select it from the list and click Remove.
-
To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.
-
To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.
-
To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.
To view or modify Access Template links for a given user or group
-
Right-click the user or group, and click Delegated Rights.
-
In the Delegated Rights dialog, do the following:
-
To create a new link, click Add and follow the steps in the Delegation of Control Wizard to specify permissions for the user or group by using an Access Template. For more information, see Applying Access Templates.
-
To delete a link, select it from the list and click Remove.
-
To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.
-
To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.
-
To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.
NOTE: Consider the following when managing Access Template links:
-
By default, the Active Roles Security dialog for an object lists all the links that determine the permission settings on the object, regardless of whether a link was created on the object itself or on a container or Managed Unit that holds the object. To change the display of the list, clear the Show inherited check box.
-
In the Active Roles Security dialog, only direct links can be removed, that is, a link can be removed if the link was created on the object itself (not inherited from a container or Managed Unit). Only direct links are displayed when you clear the Show inherited check box, so you can delete them by clicking Remove.
-
In the Active Roles Security dialog, the Remove button is available only on direct links. When you need to delete links, it is advisable to manage this by using the Links command on the Access Template or by using the Delegated Rights command on the Trustee (user or group). Alternatively, you can delete a link by using View/Edit: Select the link and click View/Edit; then, click Properties next to the Access Template box; then, on the Administration tab, click Links, and, finally, delete the link from the Links dialog.
-
In the Active Roles Security dialog, the Sync to AD button is available only on direct links. When you need to change synchronization status of a link, it is advisable to manage this by using the Links command on the Access Template or by using the Delegated Rights command on the Trustee (user or group). Alternatively, you can change the synchronization status of a link by using View/Edit: Select the link and click View/Edit; then, on the Synchronization tab, select or clear Propagate permissions to Active Directory.
-
Clicking View/Edit displays the Properties dialog for the selected link. This dialog can be considered as a focal point for administration of all elements of the link. Thus, from the Properties dialog, you can access the properties of the directory object, Access Template and Trustee that are covered by the link, view or modify the settings found on the Inheritance Options and Permissions Propagation pages in the Delegation of Control Wizard, and enable or disable the link.
-
You can also manage Access Template links on the Links or Active Roles Security tab in the Advanced Details Pane, which allows you to perform the same tasks as the Links or Active Roles Security dialog, respectively. Right-click a link or a blank area on the tab, and use command on the shortcut menu. The Links tab is displayed when you select an Access Template. Otherwise, the Active Roles Security tab is displayed. To display the Advanced Details Pane, check Advanced Details Pane on the View menu. For more information, see Advanced pane.
Synchronizing permissions to Active Directory
Active Roles provides the option to keep Active Directory native security updated with selected permissions specified using Access Templates. This option, referred to as "permissions Propagation", is intended to provision users and applications with native permissions to Active Directory. The normal operation of Active Roles does not rely on this option.
You can set the permissions propagation option in two ways:
-
When applying Access Templates, you can select the Propagate permissions to Active Directory check box in the Delegation of Control Wizard.
-
When managing Access Template links, you can use the Sync to AD button in a window that displays a list of links or use the Sync to AD command on a tab that displays a list of links in the Advanced Details Pane.
For example, suppose Active Roles defines certain permissions on an Organizational Unit (OU), and you want to synchronize them to Active Directory. You can accomplish this task as follows.
First, right-click the OU and click Delegate Control to display the Active Roles Security window.
Next, in the Access Template links list, select the links that define the permissions you want to synchronize.
Finally, click the Sync to AD button. The Sync to Native Security column in the list displays Yes for the links that you are going to synchronize.
After you click OK, Active Roles creates permission entries in Active Directory so that the Trustee has the same rights in Active Directoryas it has in the Active Roles environment in accordance with the Access Template links you have synchronized.
You can stop synchronization of permissions at any time by clicking the Desync to AD button. If you do so, Active Roles deletes all permission entries in Active Directory that were created as a result of synchronization.
TIP: In the Active Roles Security dialog, the Sync to AD button is only available on direct links. When you need to synchronize links, it is advisable to manage them using the Links command on the Access Template.
You can also accomplish this task using the Advanced Details Pane as follows:
-
Select the OU.
-
On the Active Roles Security tab, select the Access Template links that define the permissions you want to synchronize.
-
Right-click the selection and click Sync to AD.
You can use the Sync to AD command to stop synchronization: right-click the links you want to no longer be synchronized, and click Desync to AD.
TIP: On the Active Roles Security tab, the Sync to AD command is available on direct links only. When you need to synchronize links, it is advisable to manage them using the Links tab for the Access Template.
Steps for synchronizing permissions to Active Directory
Active Roles provides the option to keep Active Directory native security updated with selected permission settings that are specified by using Access Templates. This option, referred to as "permission propagation", is intended to provision users and applications with native permissions to Active Directory. The normal operation of Active Roles does not rely on this option.
You can set the permissions propagation option as follows:
-
When applying an Access Template, select the Propagate permissions to Active Directory check box in the Delegation of Control Wizard. For more information, see Applying Access Templates.
-
When managing Access Template links, use the Sync to AD button in the dialog that displays a list of links. For more information, see Steps for managing Access Template links.
As an example, you can use the following instructions to set the permissions propagation option on the permission settings that are defined by applying a certain Access Template to an Organizational Unit (OU):
To synchronize permission settings on an OU
-
Right-click the OU and click Delegate Control.
-
In the Active Roles Security dialog, select the Access Template link that determines the permission settings you want to synchronize to Active Directory, and then click Sync to AD.
-
Click OK to close the Active Roles Security dialog box.
NOTE: Consider the following when configuring permission propagation:
-
When synchronizing permissions to Active Directory, Active Roles creates permission entries in Active Directory so that the Trustee has the same rights in Active Directory as it has in the Active Roles environment as per the Access Template links you have synchronized.
-
You can stop synchronization of permissions at any time by clicking the Desync to AD button. If you do so, Active Roles deletes all permission entries in Active Directory that were created as a result of synchronization.
-
You can also manage the permissions propagation option on the Links or Active Roles Security tab in the Advanced Details Pane, which allows you to perform the same tasks as the Links or Active Roles Security dialog, respectively. Right-click the link on which you want to set the permissions propagation option, and click Sync to AD to start synchronization or Desync to AD to stop synchronization. The Links tab is displayed when you select an Access Template. Otherwise, the Active Roles Security tab is displayed. To display the Advanced Details Pane, check Advanced Details Pane on the View menu. For more information, see Advanced pane.