This document lists the built-in Access Templates (ATs) installed with Active Roles 8.1.3.
This document lists the built-in Access Templates (ATs) installed with Active Roles 8.1.3.
To help delegating administrative permissions for Active Directory (AD), Azure Active Directory (Azure AD), Exchange, Starling, or other miscellaneous resources in your organization, the Active Roles Console provides a set of built-in Access Templates (ATs).
With ATs, you can simplify the delegation of administrative tasks by assigning low-level permissions to your organizational resources, allowing administrators to manage them in the scope of the assigned ATs as a single unit.
With the built-in ATs of the Active Roles Console, you can:
Delegate the most typical administrative roles within your organization. For more information on how to assign ATs, see Applying Access Templates in the Active Roles Administration Guide.
Create your own custom ATs by using the built-in ones as a baseline. For more information, see Creating an Access Template in the Active Roles Administration Guide.
The Configuration > Access Templates > Active Directory container of the Active Roles Console contains Access Templates (ATs) for delegating Active Directory (AD) service and data management tasks, for example:
User and group management.
Computer, printer queue and shared folder object management.
Forest and domain configuration management.
This container has two sub-containers:
Advanced contains special AD ATs with very granular permissions. For more information, see Active Directory – Advanced ATs.
Best Practices for Delegating Active Directory Administration contains ATs for delegating service management to the most typical AD service management roles. For the list of these ATs, see Active Directory – Best Practices ATs.
For more information about these best practices, their security sensitivity and impact, see the Microsoft Windows Server documentation.
For more information on how to configure these ATs within the Active Roles Console, see the Description of the applicable AT.
IMPORTANT: Consider the following when configuring Active Directory ATs:
To ensure that all appropriate permission entries are added to AD when configuring service management-specific ATs, always select the Propagate permissions to Active Directory option in the Permissions Propagation step of the Delegation of Control Wizard.
Figure 1: Delegation of Control Wizard – Permissions propagation
For more information on how to configure ATs for resource objects in your organization with the Active Roles Console, see Applying Access Templates in the Active Roles Administration Guide.
Active Roles does not support configuring ATs for the Schema container. To do so, use native Microsoft tools, such as ADSI Edit.
To delegate data management tasks for the resources stored in your Active Directory AD environment, use the Access Templates (ATs) in the root of the Configuration > Access Templates > Active Directory container of the Active Roles Console. Such data management tasks include managing users, groups, printers, or computers.
Access Template |
Description |
All Objects - Full Control |
Grants full permission to perform any administrative operation on any object in AD. TIP: Use this AT to delegate complete permission to data administrators who are expected to carry out any and all AD content management tasks in your organization. |
All Objects - Read All Properties |
Grants the following permissions:
|
All Objects - View or Restore Deleted Objects |
Grants the permission to view or restore AD objects deleted from a container. TIP: Apply this AT to the container whose deleted objects the data administrators should be able to view or restore. For more information on how to configure ATs for resource objects in your organization with the Active Roles Console, see Applying Access Templates in the Active Roles Administration Guide. |
Claim Types - Full Control |
Grants full permission to:
Claim types determine the claims to issue for an AD security principal upon its authentication, and are used to define permissions when authoring claim-based access rules. |
Claim Types - Modify All Properties |
Grants permission to view or change all claim type properties. |
Claim Types - Read All Properties |
Grants permission to list claim types and view all claim type properties. |
Computers - Create Computer Accounts |
Grants the following permissions:
|
Computers - Full Control |
Grants full permission to:
|
Computers - Modify All Properties |
Grants permission to view or change all properties of computer accounts. |
Computers - Move Computer Accounts |
Grants the following permissions:
|
Computers - Read All Properties |
Grants the following permissions:
|
Computer - Reset Computer Accounts |
Grants the following permissions:
|
Contacts - Create Contacts |
Grants the following permissions:
|
Contacts - Full Control |
Grants full permission to:
|
Contacts - Modify All Properties |
Grants permission to view or modify all contact properties. |
Contacts - Modify Picture |
Grants the following permissions:
|
Contacts - Read All Properties |
Grants the following permissions:
|
Domains - Read All Properties |
Grants the following permissions:
|
gMSA - Full Control |
Grants full permission to:
|
gMSA - Modify All Properties |
Grants permission to view or change all gMSA properties. |
gMSA - Modify Membership Policy |
Grants permission to view or change the list of computers and computer groups allowed to use a specific gMSA. |
gMSA - Read All Properties |
Grants the following permissions:
|
Groups - Add/Remove Members |
Grants permission to view or modify the members of groups. |
Groups - Create Groups |
Grants the following permissions:
|
Groups - Full Control |
Grants full permission to:
|
Groups - Manage Dynamic Groups |
Grants the following permissions:
|
Groups - Modify All Properties |
Grants permission to view or modify all group properties. |
Groups - Modify Picture |
Grants the following permissions:
|
Groups - Perform Deprovision Tasks |
Grants the following permissions:
TIP: Use this AT to delegate group deprovisioning permissions to data administrators without also delegating group create and group delete permissions. |
Groups - Perform Undo Deprovision Tasks |
Grants the following permissions:
TIP: Use this AT to delegate the permission of performing the Undo Deprovisioning command on groups only. |
Groups - Read all Properties |
Grants the following permissions:
|
OUs - Create OUs |
Grants the following permissions:
|
OUs - Full Control |
Grants full permission to:
|
OUs - Modify All Properties |
Grants permission to view or modify all OU properties. |
OUs - Read All Properties |
Grants the following permissions:
|
Printers - Full Control |
Grants full permission to:
|
Printers - Modify All Properties |
Grants permission to view or modify all printer queue properties. |
Printers - Read All Properties |
Grants the following permissions:
|
Shared Folders - Full Control |
Grants full permission to:
|
Shared Folders - Modify All Attributes |
Grants permissions to view or modify all shared folder properties. |
Shared Folders - Read All Properties |
Grants the following permissions:
|
Users - Create User Accounts |
Grants the following permissions:
|
Users - Delete User Accounts |
Grants the following permissions:
|
Users - Full Control |
Grants full permission to:
|
Users - Help Desk |
Grants the following permissions:
TIP: One Identity recommends using this AT to delegate permissions required for the day-to-day operations of your helpdesk service. |
Users - Modify All Properties |
Grants permission to view or modify all user account properties. |
Users - Modify Personal Data |
Grants permission to manage the basic HR-related properties of user accounts. |
Users - Modify Picture |
Grants the following permissions:
|
Users - Move User Accounts |
Grants the following permissions:
|
Users - Pager & Cell Phone Numbers |
Grants the following permissions:
|
Users - Perform Deprovision Tasks |
Grants the following permissions:
TIP: Use this AT to delegate user deprovisioning permissions to data administrators without also delegating user create and user delete permissions. |
Users - Perform Undo Deprovision Tasks |
Grants the following permissions:
TIP: Use this AT to delegate the permission of performing the Undo Deprovisioning command on user accounts only. |
Users - Phone Number & Address |
Grants the following permissions:
|
Users - Read All Properties |
Grants the following permissions:
|
Users and Groups - Basic Management |
Grants the following permissions:
|
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Términos de uso Privacidad Cookie Preference Center