Use Access Templates to grant permissions to users and groups. When you add a user to an Access Template, you add all the attributes and permissions of that template to that user. When you apply Access Templates to a folder, you configure the permission settings to propagate from the folder to its child objects, down the directory structure.
You implement a delegation scheme by applying Access Templates included with the Integration Pack. For example, to delegate all Unix-related management tasks on user accounts, link the Users - Modify All Unix Properties Access Template to a certain organizational unit and select the appropriate group as Trustee. As a result, any member of that group is authorized to perform the tasks on any user account held in that organizational unit.
To delegate rights to manage Unix objects
- From the ActiveRoles Server Console, navigate to Active Directory.
- From the Action menu, choose Delegate Control.
- On the Access Template links page, click Add.
- When the Delegation of Control Wizard starts, click Next.
  The Delegation of Control Wizard helps you delegate control of directory objects. Grant permission to manage users, groups, computers, organizational units, and other objects administered with ActiveRoles Server.
- On the Users or Groups page, click Add.
- On the Select Objects page, click the link to display the objects.
- Select objects, click Add and then OK.
- On the Users or Groups page, click Next.
- On the Access Templates page, expand Safeguard Authentication Services Integration v2.x, select Group, User, or both, and click Next.
- On the Inheritance Options page, specify whether you want child objects to inherit the permission settings from the selected Access Templates and click Next.
- On the Permissions Propagation page, leave the Propagate permissions to Active Directory option unselected and click Next.
- On the "Complete" page, click Finish if you are satisfied with the delegation of control.
- On the Access Template links page, click OK to return to the console.
Users or groups with delegated rights to manage Unix objects can enable, disable, or change Unix attributes on users and groups in either the ActiveRoles Server Console or the Web interface.
NOTE: Each delegated user must have read access to the application configuration.