Use Access Templates to grant permissions to users and groups. When you add a user to an Access Template, you add all the attributes and permissions of that template to that user. When you apply Access Templates to a folder, you configure the permission settings to propagate from the folder to its child objects, down the directory structure.
You can implement a delegation scheme by applying Access Templates (ATs) included with the Integration Pack. For example, to delegate all UNIX-related management tasks on Windows user accounts, link the Users - Modify All UNIX Properties AT to a certain Organizational Unit and select the appropriate group as Trustee. As a result, any member of that group is authorized to perform the tasks on any user account held in that Organizational Unit.
To delegate rights to manage UNIX objects
- In the ActiveRoles Server Console, navigate to Active Directory.
- From the Action menu, choose Delegate Control.
- On the Access Template links page, click Add.
- When the Delegation of Control Wizard starts, click Next.
  The Delegation of Control Wizard helps you delegate control of directory objects. Give permission to manage users, groups, computers, organizational units, and other objects administered with ActiveRoles Server.
- On the Users or Groups page, click Add.
- On the Select Objects page, click the link to display the objects.
- Select the objects you want to add, click Add, then click OK.
- On the Users or Groups page, click Next.
- On the Access Templates page, expand Safeguard Authentication Services Integration v2.x, select Group, User, or both, and click Next.
- On the Inheritance Options page, specify whether you want child objects to inherit the permission settings from the selected Access Templates and click Next.
- On the Permissions Propagation page, leave the Propagate permissions to Active Directory option clear and click Next.
- On the Complete page, click Finish.
- To return to the Console, on the Access Template links page, click OK.
Users or groups with delegated rights to manage UNIX objects can block, unblock, or change UNIX attributes on users and groups in either the ActiveRoles Server Console or the Web Interface.
NOTE: Each delegated user must have read access to the application configuration.