Predefined specifiers
Active Roles comes with a collection of predefined specifiers that determine the default resource profile configuration. The pre-defined specifiers are located in the Configuration > Server Configuration > Entitlement Profile Specifiers > Builtin container, and can be administered using the Active Roles Console. You can make changes to a predefined specifier (see Changing entitlement profile specifiers) or you can apply the Disable command for the specifier to have no effect.
NOTE: Predefined specifiers cannot be deleted.
The predefined specifiers have a lower priority than customer-created specifiers. This means the entitlement rules of customer-created specifiers are evaluated first, so that if a given entitlement target object matches the entitlement rules of both a predefined specifier and a customer-created specifier, the latter specifier is applied. The priority of specifiers is governed by the edsaPriority attribute setting. For more information, see About entitlement profile build process.
The following table provides information about the predefined specifiers. For each specifier, the table lists the specifier’s name, description, entitlement type and rules, and resource display settings.
Table 55: Predefined specifiers
Name: Self - Exchange Mailbox
Description: Specifies user entitlement to Exchange mailbox. |
Type: Personal resource entitlement
Rules: Entitlement target object is an Exchange mailbox enabled user account. |
Resource type name: Exchange Mailbox
Resource naming attribute: mail
Other resource-related attributes:
|
Name: Self - Home Folder
Description: Specifies user entitlement to home folder. |
Type: Personal resource entitlement
Rules: Entitlement target object has the homeDirectory attribute set. |
Resource type name: Home Folder
Resource naming attribute: homeDirectory
Other resource-related attributes:
|
Name: Self - Unix Account
Description: Specifies user entitlement to Unix-enabled account. |
Type: Personal resource entitlement
Rules: Entitlement target object has the uidNumber attribute set AND has a loginShell attribute value other than /bin/false. |
Resource type name: Unix-enabled Account
Resource naming attribute: userPrincipalName
Other resource-related attributes:
-
userPrincipalName
-
uidNumber
-
gidNumber
-
unixHomeDirectory
-
loginShell |
Name: Self - OCS Account
Description: Specifies user entitlement to Office Communications Server enabled account. |
Type: Personal resource entitlement
Rules: Entitlement target object has the msRTCSIP-UserEnabled attribute set to TRUE. |
Resource type name: Enabled for Office Communications Server
Resource naming attribute: msRTCSIP-PrimaryUserAddress
Other resource-related attributes:
|
Name: Membership - Member of Security Group
Description: Specifies entitlement to a resource via membership in a security group. |
Type: Shared resource entitlement
Rules: Entitlement target object is a security group.
This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the shared resource entitlement type are evaluated prior to the rules of this specifier. |
Resource type name: Member of Security Group
Resource naming attribute: name
Other resource-related attributes:
|
Name: Membership - Access to SharePoint Site
Description: Specifies entitlement to a SharePoint site via membership in a certain security group. |
Type: Shared resource entitlement
Rules: Entitlement target object is a security group that has the edsva-SP-MirrorType attribute set. |
Resource type name: Access to SharePoint Site
Resource naming attribute: name
Other resource-related attributes:
|
Name: Managed By - Owner of Security Group
Description: Specifies entitlement to the manager or owner role for a security group. |
Type: Managed resource entitlement
Rules: Entitlement target object is a security group. |
Resource type name: Owner of Security Group
Resource naming attribute: name
Other resource-related attributes:
|
Name: Managed By - Owner of Distribution List
Description: Specifies entitlement to the manager or owner role for a distribution group. |
Type: Managed resource entitlement
Rules: Entitlement target object is an Exchange mail enabled (distribution) group. |
Resource type name: Owner of Distribution List
Resource naming attribute: displayName
Other resource-related attributes:
|
Name: Managed By - Owner of Resource Exchange Mailbox
Description: Specifies entitlement to the owner role for a room, equipment, or shared mailbox. |
Type: Managed resource entitlement
Rules: Entitlement target object is a user account associated with a room, equipment or shared mailbox. |
Resource type name: Owner of Resource Exchange Mailbox
Resource naming attribute: displayName
Other resource-related attributes:
|
Name: Managed By - Owner of Exchange Contact
Description: Specifies entitlement to the owner role for an Exchange mail contact. |
Type: Managed resource entitlement
Rules: Entitlement target object is an Exchange mail contact. |
Resource type name: Owner of Exchange Contact
Resource naming attribute: displayName
Other resource-related attributes:
-
displayName
-
givenName
-
sn
-
mail
-
telephoneNumber
-
company
-
edsvaParentCanonicalName |
Name: Managed By - Owner of Computer
Description: Specifies entitlement to the manager or owner role for a computer. |
Type: Managed resource entitlement
Rules: Entitlement target object is a computer account. |
Resource type name: Owner of Computer
Resource naming attribute: name
Other resource-related attributes:
-
name
-
dNSHostName
-
description
-
operatingSystem
-
edsvaParentCanonicalName |
Name: Managed By - Default
Description: Default specifier for entitlement to the manager or owner role. |
Type: Managed resource entitlement
Rules: No rules specified, which means that any object is regarded as matching the entitlement rules of this specifier.
This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the managed resource entitlement type are evaluated prior to the rules of this specifier. |
Resource type name: Owner of <target object class display name>
Resource naming attribute: name
Other resource-related attributes:
-
name
-
description
-
edsvaParentCanonicalName |
Viewing entitlement profile
A user’s entitlement profile can be accessed from the Active Roles Console or Web Interface, allowing you to quickly examine resources to which the user is entitled:
-
In the Console, right-click the user and click Entitlement Profile. Alternatively, click Entitlement Profile on the Managed Resources tab in the Properties dialog for the user account.
-
In the Web Interface, click the user, and then choose Entitlement Profile from the list of commands.
This opens the Entitlement Profile page that lists the user’s resources grouped in expandable blocks by resource type. Each block may be a section that represents a single resource, or it may comprise a number of sections each of which represents a single resource. The grouping of sections occurs for resources of the same type. For example, the security groups in which the user has membership may be grouped together in a single block, with each group being represented by a separate section.
Initially, each block or section displays only a heading that includes the following items:
-
Resource icon: Graphics that helps distinguish the type of the resource.
-
Resource type: Text string that identifies the type of the resource.
-
Resource name: Text string that identifies the name of the resource, or indicates that the block comprises multiple resource-specific sections.
To view resource details, click the heading of a block or section.
Out of the box, Active Roles is configured so that a user’s entitlement profile displays the user’s entitlements to the resources listed in the table that follows. Active Roles administrators can configure the entitlement profile to display information about additional resources. If a user is not entitled to any resources of a particular type, then the user’s entitlement profile does not contain the sections specific to that resource type. For example, if a user does not have an Exchange mailbox, then the user’s entitlement profile does not contain information about the user’s mailbox.
Table 56: User resources
Exchange Mailbox |
E-mail address of mailbox |
|
Home Folder |
Path and name of home folder |
|
Unix-enabled Account |
User principal name |
|
Enabled for Office Communications Server |
Live communications address |
|
Member of Security Group |
Group name |
-
Group name
-
Group display name
-
Group description
-
Group notes
-
Resource address (URL)
-
Group’s "Managed By" setting
-
Group’s "Is Published" setting
-
Group’s "Approval by Primary Owner Required" setting
-
Group location ("In Folder" setting) |
Access to SharePoint Site |
Group name |
-
Group name
-
SharePoint site name
-
SharePoint site address (URL)
-
Group’s "Managed By" setting
-
Group’s "Is Published" setting
-
Group’s "Approval by Primary Owner Required" setting
-
Group location (group’s "In Folder" setting) |
Owner of Security Group |
Group name |
-
Group name
-
Group display name
-
Group description
-
Group notes
-
Resource address (URL)
-
Group’s "Managed By" setting
-
Group’s "Is Published" setting
-
Group’s "Approval by Primary Owner Required" setting
-
Group location ("In Folder" setting) |
Owner of Distribution List |
Group display name |
-
Group display name
-
Group e-mail address
-
Group description
-
Group notes
-
Group’s "Managed By" setting
-
Group’s "Is Published" setting
-
Group’s "Approval by Primary Owner Required" setting
-
Group location ("In Folder" setting) |
Owner of Resource Exchange Mailbox |
Mailbox display name |
|
Owner of Exchange Contact |
Contact display name |
|
Owner of Computer |
Computer name |
|
Owner of Resource (default) |
Managed object’s name |
|
Authorizing access to entitlement profile
By default, permission to view the entitlement profile is given to Active Roles Admin, the administrative account or group specified during Active Roles installation. Other users or groups can also be permitted to view the entitlement profile. A dedicated Access Template is provided for this purpose so that you can allow the use of the Entitlement Profile command by designated users or user groups.
To permit particular users or groups to view the entitlement profile of the users held in a certain container, such as an Organizational Unit or a Managed Unit, apply the Access Template as follows.
To authorize access to the entitlement profile
-
In the Active Roles Console, right-click the container and click Delegate Control to display the Active Roles Security window.
-
In the Active Roles Security window, click Add to start the Delegation of Control Wizard.
-
In the wizard, click Next.
-
On the Users or Groups page, click Add, and then select the desired users or groups.
-
Click Next.
-
On the Access Templates page, expand the Active Directory > Advanced folder, and then select the check box next to Users - View Entitlement Profile (Extended Right).
-
Click Next and follow the instructions in the wizard, accepting the default settings.
After you complete these steps, the users and groups you selected in Step 4 are authorized to view the entitlement profile of the users held in the container you selected in Step 1, as well as in any sub-container of that container.
Recycle Bin
Active Roles builds on Active Directory Recycle Bin, a feature of Active Directory Domain Services introduced in Microsoft Windows Server 2008 R2, to facilitate the restoration of deleted objects. When Recycle Bin is enabled, Active Roles makes it easy to undo accidental deletions, reducing the time, costs, and user impact associated with the recovery of deleted objects in Active Directory.
The use of Active Roles in conjunction with Active Directory Recycle Bin helps minimize directory service downtime caused by accidental deletions of directory data. Recycle Bin provides the ability to restore deleted objects without using backups or restarting domain controllers and a user interface featured by Active Roles expedites locating and recovering deleted objects from Recycle Bin. Flexible and powerful mechanisms provided by Active Roles for administrative tasks delegation, enforcement of policy rules and approvals, and change tracking ensure tight control of the recovery processes.
To undo deletions, Active Roles relies on the ability of Active Directory Recycle Bin to preserve all attributes, including the link-valued attributes, of the deleted objects. This makes it possible to restore deleted objects to the same state they were in immediately before deletion. For example, restored user accounts regain all group memberships that they had at the time of deletion.
Active Roles can be used to restore deleted objects in any managed domain that has Active Directory Recycle Bin enabled. This requires the forest functional level of Windows Server 2012, so all the forest domain controllers must be running Windows Server 2012. In a forest that meets these requirements, an administrator can enable Recycle Bin by using the Active Directory module for Windows PowerShell in Windows Server 2012. For more information about Active Directory Recycle Bin, see What’s New in AD DS: Active Directory Recycle Bin in the Microsoft Windows Server 2008 documentation.