If an attribute is flagged as Confidential in Active Directory, Active Roles Access Templates which should be able to delegate read permissions or any access other than Full Control do not function as expected. Instead, the trustee is not able to view any values of this attribute.
It is possible to programmatically populate an Access Template with the specific Extended Rights permission needed to view attributes which are flagged with as confidential in Active Directory. This must be done programmatically, as only a generic Extended Rights permission can be delegated though the Active Roles Console, and this would allow all of the following:
In order to populate an Access Template programmatically, a blank Access Template must first be created at a known location. The below script assumes that an Access Template named TestAT has been created in the root of the default Access Template container. This should be changed to match an actual Access Template name. The script is setting the necessary access for a custom Active Directory attribute called ssn. This should also be changed to match an actual attribute which is flagged as confidential.
This has been resolved in Active Roles 7.1. After upgrading to Active Roles 7.2.1 and later versions, Active Roles will handle confidential attributes just like any other attribute: if access is granted via any Access Template, then the trustee will be able to see the values stored in that attribute.
If it is desired to prevent view access for all but some trustees, even if they have been granted a View All Properties Access Template, then it is possible to implement an Access Rule as per this resource.