Return
-
Title
What are the minimum permissions required to allow delegated administrators to link Access Templates? -
Description
You may wish to allow delegated administrators to create and link access templates without granting them Active Roles Service account the Administrators permission.
-
Resolution
- In ARS MMC Console, select View | Mode and then select Raw Mode
-
Create a new Access Templates and add the following permissions to it:
All Classes – Write Control
-
Create a new Access Templates and add the following permissions to it:
All Classes – Read Control
-
Select the Access Templates container and grant the following permissions to the delegated administrators:
All objects - read all properties.
NOTE: This will allow your delegated admins vew all the Access Templates.
If you want to limit the number of Access Templates visible to delegated administrators, apply the Special - Block Permission Inheritance Access Template to each Access Template container you want to hide.
-
Select the target domain and grant the following permissions to the delegated administrators:
All objects - read all properties
-
For each OU where the delegated administrators will apply access templates, delegate the following permission using Access Template created in Step 2:
All Classes – Write Control
-
For each OU where the delegated administrators need to view the applied Access Templates, grant the following permission using Access Template created in Step 3:
All Classes – Read Control