
Active Roles 7.4.1 - Access Templates Available out of the Box

Active Directory Data Management

You can use Access Templates in this category to delegate management tasks on the content that is stored in Active Directory. The data management tasks include, but are not limited to, managing user objects (users), computer objects (computers), and groups.

Table 6: Active Directory Data Management

| Access Template | Description |
| --- | --- |
| All Objects - Full Control | Perform any administrative operation on any object in Active Directory. This Access Template allows data owners to delegate control of Active Directory objects to data administrators who are responsible for carrying out all tasks required to manage the Active Directory contents. |
| All Objects - Read All Properties | List directory objects and view all properties of any object in Active Directory. |
| All Objects - View or Restore Deleted Objects | Apply this template to a container to allow viewing and restoring Active Directory objects that were deleted from that container. |
| Claim Types - Full Control | Create new claim types; perform all administrative operations on existing claim types. Claim types determine the claims to be issued for an Active Directory security principal upon its authentication. Claim types are used to define permissions when authoring claim-based access rules. |
| Claim Types - Modify All Properties | View or change all claim type properties. |
| Claim Types - Read All Properties | List claim types; view all claim type properties. |
| Computers - Create Computer Accounts | Create new computer accounts; view all properties of computer accounts. |
| Computers - Full Control | Create new computer accounts; perform all administrative tasks on existing computer accounts. |
| Computers - Modify All Properties | View or change all properties of computer accounts. |
| Computers - Move Computer Accounts | Move computer accounts; view all properties of computer accounts. |
| Computers - Read All Properties | List computer accounts; view all properties of computer accounts. |
| Computer - Reset Computer Accounts | Reset computer accounts; view all properties of computer accounts. |
| Contacts - Create Contacts | Create new contacts; view all properties of contacts. |
| Contacts - Full Control | Create new contacts; perform all administrative operations on existing contacts. |
| Contacts - Modify All Properties | View and modify all properties of contacts. |
| Contacts - Modify Picture | View or change the image of the contact (the thumbnailPhoto attribute of the contact object); view all properties of the contact object in the directory. |
| Contacts - Read All Properties | List contacts; view all properties of contacts. |
| Domains - Read All Properties | List domain objects; view all properties of domain objects. |
| gMSA - Full Control | Create new group Managed Service Accounts; perform all administrative operations on existing group Managed Service Accounts. |
| gMSA - Modify All Properties | View or change all properties of group Managed Service Accounts. |
| gMSA - Modify Membership Policy | View or change the list of computers and computer groups allowed to use a given group Managed Service Account. |
| gMSA - Read All Properties | List group Managed Service Accounts; view all properties of group Managed Service Accounts. |
| Groups - Add/Remove Members | View and modify lists of group members. |
| Groups - Create Groups | Create new groups; view all properties of groups. |
| Groups - Full Control | Create new groups; perform all administrative operations on existing groups. |
| Groups - Manage Dynamic Groups | Configure rules-based management of group membership lists; view all properties of groups; list groups in containers; list containers. |
| Groups - Modify All Properties | View and modify all properties of groups. |
| Groups - Modify Picture | View or change the image of the group (the thumbnailPhoto attribute of the group object); view all properties of the group object in the directory. |
| Groups - Perform Deprovision Tasks | Deprovision groups; view all properties of groups. This template is intended to delegate the use of the Deprovision command on groups without requiring the delegation of the create/delete operation. |
| Groups - Perform Undo Deprovision Tasks | Restore (un-deprovision) groups; view all properties of groups. This template is intended to delegate the use of the Undo Deprovisioning command on groups. |
| Groups - Read all Properties | List groups; view all properties of groups. |
| OUs - Create OUs | Create new Organizational Units; view all properties of Organizational Units. |
| OUs - Full Control | Create new Organizational Units; perform all administrative operations on existing Organizational Units. |
| OUs - Modify All Properties | View and modify all properties of Organizational Units. |
| OUs - Read All Properties | List Organizational Units; view all properties of Organizational Units. |
| Printers - Full Control | Create new printer queue objects; perform all administrative operations on existing printer queue objects. |
| Printers - Modify All Properties | View and modify all properties of printer queue objects. |
| Printers - Read All Properties | List printer queue objects; view all properties of printer queue objects. |
| Shared Folders - Full Control | Create new shared folder objects; perform all administrative operations on existing shared folder objects. |
| Shared Folders - Modify All Attributes | View and modify all properties of shared folder objects. |
| Shared Folders - Read All Properties | List shared folder objects; view all properties of shared folder objects. |
| Users - Create User Accounts | Create new user accounts; view all properties of user accounts. |
| Users - Delete User Accounts | Delete user accounts; view all properties of user accounts. |
| Users - Perform Deprovision Tasks | Deprovision user accounts and other user-related resources; view all properties of user accounts. This template is intended to delegate the use of the Deprovision command on user accounts without requiring the delegation of the create/delete operation. |
| Users - Perform Undo Deprovision Tasks | Restore (un-deprovision) user accounts; view all properties of user accounts. This template is intended to delegate the use of the Undo Deprovisioning command on user accounts. |
| Users - Full Control | Create new user accounts; perform all administrative operations on existing user accounts. |
| Users - Help Desk | Reset user passwords, unlock user accounts, assign or remove digital (X.509) certificates from user accounts, and view all properties of user accounts. Recommended for implementing Help Desk: data owners can use this Access Template to delegate day-to-day operations to the Help Desk service. |
| Users - Modify All Properties | View and modify all properties of user accounts. |
| Users - Modify Personal Data | Manage a basic set of HR-related properties in user accounts. |
| Users - Modify Picture | View or change the image of the user (the thumbnailPhoto attribute of the user account); view all properties of the user account in the directory. |
| Users - Move User Accounts | Move user accounts; view all properties of user accounts. |
| Users - Pager & Cell Phone Numbers | View and modify mobile phone and pager numbers in user accounts; view all properties of user accounts. |
| Users - Phone Number & Address | Modify the address settings and telephone numbers in user accounts; view all properties of user accounts. |
| Users - Read All Properties | List user accounts; view all properties of user accounts. |
| Users and Groups - Basic Management | List groups and user accounts; add them to or remove them from groups; reset user passwords; view and modify logon-related properties of user accounts. |

Active Directory/Advanced: Computer Objects

Table 7: Active Directory/Advanced: Computer Objects

| Access Template | Description |
| --- | --- |
| Computer Objects – Create | Create computer objects; no other permissions are included. |
| Computer Objects – Delete | Delete computer objects; no other permissions are included. |
| Computer Objects – List | List computer objects; no other permissions are included. |
| Computer Objects – Read/Write Account Restrictions | View and modify properties that describe account restrictions for computer objects (User-Account-Restrictions property set); no other permissions are included. Property set members: see “User-Account-Restrictions Property Set” at http://msdn.microsoft.com/en-us/library/ms684412.aspx |
| Computer Objects – Read/Write General Information | View and modify properties that constitute general information for computer objects: computer name (pre-Windows 2000), DNS name, role, description, and the flags that control password, lockout, and disable/enable behavior (User-Account-Control attribute). No other permissions are included. |
| Computer Objects – Read/Write Manager | View and modify what person is assigned to manage a computer (Managed-By attribute); no other permissions are included. |
| Computer Objects – Read/Write Personal Information | View and modify properties that describe personal information for computer objects (Personal-Information property set); no other permissions are included. Property set members: see “Personal-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684394.aspx |
| Computer Objects – Read/Write Public Information | View and modify properties that describe public information for computer objects (Public-Information property set); no other permissions are included. Property set members: see “Public-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684396.aspx |
| Computer Objects - Reset Computer Account | Reset computer accounts; no other permissions are included. |
| Computer Objects - View BitLocker Recovery Keys | Search for, and view all properties of, computer child objects each of which contains a Full Volume Encryption recovery password with its associated GUID. Use this template to delegate the task of retrieving BitLocker recovery keys that are stored in Active Directory. |

Active Directory/Advanced: Contacts

Table 8: Active Directory/Advanced: Contacts

| Access Template | Description |
| --- | --- |
| Contacts – Create | Create contact objects; no other permissions are included. |
| Contacts – Delete | Delete contact objects; no other permissions are included. |
| Contacts – Read Group Membership | View a list of groups to which a contact object belongs; no other permissions are included. |
| Contacts – Read/Write Organizational Information | View and modify properties that describe organizational information for contact objects: job title, department, company, employee ID, manager, and office location. No other permissions are included. |
| Contacts – Read/Write Personal Information | View and modify properties that describe personal information for contact objects (Personal-Information property set); no other permissions are included. Property set members: see “Personal-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684394.aspx |
| Contacts – Read/Write Web Information | View and modify properties that describe Web-related information for contact objects (Web-Information property set); no other permissions are included. Property set members: see “Web-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684418.aspx |
| Contacts – Rename | Rename contact objects; no other permissions are included. |

Active Directory/Advanced: Domains

Table 9: Active Directory/Advanced: Domains

| Access Template | Description |
| --- | --- |
| Domains – Change PDC | Change the PDC emulator role owner; no other permissions are included. |
| Domains – Delegate Control and Enforce Active Roles Policy | Apply Active Roles Access Templates and Policy Objects to a domain object; no other permissions are included. |
| Domains – Generate Resultant Set of Policy (Logging) | Generate Group Policy Results data for the users/computers within a given domain; no other permissions are included. |
| Domains – Generate Resultant Set of Policy (Planning) | Generate Group Policy Modeling data for the users/computers within a given domain; no other permissions are included. |
| Domains – List | List domain objects; no other permissions are included. |
| Domains – Read/Write General Information | View and modify properties that constitute general information for domain objects: domain name (pre-Windows 2000) and description. No other permissions are included. |
| Domains – Read/Write Manager | View and modify what person is assigned to manage a domain (Managed-By attribute); no other permissions are included. |
| Domains – Read/Write Other Domain Parameters | View and modify the domain attributes that make up the Domain-Other-Parameters property set; no other permissions are included. Property set members: see “Domain-Other-Parameters Property Set” at http://msdn.microsoft.com/en-us/library/ms684338.aspx |
| Domains – Read/Write Password & Lockout Policies | View and modify the lockout-related and password-age-related properties that apply to the domain's user accounts (Domain-Password property set); no other permissions are included. Property set members: see “Domain-Password Property Set” at http://msdn.microsoft.com/en-us/library/ms684341.aspx |
