Pre-defined specifiers
Active Roles comes with a collection of pre-defined specifiers that determine the default resource profile configuration. The pre-defined specifiers are located in the Configuration/Server Configuration/Entitlement Profile Specifiers/Builtin container, and can be administered using the Active Roles console. You can make changes to a pre-defined specifier (see Changing entitlement profile specifiers) or you can apply the Disable command for the specifier to have no effect. Note that pre-defined specifiers cannot be deleted.
The pre-defined specifiers have a lower priority than customer-created specifiers. This means the entitlement rules of customer-created specifiers are evaluated first, so that if a given entitlement target object matches the entitlement rules of both a pre-defined specifier and a customer-created specifier, the latter specifier is applied. The priority of specifiers is governed by the edsaPriority attribute setting (see About entitlement profile build process).
The following table provides information about the pre-defined specifiers. For each specifier, the table lists the specifier’s name, description, entitlement type and rules, and resource display settings.
Table 94: Pre-defined specifiers
|
Name:
Self - Exchange Mailbox
Description:
Specifies user entitlement to Exchange mailbox. |
Type:
Personal resource entitlement
Rules:
Entitlement target object is an Exchange mailbox enabled user account. |
Resource type name:
Exchange Mailbox
Resource naming attribute:
mail
Other resource-related attributes:
|
|
Name:
Self - Home Folder
Description:
Specifies user entitlement to home folder. |
Type:
Personal resource entitlement
Rules:
Entitlement target object has the homeDirectory attribute set. |
Resource type name:
Home Folder
Resource naming attribute:
homeDirectory
Other resource-related attributes:
|
|
Name:
Self - Unix Account
Description:
Specifies user entitlement to Unix-enabled account. |
Type:
Personal resource entitlement
Rules:
Entitlement target object has the uidNumber attribute set AND has a loginShell attribute value other than /bin/false. |
Resource type name:
Unix-enabled Account
Resource naming attribute:
userPrincipalName
Other resource-related attributes:
- userPrincipalName
- uidNumber
- gidNumber
- unixHomeDirectory
- loginShell
|
|
Name:
Self - OCS Account
Description:
Specifies user entitlement to Office Communications Server enabled account. |
Type:
Personal resource entitlement
Rules:
Entitlement target object has the msRTCSIP-UserEnabled attribute set to TRUE. |
Resource type name:
Enabled for Office Communications Server
Resource naming attribute:
msRTCSIP-PrimaryUserAddress
Other resource-related attributes:
- msRTCSIP-PrimaryUserAddress
- edsva-OCS-Pool
|
|
Name:
Membership - Member of Security Group
Description:
Specifies entitlement to a resource via membership in a security group. |
Type:
Shared resource entitlement
Rules:
Entitlement target object is a security group.
This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the shared resource entitlement type are evaluated prior to the rules of this specifier. |
Resource type name:
Member of Security Group
Resource naming attribute:
name
Other resource-related attributes:
- name
- displayName
- description
- info
- edsvaResourceURL
- managedBy
- edsvaPublished
- edsvaApprovalByPrimaryOwnerRequired
- edsvaParentCanonicalName
|
|
Name:
Membership - Access to SharePoint Site
Description:
Specifies entitlement to a SharePoint site via membership in a certain security group. |
Type:
Shared resource entitlement
Rules:
Entitlement target object is a security group that has the edsva-SP-MirrorType attribute set. |
Resource type name:
Access to SharePoint Site
Resource naming attribute:
name
Other resource-related attributes:
- name
- edsva-SP-SiteName
- edsva-SP-SiteURL
- managedBy
- edsvaPublished
- edsvaApprovalByPrimaryOwnerRequired
- edsvaParentCanonicalName
|
|
Name:
Managed By - Owner of Security Group
Description:
Specifies entitlement to the manager or owner role for a security group. |
Type:
Managed resource entitlement
Rules:
Entitlement target object is a security group. |
Resource type name:
Owner of Security Group
Resource naming attribute:
name
Other resource-related attributes:
- displayName
- description
- info
- edsvaResourceURL
- managedBy
- edsvaPublished
- edsvaApprovalByPrimaryOwnerRequired
- edsvaParentCanonicalName
|
|
Name:
Managed By - Owner of Distribution List
Description:
Specifies entitlement to the manager or owner role for a distribution group. |
Type:
Managed resource entitlement
Rules:
Entitlement target object is an Exchange mail enabled (distribution) group. |
Resource type name:
Owner of Distribution List
Resource naming attribute:
displayName
Other resource-related attributes:
- displayName
- mail
- description
- info
- managedBy
- edsvaPublished
- edsvaApprovalByPrimaryOwnerRequired
- edsvaParentCanonicalName
|
|
Name:
Managed By - Owner of Resource Exchange Mailbox
Description:
Specifies entitlement to the owner role for a room, equipment, or shared mailbox. |
Type:
Managed resource entitlement
Rules:
Entitlement target object is a user account associated with a room, equipment or shared mailbox. |
Resource type name:
Owner of Resource Exchange Mailbox
Resource naming attribute:
displayName
Other resource-related attributes:
- displayName
- edsva-MsExch-MailboxTypeDescription
- mail
- description
- homeMDB
- edsvaParentCanonicalName
|
|
Name:
Managed By - Owner of Exchange Contact
Description:
Specifies entitlement to the owner role for an Exchange mail contact. |
Type:
Managed resource entitlement
Rules:
Entitlement target object is an Exchange mail contact. |
Resource type name:
Owner of Exchange Contact
Resource naming attribute:
displayName
Other resource-related attributes:
- displayName
- givenName
- sn
- mail
- telephoneNumber
- company
- edsvaParentCanonicalName
|
|
Name:
Managed By - Owner of Computer
Description:
Specifies entitlement to the manager or owner role for a computer. |
Type:
Managed resource entitlement
Rules:
Entitlement target object is a computer account. |
Resource type name:
Owner of Computer
Resource naming attribute:
name
Other resource-related attributes:
- name
- dNSHostName
- description
- operatingSystem
- edsvaParentCanonicalName
|
|
Name:
Managed By - Default
Description:
Default specifier for entitlement to the manager or owner role. |
Type:
Managed resource entitlement
Rules:
No rules specified, which means that any object is regarded as matching the entitlement rules of this specifier.
This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the managed resource entitlement type are evaluated prior to the rules of this specifier. |
Resource type name:
Owner of <target object class display name>
Resource naming attribute:
name
Other resource-related attributes:
- name
- description
- edsvaParentCanonicalName
|
Viewing entitlement profile
A user’s entitlement profile can be accessed from the Active Roles console or Web Interface, allowing you to quickly examine resources to which the user is entitled:
- In the console, right-click the user and click Entitlement Profile. Alternatively, click the Entitlement Profile button on the Managed Resources tab in the Properties dialog box for the user account.
- In the Web Interface, click the user, and then choose Entitlement Profile from the list of commands.
This opens the Entitlement Profile page that lists the user’s resources grouped in expandable blocks by resource type. Each block may be a section that represents a single resource, or it may comprise a number of sections each of which represents a single resource. The grouping of sections occurs for resources of the same type. For example, the security groups in which the user has membership may be grouped together in a single block, with each group being represented by a separate section.
Initially, each block or section displays only a heading that includes the following items:
- Resource icon Graphics that helps distinguish the type of the resource.
- Resource type Text string that identifies the type of the resource.
- Resource name Text string that identifies the name of the resource, or indicates that the block comprises multiple resource-specific sections.
To view resource details, click the heading of a block or section.
Out of the box, Active Roles is configured so that a user’s entitlement profile displays the user’s entitlements to the resources listed in the table that follows. Active Roles administrators can configure the entitlement profile to display information about additional resources. If a user is not entitled to any resources of a particular type, then the user’s entitlement profile does not contain the sections specific to that resource type. For example, if a user does not have an Exchange mailbox, then the user’s entitlement profile does not contain information about the user’s mailbox.
Table 95: User resources
|
Exchange Mailbox |
E-mail address of mailbox |
- E-mail address
- Mailbox store or database location
- Mailbox user’s display name
|
|
Home Folder |
Path and name of home folder |
- Path and name of home folder
- Drive letter assigned to home folder
|
|
Unix-enabled Account |
User principal name |
- User principal name
- Unix user ID (UID)
- Unix primary group ID (GID)
- Unix home directory
- Unix login shell
|
|
Enabled for Office Communications Server |
Live communications address |
- Live communications address
- Office Communications server or pool
|
|
Member of Security Group |
Group name |
- Group name
- Group display name
- Group description
- Group notes
- Resource address (URL)
- Group’s "Managed By" setting
- Group’s "Is Published" setting
- Group’s "Approval by Primary Owner Required" setting
- Group location ("In Folder" setting)
|
|
Access to SharePoint Site |
Group name |
- Group name
- SharePoint site name
- SharePoint site address (URL)
- Group’s "Managed By" setting
- Group’s "Is Published" setting
- Group’s "Approval by Primary Owner Required" setting
- Group location (group’s "In Folder" setting)
|
|
Owner of Security Group |
Group name |
- Group name
- Group display name
- Group description
- Group notes
- Resource address (URL)
- Group’s "Managed By" setting
- Group’s "Is Published" setting
- Group’s "Approval by Primary Owner Required" setting
- Group location ("In Folder" setting)
|
|
Owner of Distribution List |
Group display name |
- Group display name
- Group e-mail address
- Group description
- Group notes
- Group’s "Managed By" setting
- Group’s "Is Published" setting
- Group’s "Approval by Primary Owner Required" setting
- Group location ("In Folder" setting)
|
|
Owner of Resource Exchange Mailbox |
Mailbox display name |
- Mailbox display name
- Mailbox type
- E-mail address
- Mailbox store or database location
- Mailbox description
- Mailbox location ("In Folder" setting)
|
|
Owner of Exchange Contact |
Contact display name |
- Display name
- First name
- Last name
- E-mail address
- Telephone number
- Company
- Location ("In Folder" setting)
|
|
Owner of Computer |
Computer name |
- Computer name
- Computer DNS name
- Computer description
- Operating system
- Location ("In Folder" setting)
|
|
Owner of Resource (default) |
Managed object’s name |
- Managed object’s name
- Managed object’s description
- Managed object’s location ("In Folder" setting)
|
Authorizing access to entitlement profile
By default, permission to view the entitlement profile is given to Active Roles Admin, the administrative account or group specified during Active Roles installation. Other users or groups can also be permitted to view the entitlement profile. A dedicated Access Template is provided for this purpose so that you can allow the use of the Entitlement Profile command by designated users or user groups.
To permit particular users or groups to view the entitlement profile of the users held in a certain container, such as an organizational unit or a Managed Unit, apply the Access Template as follows.
To authorize access to the entitlement profile
- In the Active Roles console, right-click the container and click Delegate Control to display the Active Roles Security window.
- In the Active Roles Security window, click Add to start the Delegation of Control wizard.
- In the wizard, click Next.
- On the Users or Groups page, click Add, and then select the desired users or groups.
- Click Next.
- On the Access Templates page, expand the Active Directory | Advanced folder, and then select the check box next to Users - View Entitlement Profile (Extended Right).
- Click Next and follow the instructions in the wizard, accepting the default settings.
After you complete these steps, the users and groups you selected in Step 4 are authorized to view the entitlement profile of the users held in the container you selected in Step 1, as well as in any sub-container of that container.
Recycle Bin
