Deprovisioning is, by default, a right of Active Roles Admin, the administrative account specified during Active Roles installation, but the task of deprovisioning can be delegated to any group or user. A dedicated Access Template is provided for this purpose so that you can delegate the use of the Deprovision command without delegating the create or delete operation.
To delegate the Deprovision task
1. In the Active Roles console, right-click the container and click Delegate Control to display the Active Roles Security window.
2. In the Active Roles Security window, click Add to start the Delegation of Control wizard. Click Next.
3. On the Users or Groups page, click Add, and then select the users or groups to which you want to delegate the deprovision task. Click Next.
4. On the Access Templates page, expand the Active Directory folder and then do the following:
   - To delegate the task of deprovisioning users, select the check box next to Users - Perform Deprovision Tasks.
   - To delegate the task of deprovisioning groups, select the check box next to Groups - Perform Deprovision Tasks.
5. Click Next and follow the instructions in the wizard, accepting the default settings.
After you complete these steps, the users and groups you selected in Step 3 are authorized to deprovision users or groups in the container you selected in Step 1, as well as in any sub-container of that container.