Active Roles 7.2.1 - Access Templates Available out of the Box

Introduction

Active Roles comes with an extensive suite of predefined Access Templates that facilitate the delegation of various administrative tasks. The key goal for Access Templates is to simplify the management of administration related permissions. Active Roles does this by abstracting the low-level permissions on directory objects and managing them as a single unit—Access Template—based on the task that an administrator wants to delegate.

The predefined Access Templates are installed with Active Roles out of the box. These templates allow the Active Roles administrator to delegate the correct level of administrative authority quickly and consistently.

This document provides a comprehensive list of Access Templates that install with Active Roles out of the box.

Access Templates

The predefined Access Templates are grouped by category into the following containers:

• Active Directory  Templates to delegate Active Directory service management and Active Directory data management tasks.
• Azure  Templates to delegate the configuration and management of Azure objects.
• AD LDS (ADAM)  Templates to delegate data management tasks for Microsoft Active Directory Lightweight Directory Services (AD LDS) - an independent mode of Active Directory formerly known as Active Directory Application Mode (ADAM).
• Computer Resources  Templates to delegate the management of computer resources, such as printers or network shares.
• Configuration  Templates to delegate the management of Active Roles configuration objects, such as Policy Objects or Access Templates.
• Exchange  Templates to delegate the management of Exchange recipients, such as mailbox-enabled users or mail-enabled groups.
• Skype for Business Server  Templates to delegate the management of Skype for Business Server users or contacts. Require the Skype for Business Server user management policies to be applied, as described in the Skype for Business Server User Management Administrator Guide for Active Roles Active Roles.
• User Self-management  Templates to delegate self-management tasks to end-users (for instance, allowing end-users to view or change certain properties of their own accounts in the Web Interface).

These containers are located in the Configuration/Access Templates container. Some of these containers include the Advanced sub-container to hold Access Templates with very granular permission specifications.

The tables below group Access Template by category, and include the following information on each Access Template:

• Access Template  Access Template name.
• Description  Tasks that can be delegated with the Access Template.

Active Directory Service Management

You can use Access Templates in this category to delegate management tasks on the directory service. Access Templates are grouped by role for delegating service management as follows:

• Forest Configuration Operators
• Domain Configuration Operators
• Service Admin Managers
• Replication Management Admins
• Replication Monitoring Operators

Engineered by Microsoft, these role recommendations take into account well-defined sets of logically related administrative tasks and the security sensitivity and impact of these tasks (see Best Practices for Delegating Active Directory Administration at http://technet.microsoft.com/en-us/library/cc773318.aspx).

The service management-related Access Templates are located in subfolders of the folder Configuration/Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration, with each subfolder containing the Access Templates specific to a certain role.

To implement a given role, you must apply each of the role-specific Access Templates as specified in the description of the Template. For example, to implement the Forest Configuration Operators role for a certain group, you must select the group as a Trustee and then apply the Access Templates held in the Forest Configuration Operators subfolder.

Forest Configuration Operators

The following is the set of administrative tasks assigned to this role:

• Create a child domain in an existing domain tree
• Demote the last domain controller in a child domain
• Demote the last domain controller in a tree-root domain
• Raise forest functional level
• Create all types of trusts for all domains
• Delete all types of trusts for all domains
• Change the direction of a trust
• Enable/disable name suffix routing (for a given suffix) in a forest
• Reset the trust passwords shared by a trust-pair
• Force the removal of a trust
• Enable/disable SID History on an outbound forest trust
• Enable/disable SID filtering
• Enable selective authentication on an outbound forest/external trust
• Enable/disable placing of name suffix (top level names) information on a realm trust
• Add/remove top-level names from a realm trust
• Add/remove top-level name exclusions from a realm trust
• Modify the transitivity of a realm-trust
• Transfer the domain naming master role
• Seize the domain naming master role
• Manage all LDAP query policy related administrative tasks

To implement the Forest Configuration Operators role, Active Roles offers the following Access Templates, located in the Forest Configuration Operators Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.