Introduction
About Active Roles
Technical overview
Getting Started
Presentation components
Active Roles console (MMC Interface)
Web Interface
Custom Interfaces
Active Roles ADSI Provider
Reporting
Service components
Network data sources
Security and administration elements
Access Templates for role-based administration
Policy Objects to enforce corporate rules
Managed Units to provide administrative views
Active Directory security management
Customization using ADSI Provider and script policies
Dynamic groups
Workflows
Operation in multi-forest environments
Starting the Active Roles console
User Interface overview
View mode
Using Managed Units
Setting up filter
Finding objects
Rule-based Administrative Views
Steps for searching for a user, contact, or group
Steps for searching for a computer
Steps for searching for an Organizational Unit
Steps for using advanced search options
Steps for building a custom search
LDAP syntax
Getting policy-related information
About Managed Units
Administering Managed Units
Role-based Administration
Creating a Managed Unit
Scenario: Implementing role-based administration across multiple OUs
Steps for creating a Managed Unit
Steps for modifying Managed Unit properties
Steps for modifying permission settings on a Managed Unit
Steps for modifying policy settings on a Managed Unit
Displaying members of a Managed Unit
Adding or removing members from a Managed Unit
Steps for adding membership rules to a Managed Unit
Steps for removing membership rules from a Managed Unit
Steps for including a member to a Managed Unit
Steps for excluding a member from a Managed Unit
Steps for adding group members to a Managed Unit
Steps for removing group members from a Managed Unit
Copying a Managed Unit
Exporting and importing a Managed Unit
Renaming a Managed Unit
Deleting a Managed Unit
Step 1: Creating the Managed Unit
Step 2: Adding users to the Managed Unit
Step 3: Preparing the Access Template
Step 4: Applying the Access Template
Deployment considerations
Access Templates as administrative roles
Access Template management tasks
Rule-based AutoProvisioning and Deprovisioning
Using predefined Access Templates
Creating an Access Template
Examples of use
Add Permission Entries wizard
Full Control access
Object access
Object property access
Creation/Deletion of child objects permission
Steps for creating an Access Template
Applying Access Templates
Managing Access Template links
Synchronizing permissions to Active Directory
Steps for synchronizing permissions to Active Directory
Managing Active Directory permission entries
Adding, modifying, or removing permissions
Steps for adding permissions to an Access Template
Steps for modifying permissions in an Access Template
Steps for removing permissions from an Access Template
Nesting Access Templates
Copying an Access Template
Exporting and importing Access Templates
Renaming an Access Template
Deleting an Access Template
Scenario 1: Implementing a Help Desk
Deployment considerations
Step 1: Preparing a Help Desk Access Template
Step 2: Creating a Help Desk group
Step 3: Applying the Help Desk Access Template
Scenario 2: Implementing Self-administration
Delegation of Organizational Unit administration
Delegation of group administration
Delegation in a functional vs. hosted environment
Windows claims-based Access Rules
Understanding Access Rules
Managing Windows claims
Enabling claim support
Claim Type management overview
Managing and applying Access Rules
Deploying an Access Rule (demonstration steps)
Source attribute setting
Claim type identifier setting
Display name setting
Description setting
User or computer claim issuance setting
Protection from accidental deletion
Suggested values setting
Steps for managing Claim Types
Populating claim source attributes
About Policy Objects
Policy Object management tasks
Workflows
Creating a Policy Object
Adding, modifying, or removing policies
Policy configuration tasks
Steps for adding policies to a Policy Object
Steps for modifying policies in a Policy Object
Steps for removing policies from a Policy Object
Applying Policy Objects
Adding Managed Units or containers to policy scope
Adding Policy Objects to policy list for directory object
Steps for applying a Policy Object
Managing policy scope
Copying a Policy Object
Renaming a Policy Object
Exporting and importing Policy Objects
Deleting a Policy Object
Property Generation and Validation
Deployment considerations
Checking for policy compliance
Deprovisioning users or groups
How this policy works
How to configure a Property Generation and Validation policy
User Logon Name Generation
Entry type: Text
Entry type: <Object> Property
Entry type: Parent OU Property
Entry type: Parent Domain Property
Entry type: Mask
Steps for configuring a Property Generation and Validation policy
Steps for configuring entries
Scenario 1: Using mask to control phone number format
Scenario 2: Using regular expressions to control phone number format
How this policy works
How to configure a User Logon Name Generation policy
Steps for configuring a User Logon Name Generation policy
Scenario 1: Using uniqueness number
Scenario 2: Using multiple rules
Group Membership AutoProvisioning
How this policy works
How to configure a Group Membership AutoProvisioning policy
Steps for configuring a Group Membership AutoProvisioning policy
Scenario: Adding users to a specified group
E-mail Alias Generation
How this policy works
How to configure an E-mail Alias Generation policy
Steps for configuring an E-mail Alias Generation policy
Scenario: Generating e-mail alias based on user names
Exchange Mailbox AutoProvisioning
How this policy works
How to configure an Exchange Mailbox AutoProvisioning policy
Steps for configuring an Exchange Mailbox AutoProvisioning policy
Scenario: Mailbox store load balancing
Default creation options for Exchange mailbox
Home Folder AutoProvisioning
How this policy works
Script Execution
Creating home folders and shares when creating user accounts
Renaming home folders when renaming user accounts
Option to prevent operation on file server
How to configure a Home Folder AutoProvisioning policy
Connect <Drive Letter> To <Network Path>
Enforce this home folder setting in Active Directory
Apply this home folder setting when user account is created
Apply this home folder setting when user account is renamed
Create or rename home folder on file server as needed
Copy user permissions on home folder from parent folder
Set user as home folder owner
Set user permissions on home folder
Steps for configuring a Home Folder AutoProvisioning policy
Using the built-in policy for home folder provisioning
Configuring the Home Folder Location Restriction policy
Scenario: Creating and assigning home folders
How this policy works
How to configure Script Execution policy
Steps for configuring a Script Execution policy
Scenario: Restricting group scope
User Account Deprovisioning
How this policy works
How to configure a User Account Deprovisioning policy
Group Membership Removal
Configuring a property update rule
Entry type: Date and Time
Entry type: Initiator ID
Configuring a custom rule to build the Initiator ID
Steps for configuring a User Account Deprovisioning policy
Scenario 1: Disabling and renaming the user account upon deprovisioning
Scenario 2: Managed Unit for deprovisioned user accounts
How this policy works
How to configure a Group Membership Removal policy
Steps for configuring a Group Membership Removal policy
Scenario: Removing deprovisioned users from all groups
Exchange Mailbox Deprovisioning
How this policy works
How to configure an Exchange Mailbox Deprovisioning policy
Steps for configuring an Exchange Mailbox Deprovisioning policy
Scenario: Hide mailbox and forward e-mail to manager
Home Folder Deprovisioning
How this policy works
How to configure a Home Folder Deprovisioning policy
Steps for configuring a Home Folder Deprovisioning policy
Scenario: Removing access to home folder
User Account Relocation
How this policy works
How to configure a User Account Relocation policy
Steps for configuring a User Account Relocation policy
Scenario: Organizational Unit for deprovisioned user accounts
User Account Permanent Deletion
How this policy works
How to configure a User Account Permanent Deletion policy
Steps for configuring a User Account Permanent Deletion policy
Scenario: Deleting deprovisioned user accounts
Group Object Deprovisioning
How this policy works
How to configure a Group Object Deprovisioning policy
Steps for configuring a Group Object Deprovisioning policy
Scenario 1: Disabling and renaming the group upon deprovisioning
Scenario 2: Managed Unit for deprovisioned groups
Group Object Relocation
How this policy works
How to configure a Group Object Relocation policy
Steps for configuring a Group Object Relocation policy
Scenario: Organizational Unit for deprovisioned groups
Group Object Permanent Deletion
How this policy works
How to configure a Group Object Permanent Deletion policy
Steps for configuring a Group Object Permanent Deletion policy
Scenario: Deleting deprovisioned groups
Notification Distribution
How this policy works
How to configure a Notification Distribution policy
Configuring e-mail settings
Steps for configuring a Notification Distribution policy
Scenario: Sending deprovisioning notification
Report Distribution
Default deprovisioning options
Delegating the Deprovision task
Using the Deprovision command
Report on deprovisioning results
Restoring deprovisioned users or groups
Report contents
Report section: User Account Deprovisioning
Report section: Group Membership Removal
Report section: Exchange Mailbox Deprovisioning
Report section: Home Folder Deprovisioning
Report section: User Account Relocation
Report section: User Account Permanent Deletion
Report section: Group Object Deprovisioning
Report section: Group Object Relocation
Report section: Group Object Permanent Deletion
Report section: Notification Distribution
Report section: Report Distribution
Policy options to undo user deprovisioning
Delegating the task to undo deprovisioning
Using the Undo Deprovisioning command
Report on results of undo deprovisioning
Container Deletion Prevention policy
Picture management rules
Policy extensions
Report contents
Report section: Undo User Account Deprovisioning
Report section: Undo Group Membership Removal
Report section: Undo Exchange Mailbox Deprovisioning
Report section: Undo Home Folder Deprovisioning
Report section: Undo User Account Relocation
Report section: Undo User Account Permanent Deletion
Report section: Undo Group Object Deprovisioning
Report section: Undo Group Object Relocation
Report section: Undo Group Object Permanent Deletion
Understanding workflow
Temporal Group Memberships
Group Family
Key features and definitions
Workflow activities overview
Workflow
Workflow definition
Workflow start conditions
Workflow instance
Workflow activity
Workflow Designer
Workflow engine
E-mail Notifications
About workflow processes
Workflow processing overview
Approval activity
Notification activity
Script activity
If-Else activity
Stop/Break activity
Add Report Section activity
Search activity
Configuring a workflow
Search scenario
Object type
Search scope
Search options
Search for inactive accounts
Search filter
Notification
Error handling
“Run as” options
Additional settings
Stop Search activity
CRUD activities
“Create” activity
“Update” activity
“Add to group” activity
“Remove from group” activity
“Move” activity
“Deprovision” activity
“Undo deprovision” activity
“Delete” activity
Activity target
Notification
Error handling
“Run as” options
Additional settings
Save Object Properties activity
Modify Requested Changes activity
Creating a workflow definition
Configuring workflow start conditions
Configuring workflow parameters
Adding activities to a workflow
Configuring an Approval activity
Example: Approval workflow
Configure approvers
Configure escalation
Configure request for additional information
Configure request for review
Customize the header of the approval task page
Customize approval action buttons
Configuring a Notification activity
Configuring a Script activity
Configuring an If-Else activity
Configuring a Stop/Break activity
Configuring an Add Report Section activity
Configuring a Search activity
Configure scope and filter
Configure notification
Configure error handling
Configure “run as” options
Configure additional settings
Configuring CRUD activities
“Create” activity
“Update” activity
“Add to group” activity
“Remove from group” activity
“Move” activity
“Deprovision” activity
“Undo deprovision” activity
“Delete” activity
Configuring notification
Configuring error handling
Configuring “run-as” options
Configuring additional settings
Configuring a Save Object Properties activity
Configuring a Modify Requested Changes activity
Enabling or disabling an activity
Enabling or disabling a workflow
Using the initialization script
Definition of terms
E-mail based approval
Approval
Approval rule (Approval activity)
Approval task
Approver
Initiator (requestor)
Notification
Operation
Operation target object
How it works
Creating and configuring an approval workflow
Integration with Microsoft Outlook
Integration with non-Outlook e-mail clients
E-mail transport via Exchange Web Services
Automation workflow
Automation workflow options and start conditions
Activity extensions
Run the workflow on a schedule
Allow the workflow to be run on demand
“Run as” options
Additional settings
Parameters
Initialization script
Using automation workflow
Creating an automation workflow definition
Configuring start conditions for an automation workflow
Adding activities to an automation workflow
Running an automation workflow on demand
Viewing run history of an automation workflow
Terminating a running automation workflow
Disabling an automation workflow from running
Re-enabling an automation workflow to run
Delegating automation workflow tasks
Understanding Group Family
Creating a Group Family
Dynamic Groups
Start the New Group Family wizard
Name the Group Family
Grouping Options
Location of managed objects
Selection of managed objects
Group-by properties
Capture existing groups manually
Group naming rule
Group type and scope
Location of groups
Exchange-related settings
Group Family scheduling
Steps for creating a Group Family
Administering Group Family
Controlled groups
General tab
Controlled Groups tab
Groupings tab
Schedule tab
Action Summary tab
Steps for administering a Group Family
Scenario: Departmental Group Family
Understanding dynamic groups
Dynamic groups policy options
Managing dynamic groups
Active Roles Reporting
Converting a basic group to a dynamic group
Displaying the members of a dynamic group
Adding a membership rule to a dynamic group
Removing a membership rule from a dynamic group
Converting a dynamic group to a basic group
Modifying, renaming, or deleting a dynamic group
Scenario: Automatically moving users between groups
Introduction
Collector to prepare data for reports
Management History
Starting the Active Roles Collector wizard
Collecting data from the network
Processing gathered events
Importing events from an earlier database version
Deploying reports to the Report Server
Working with reports
Configuring the data source
Generating and viewing a report
Contents of the Active Roles Report Pack
Active Directory Assessment/Domains
Active Directory Assessment/Users/Account Information
Active Directory Assessment/Users/Exchange
Active Directory Assessment/Users/Obsolete Accounts
Active Directory Assessment/Users/Miscellaneous Information
Active Directory Assessment/Groups
Active Directory Assessment/Group Membership
Active Directory Assessment/Organizational Units
Active Directory Assessment/Other Directory Objects
Active Directory Assessment/Potential Issues
Active Roles Tracking Log/Active Directory Management
Active Roles Tracking Log/Dashboard
Active Roles Events
Active Roles Configuration Changes
Active Roles Workflow
Administrative Roles
Managed Units
Policy Objects
Policy Compliance
Understanding Management History
Management History configuration
Entitlement Profile
Change-tracking policy
Change Tracking log configuration
Replication of Management History data
Viewing change history
Replication is not yet configured
Replication is already configured
Re-configuring replication of Management History data
Centralized Management History storage
Workflow activity report sections
Examining user activity
“Approval” activity
“Script” activity
“Stop/Break” activity
“Add Report Section” activity
“Create” activity
“Update” activity
“Add to group” activity
“Remove from group” activity
“Move” activity
“Deprovision” activity
“Undo deprovision” activity
“Delete” activity
Policy report items
Report section: Executing the 'User Logon Name Generation' policy
Report section: Executing the 'E-mail Alias Generation' policy
Report section: Executing the 'Exchange Mailbox AutoProvisioning' policy
Report section: Executing the 'Group Membership AutoProvisioning' policy
Report section: Executing the 'Home Folder AutoProvisioning' policy
Report section: Executing the 'Property Generation and Validation' policy
Report section: Executing policy script 'name'
Active Roles internal policy report items
Report section: Creating user mailbox
Report section: Creating linked mailbox
Report section: Creating equipment mailbox
Report section: Creating room mailbox
Report section: Creating shared mailbox
Report section: Moving mailbox
Report section: Deleting mailbox
Report section: Removing Exchange attributes
Report section: Enabling mailbox for Unified Messaging
Report section: Disabling Unified Messaging for mailbox
Report section: Resetting Unified Messaging PIN
Report section: Establishing e-mail address for group
Report section: Creating query-based distribution group
Report section: Establishing e-mail address for user
Report section: Establishing e-mail address for contact
Report section: Deleting e-mail address for group
Report section: Deleting e-mail address for user
Report section: Deleting e-mail address for contact
Report section: Converting user mailbox to linked mailbox
Report section: Converting linked mailbox to user mailbox
Understanding entitlement profile
Entitlement profile configuration
Recycle Bin
Creating entitlement profile specifiers
Changing entitlement profile specifiers
Pre-defined specifiers
Viewing entitlement profile
Understanding Recycle Bin
Finding and listing deleted objects
Restoring a deleted object
Delegating operations on deleted objects
Applying policy or workflow rules
AD LDS Data Management
Registering an AD LDS instance
Managing AD LDS objects
Managing Configuration of Active Roles
Adding an AD LDS user to the directory
Adding an AD LDS group to the directory
Adding or removing members from an AD LDS group
Disabling or enabling an AD LDS user account
Setting or modifying the password of an AD LDS user
Adding an organizational unit to the directory
Adding an AD LDS proxy object (user proxy)
Configuring Active Roles for AD LDS
Connecting to the Administration Service
Adding and removing managed domains
Using unmanaged domains
Evaluating product usage
Using regular expressions
Administrative Template
Viewing product usage statistics
Scheduled task to count managed objects
Managed scope to control product usage
Voluntary thresholds for the managed object count
Installation label
Configuring replication
Understanding the replication model
Configuring SQL Server
Creating a replication group
Adding members to a replication group
Removing members from a replication group
Monitoring replication
Using AlwaysOn Availability Groups
Using database mirroring
Creating and using virtual attributes
Examining client sessions
Monitoring performance
Customizing the console
“Other Properties” page in object creation wizard
“Other Properties” tab in the Properties dialog box
Customizing object display names
Using Configuration Center
Configuration Center design elements
Configuring a local or remote Active Roles instance
Running Configuration Center
Tasks you can perform in Configuration Center
Changing the Active Roles Admin account
Enabling or disabling diagnostic logs
Active Roles Log Viewer
Initial configuration tasks
Administration Service management tasks
View the core Administration Service settings
Change the core Administration Service settings
Import configuration data
Import management history data
View the state of the Administration Service
Start, stop or restart the Administration Service
Web Interface management tasks
Identify Web Interface sites
Create a Web Interface site
Modify a Web Interface site
Delete a Web Interface site
Export a Web Interface site’s configuration object to a file
Logging management tasks
Active Roles snap-in settings
Administration Service auto-connect settings
Communication ports
'Allowed Servers for Auto-connect' setting
'Disallowed Servers for Auto-connect' setting
'Additional Servers for Auto-connect' setting
Loading the Administrative Template
Access to the managed environment
Access to DNS servers
Access to domain controllers
Access to Exchange servers
Computer resource management
Computer restart
Home folder provisioning and deprovisioning
Access to SMTP server for e-mail integration
Access to AD LDS instances
Access to SMTP server for e-mail integration
Access to Active Roles Administration Service
Access to Web Interface
Object property access
Role-based Administration > Access Template management tasks > Creating an Access Template > Object property access
Permissions in this category provide for administrative operations on object properties for objects of the classes that you selected in the previous step of the Add Permission Entries wizard.
When you select Object property access, you specify access to object properties. You can select Read properties and Write properties, as shown in the following figure.
After you click Next, the wizard displays a page where you can select the properties to which you want the permission to allow (or deny) access. The page is similar to the following figure.
On that page, you can select one of the following options:
- All properties With this option, the permission controls access to all properties.
- The following properties With this option, the permission controls access to the properties you select from the list by selecting the appropriate check boxes.
|
|
NOTE: By default, all object properties are not displayed in the list. To display all object properties, select the Show all possible properties check box. |
After you have selected the properties you want, click Finish to complete the Add Permission Entries wizard. The permission is added to the Access Template.
Creation/Deletion of child objects permission
Role-based Administration > Access Template management tasks > Creating an Access Template > Creation/Deletion of child objects permission
Permissions in this category provide for creation and deletion of child objects in container objects of the classes you selected in the previous step of the Add Permission Entries wizard.
When you select Creation/Deletion of child objects, you specify the creation, deletion, and move operations you want the permission to allow (or deny). The list of operations looks as shown in the following figure.
You can select the following operations:
- Create child objects Controls the creation of child objects of the classes you select in the next step.
- Delete child objects Controls the deletion of child objects of the classes you select in the next step.
- Move objects into this container Controls the relocation of object of the classes you select in the next step. This operation assumes moving objects from one container to another without permission to delete existing objects or create new objects.
After you click Next, the wizard displays the page where you can select the types of objects on which you want the permission to allow (or deny) the operations you selected in the previous step. The page is similar to the following figure.
On that page, you select the types of objects for which you want the permission to allow (or deny) the creation, deletion, or move operation. You can select one of these options:
- Child objects of any class With this option, the permission controls the operations on objects of any type.
- Child objects of the following classes With this option, the permission controls the operations on objects of the type you select from the list by selecting the appropriate check boxes.
|
|
NOTE: By default, all object classes are not displayed in the list. To display all object classes, select the Show all possible classes check box. |
After you have selected the object classes, click Finish to complete the Add Permission Entries wizard. The permission is added to the Access Template.
Steps for creating an Access Template
Role-based Administration > Access Template management tasks > Creating an Access Template > Steps for creating an Access Template
To create an Access Template
- In the console tree, under Configuration | Access Templates, locate and select the folder in which you want to add the Access Template.
You can create a new folder as follows: Right-click Access Templates and select New | Access Template Container. Similarly, you can create a sub-folder in a folder: Right-click the folder and select New | Access Template Container.
- Right-click the folder, and select New | Access Template to start the New Object - Access Template wizard.
- On the first page of the wizard, do the following, and then click Next:
- In the Name box, type a name for the Access Template.
- In the Description box, type any optional information about the Access Template.
- On the second page of the wizard, configure the list of permission entries, and then click Next.
The instructions on how to add, modify, or delete permission entries are given later in this topic.
- Click Finish to create the Access Template that includes the permission entries you have specified.
To add a permission entry to an Access Template
- On the page that displays a list of permission entries included in the Access Template, click Add to start the Add Permission Entries wizard.
- On the first page of the wizard, select one of these options:
- All object classes The rights defined by this permission entry apply to objects of any class.
- Only the following classes The rights defined by this permission entry apply to objects of specific classes. Select object classes from the list. If the list does not include the object class you want, select Show all possible classes.
- Click Next.
- On the second page of the wizard, select one of these options:
- Full control access The rights to create or delete child objects, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with any extended right. This option does not have any configuration parameters.
- Object access The rights to exercise certain generic permissions and extended rights on the objects. Select permissions and extended rights from the list to configure this option as appropriate.
- Object property access The rights to read or write certain properties of the object. Select check boxes to configure this option as appropriate: Read properties, Write properties. On the next page of the wizard, you can select the properties you want to be controlled by this permission entry.
- Creation/Deletion of child objects The rights to create or delete child objects of the object. Select check boxes to configure this option as appropriate: Create child objects, Delete child objects, Move objects into this container. On the next page of the wizard, you can specify the class or classes of child object you want to be controlled by this permission entry.
- If you want the Access Template to deny the rights defined by this permission entry, select the Deny permission check box. Otherwise, leave the check box cleared.
- Do the following, depending on the option you selected and configured in Step 4:
- Full control access or Object access Click Finish to add the permission entry to the Access Template.
- Object property access or Creation/Deletion of child objects Click Next to continue configuring the option.
- On the third page of the wizard, continue configuring the option you selected in Step 4, and then click Finish to add the permission entry to the Access Template:
- If you selected Object property access, select the properties to be controlled by this permission entry. You have two options: All properties and The following properties. With the second option, you must select properties from the list. If the list does not include the property you want, select Show all possible properties.
- If you selected Creation/Deletion of child objects, specify the class or classes of child object to be controlled by this permission entry. You have two options: Child objects of any class and Child objects of the following classes. With the second option, you must select one or more object classes from the list. If the list does not include the object class you want, select Show all possible classes.
To view or modify a permission entry in an Access Template
- On the page that displays a list of permission entries included in the Access Template, select the permission entry you want to view or modify, and click View/Edit to display the Modify Permission Entry dialog box.
- Examine the Apply Onto tab in the Modify Permission Entry dialog box. On this tab, you can view or modify the same settings as on the first page of the Add Permission Entries wizard (see Step 2 in the procedure above).
- Examine the Permissions tab in the Modify Permission Entry dialog box. This tab provides the same options as the second page of the Add Permission Entries wizard (see Step 4 in the procedure above). The options are read-only, so you cannot change the option that was selected upon creation of the permission entry. However, you can manage the configuration of the option:
- Object access Select generic permissions or extended rights you want to add to the Access Template.
- Object property access Select or clear these check boxes: Read properties, Write properties.
- Creation/Deletion of child objects Select or clear these check boxes: Create child objects, Delete child objects, Move objects into this container.
- If you want the Access Template to deny the rights defined by this permission entry, select the Deny permission check box on the Permissions tab. Otherwise, leave the check box cleared.
- If Object property access is selected on the Permissions tab, use the Object Properties tab in the Modify Permission Entry dialog box to view or modify the settings that determine which properties are controlled by this permission entry (see Step 7 in the procedure above).
- If Creation/Deletion of child objects is selected on the Permissions tab, use the Object Classes tab in the Modify Permission Entry dialog box to view or modify the settings that determine which classes of child object are controlled by this permission entry.
To delete a permission entry from an Access Template
- On the page that displays a list of permission entries included in the Access Template, select the permission entry you want to delete, and click Remove.
- Click Yes to confirm the deletion.
Applying Access Templates
Active Roles allows Access Templates to be applied to any objects—administrative views (Managed Units), directory folders (containers), or individual (leaf) objects.
When applying an Access Template to an object, you designate a Trustee (user or group) and assign permissions to the Trustee for that object. As a result, the Trustee gets access to the object according to permissions defined in the Access Template.
For example, two assistants of a directory administrator might be delegated full control of different domains; Help Desk might be assigned the administrative role to reset passwords.
|
|
NOTE: When you apply Access Templates to a folder, you can configure the permission settings to propagate from the folder to its child objects, down the directory structure. |
To apply an Access Template, you need to start and complete the Delegation of Control wizard.
You can start the Delegation of Control wizard from any of the following points:
- Access Template Right-click the Access Template, click Links, and then click the Add button. Access Templates are located in the Configuration/Access Templates container.
When started in this way, the wizard allows you to select directory objects where to apply the Access Template and Trustees for those objects.
- Securable object Depending on whether the object is a container or leaf object, do one of the following:
- For a container or a Managed Unit, right-click it, click Delegate Control, and then click the Add button.
- For a leaf object, display the Properties dialog box, go to the Administration tab, click the Security button, and then click the Add button.
When started in this way, the wizard allows you to select Trustees for the object and Access Templates to define the Trustees’ rights to the object.
- Security principal (Trustee) Right-click the group or user you want to designate as a Trustee, click Delegated Rights, and then click the Add button.
When started in this way, the wizard allows you to select objects for which you want to designate the Trustee and Access Templates to define the Trustees’ rights to those objects.
You can also start the Delegation of Control wizard from the advanced details pane (ensure that Advanced Details Pane is checked on the View menu):
- Select an Access Template, right-click a blank area on the Links tab, and then click Add.
When started in this way, the wizard allows you to select directory objects where to apply the Access Template and Trustees for those objects.
- Select a directory object (securable object), right-click a blank area on the Active Roles Security tab, and then click Add.
When started in this way, the wizard allows you to select Trustees for the object and Access Templates to define the Trustees’ rights to the object.
The rest of this section provides instructions on how to complete the Delegation of Control wizard, assuming that you start the wizard from the object of which control you want to delegate (securable object). For instructions on how to complete the wizard in the other cases, see Steps for applying an Access Template later in this chapter.
If you start Delegation of Control wizard from a securable object, clicking Next on the Welcome page displays the Users or Groups page, shown in the following figure.
Figure 16: Delegation of control - Users or Groups
On the Users or Groups page, click Add to display the Select Objects dialog box where you can select groups or users to be designated as Trustees. Type or select the names of the users or groups you want to add to the list, and then click OK.
After you have completed the list on the Users or Groups page, click Next. This displays the Access Templates page, shown in the following figure.
Figure 17: Delegation of control - Access Templates
On the Access Templates page, expand containers that hold Access Templates, and select check boxes next to the names of the Access Templates you want to apply.
When you are done with selecting Access Templates, click Next. This displays the Inheritance Options page, shown in the following figure.
Figure 18: Delegation of Control - Inheritace Options
On the Inheritance Options page, you can select the following options to control inheritance of permissions:
- This directory object Ensures that the Trustees have administrative rights to the securable object itself.
- Child objects of this directory object Ensures that the Trustees have administrative rights to the child objects of securable object, down the directory structure.
- Immediate child objects only Limits the Trustees’ rights to only immediate child objects of the securable object.
By default, the first two options are selected.
Click Next. This displays the Permissions Propagation page where you can select the Propagate permissions to Active Directory check box. If you do so, the permission settings you are configuring are synchronized to Active Directory. As a result, the Trustees may also exercise their rights outside the Active Roles environment, thus incurring a potential risk of bypassing policies configured and enforced with Active Roles. Therefore, you should use this option carefully.
By default, the Propagate permissions to Active Directory check box is cleared. If you choose to select it, you can change this setting at any time by using the Sync to AD button in the Active Roles Security window or Sync to AD command in the advanced details pane (see Synchronizing permissions to Active Directory later in this chapter).
Click Next, and then click Finish to complete the wizard.