Permissions in this category provide for administrative operations on object properties for objects of the classes that you selected in the previous step of the Add Permission Entries wizard.
When you select Object property access, you specify access to object properties. You can select Read properties and Write properties, as shown in the following figure.
After you click Next, the wizard displays a page where you can select the properties to which you want the permission to allow (or deny) access. The page is similar to the following figure.
On that page, you can select one of the following options:
|
NOTE: By default, all object properties are not displayed in the list. To display all object properties, select the Show all possible properties check box. |
After you have selected the properties you want, click Finish to complete the Add Permission Entries wizard. The permission is added to the Access Template.
Permissions in this category provide for creation and deletion of child objects in container objects of the classes you selected in the previous step of the Add Permission Entries wizard.
When you select Creation/Deletion of child objects, you specify the creation, deletion, and move operations you want the permission to allow (or deny). The list of operations looks as shown in the following figure.
You can select the following operations:
After you click Next, the wizard displays the page where you can select the types of objects on which you want the permission to allow (or deny) the operations you selected in the previous step. The page is similar to the following figure.
On that page, you select the types of objects for which you want the permission to allow (or deny) the creation, deletion, or move operation. You can select one of these options:
|
NOTE: By default, all object classes are not displayed in the list. To display all object classes, select the Show all possible classes check box. |
After you have selected the object classes, click Finish to complete the Add Permission Entries wizard. The permission is added to the Access Template.
To create an Access Template
You can create a new folder as follows: Right-click Access Templates and select New | Access Template Container. Similarly, you can create a sub-folder in a folder: Right-click the folder and select New | Access Template Container.
The instructions on how to add, modify, or delete permission entries are given later in this topic.
To add a permission entry to an Access Template
To view or modify a permission entry in an Access Template
To delete a permission entry from an Access Template
Active Roles allows Access Templates to be applied to any objects—administrative views (Managed Units), directory folders (containers), or individual (leaf) objects.
When applying an Access Template to an object, you designate a Trustee (user or group) and assign permissions to the Trustee for that object. As a result, the Trustee gets access to the object according to permissions defined in the Access Template.
For example, two assistants of a directory administrator might be delegated full control of different domains; Help Desk might be assigned the administrative role to reset passwords.
|
NOTE: When you apply Access Templates to a folder, you can configure the permission settings to propagate from the folder to its child objects, down the directory structure. |
To apply an Access Template, you need to start and complete the Delegation of Control wizard.
You can start the Delegation of Control wizard from any of the following points:
When started in this way, the wizard allows you to select directory objects where to apply the Access Template and Trustees for those objects.
When started in this way, the wizard allows you to select Trustees for the object and Access Templates to define the Trustees’ rights to the object.
When started in this way, the wizard allows you to select objects for which you want to designate the Trustee and Access Templates to define the Trustees’ rights to those objects.
You can also start the Delegation of Control wizard from the advanced details pane (ensure that Advanced Details Pane is checked on the View menu):
When started in this way, the wizard allows you to select directory objects where to apply the Access Template and Trustees for those objects.
When started in this way, the wizard allows you to select Trustees for the object and Access Templates to define the Trustees’ rights to the object.
The rest of this section provides instructions on how to complete the Delegation of Control wizard, assuming that you start the wizard from the object of which control you want to delegate (securable object). For instructions on how to complete the wizard in the other cases, see Steps for applying an Access Template later in this chapter.
If you start Delegation of Control wizard from a securable object, clicking Next on the Welcome page displays the Users or Groups page, shown in the following figure.
Figure 16: Delegation of control - Users or Groups
On the Users or Groups page, click Add to display the Select Objects dialog box where you can select groups or users to be designated as Trustees. Type or select the names of the users or groups you want to add to the list, and then click OK.
After you have completed the list on the Users or Groups page, click Next. This displays the Access Templates page, shown in the following figure.
Figure 17: Delegation of control - Access Templates
On the Access Templates page, expand containers that hold Access Templates, and select check boxes next to the names of the Access Templates you want to apply.
When you are done with selecting Access Templates, click Next. This displays the Inheritance Options page, shown in the following figure.
Figure 18: Delegation of Control - Inheritace Options
On the Inheritance Options page, you can select the following options to control inheritance of permissions:
By default, the first two options are selected.
Click Next. This displays the Permissions Propagation page where you can select the Propagate permissions to Active Directory check box. If you do so, the permission settings you are configuring are synchronized to Active Directory. As a result, the Trustees may also exercise their rights outside the Active Roles environment, thus incurring a potential risk of bypassing policies configured and enforced with Active Roles. Therefore, you should use this option carefully.
By default, the Propagate permissions to Active Directory check box is cleared. If you choose to select it, you can change this setting at any time by using the Sync to AD button in the Active Roles Security window or Sync to AD command in the advanced details pane (see Synchronizing permissions to Active Directory later in this chapter).
Click Next, and then click Finish to complete the wizard.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy