This scenario shows how to use an Access Template that allows a Help Desk service to perform day-to-day operations on user accounts, such as resetting passwords, viewing user properties, and locking and unlocking user accounts.
The scenario also involves a group to hold Help Desk operators. The Access Template is applied so that the group is designated as a Trustee, which gives the administrative rights to the Help Desk operators. When both the Access Template and the group are prepared, you can implement Help Desk administration in your enterprise.
Suppose you need to authorize the Help Desk to manage user accounts in the Sales organizational unit. To implement this scenario, you should perform the following steps:
As a result of these steps, each member of the Help Desk group is authorized to perform management tasks on user accounts in the Sales organizational unit. The Help Desk Access Template determines the scope of the tasks.
The following sections elaborate on each of these steps.
For the purposes of this scenario, you can use the predefined Access Template Users – Help Desk, located in the folder Configuration/Access Templates/Active Directory. The Users – Help Desk Access Template specifies the necessary permissions to reset user passwords, unlock user accounts, and view properties of user accounts.
If you want to add or remove permissions from the Users – Help Desk Access Template, you need to first create a copy of that Access Template and then modify and apply the copy.
This scenario assumes that you apply the predefined Access Template Users – Help Desk.
To create a group, right-click an organizational unit in the console tree, select New | Group, and then follow the instructions in the New Object – Group wizard. The wizard includes a page where you can add members (Help Desk operators) to the group you are creating.
For step-by-step instructions on how to create groups, see “Steps for Creating a Group” in the Active Roles User Guide or Active Roles Help.
You can apply the Access Template using the Delegation of Control wizard.
First, start the wizard on the Sales organizational unit: right-click the organizational unit, click Delegate Control, and then, in the Active Roles Security window, click the Add button.
Next, on the Users or Groups page of the wizard, add the Help Desk group to the list.
Next, on the Access Templates page of the wizard, expand Access Templates | Active Directory and select the check box next to Users - Help Desk, as shown in the following figure.
Figure 22: Access Template - Delegation of control
Click Next and accept the default settings in the wizard. On the completion page, click Finish. Finally, click OK to close the Active Roles Security window.
For more information about the Delegation of Control wizard, see Applying Access Templates earlier in this chapter.
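The same delegation can be scripted and then checked, which helps when reviewing who holds password-reset rights on an organizational unit. The following is an added example, not taken from the Active Roles documentation; it assumes the Active Roles Management Shell module is installed, that the Access Template object is named as shown in the wizard step above, and that the domain, OU paths, group name and member account are placeholders.

```powershell
# Added example (not from the product documentation).
# Assumptions: Active Roles Management Shell is installed; example.com,
# the OU paths, the group name and the member account are placeholders.
Import-Module ActiveRolesManagementShell

# Connect through the Active Roles Administration Service (proxy mode),
# so the changes go through Active Roles rather than straight to AD.
Connect-QADService -Proxy | Out-Null

$salesOu   = 'OU=Sales,DC=example,DC=com'        # placeholder scope
$groupOu   = 'OU=Groups,DC=example,DC=com'       # placeholder location
$groupName = 'Help Desk'                         # placeholder group name
$template  = 'Configuration/Access Templates/Active Directory/Users - Help Desk'

# Create the Help Desk group only if it does not already exist.
$group = Get-QADGroup -SearchRoot $groupOu -Name $groupName
if (-not $group) {
    $group = New-QADGroup -ParentContainer $groupOu -Name $groupName `
        -SamAccountName 'HelpDesk' -GroupType 'Security' -GroupScope 'Global'
}

# Add a Help Desk operator (placeholder account) to the group.
Add-QADGroupMember -Identity $group.DN -Member 'EXAMPLE\jdoe' | Out-Null

# Apply the Access Template on the Sales OU with the group as Trustee,
# unless a link for this Trustee and template is already in place.
$existing = Get-QARSAccessTemplateLink -DirectoryObject $salesOu `
    -Trustee $group.DN -AccessTemplate $template
if (-not $existing) {
    Add-QARSAccessTemplateLink -DirectoryObject $salesOu `
        -Trustee $group.DN -AccessTemplate $template | Out-Null
}

# Review step: list every Access Template link on the Sales OU so that
# unexpected Trustees or broader templates stand out.
Get-QARSAccessTemplateLink -DirectoryObject $salesOu | Format-List

# Review step: list who currently inherits the delegated rights.
Get-QADGroupMember -Identity $group.DN | Select-Object Name, DN
```

Because the rights follow group membership, the last two commands are the ones to rerun during periodic access reviews.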