This scenario shows how to use an Access Template that allows users to modify certain portions of their personal information in Active Directory.
The Active Roles Web Interface provides the Site for Self-Administration to manage user accounts. The site displays users their personal information, such as the first and last names, address information, phone numbers, and other data. By default, Web Interface users are only authorized to view their personal information. To enable the users to also modify their personal information, you must give them additional permissions.
Suppose you need to authorize the users in the Sales organizational unit to perform self-administration. To implement this scenario, you should perform the following steps:
As a result of these steps, users from the Sales organizational unit are authorized to perform self-management tasks on their personal accounts. The Self-Administration Access Template determines what data the users are permitted to modify. Users can manage their personal information via the Site for Self-Administration. For information about the Site for Self-Administration, refer to the Active Roles Web Interface User Guide.
The following sections elaborate on the steps involved in this scenario.
For the purposes of this scenario, you can use the predefined Access Template Self - Account Management, located in the folder Configuration/Access Templates/User Self-management. This Access Template specifies the necessary permissions to view a basic set of user properties and modify telephone numbers.
If you want to add or remove permissions from the Self - Account Management Access Template, you need to first create a copy of that Access Template and then modify and apply the copy.
This scenario assumes that you apply the predefined Access Template Self - Account Management.
You can apply the Access Template using the Delegation of Control wizard.
First, you start the wizard on the Sales organizational unit: right-click the organizational unit, click Delegate Control, and then, in the Active Roles Security window, click the Add button.
Next, on the Users or Groups page of the wizard, click the Add button. In the Select Objects window, select the Self object, as shown in the following figure, click Add, and then click OK.
Figure 23: Access Template - Self administration
Next, on the Access Templates page of the wizard, expand Access Templates | User Self-management and select the check box next to Self - Account Management.
Click Next and accept the default settings in the wizard. On the completion page, click Finish. Finally, click OK to close the Active Roles Security window.
For more information about the Delegation of Control wizard, see Applying Access Templates earlier in this chapter.
Active Roles utilizes role-based delegation for assigning of administrative permissions. The benefits of this model are that a role can be created once and delegated to multiple groups of users that fit that role. If a change is needed, an update to the role will take effect for everyone. These roles are referred to as “Access Templates.”
When doing delegation with Active Roles, you should remember a few rules:
There are three basic types of permissions that can be added to an Access Template:
The following sections give a sample set of the permissions necessary for certain delegation scenarios: