Use the Active Roles console to create an Access Rule object with a conditional expression that evaluates to TRUE only if the Department claim of the authorizing user exactly matches the Department property of the target object (a user with no Department claim never matches):
To apply the Access Rule you created in Step 4, you first need to delegate control by using an Access Template, and then attach the Access Rule to the Access Template link. Create a security group to hold your delegated administrators, and perform the following steps in the Active Roles console:
You will apply the Access Rule only to the Users - Modify All Properties Access Template link. The OUs - Read All Properties Access Template link is left unrestricted by the rule so that the delegated administrators can browse the domain for user objects.
After you have completed these steps, Active Roles allows a delegated administrator to make changes to only those user accounts that have the same department setting as the delegated administrator’s account.
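The following is an added example, not code from Active Roles or its documentation: a small Python model of the delegation described in the steps above. An Access Template link grants rights on a class of objects to a security group, and the Access Rule narrows the Users - Modify All Properties link with the Department claim check. The group name `Dept-Admins`, the trustees, the objects and their department values are all constructed for the example; the rights names (`read`, `write`) are a simplification of the template permissions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional

# Constructed model (not Active Roles code) of claims-based delegation:
# an Access Template link grants rights on an object class to a security
# group, and an optional Access Rule narrows the grant with a claim check.

@dataclass(frozen=True)
class Trustee:
    name: str
    groups: FrozenSet[str]          # security groups the authorizing user belongs to
    claims: Dict[str, str]          # claims carried in the authorizing user's token

@dataclass(frozen=True)
class DirectoryObject:
    dn: str
    object_class: str               # "user" or "organizationalUnit"
    attributes: Dict[str, str]

AccessRule = Callable[[Dict[str, str], DirectoryObject], bool]

def department_matches(claims: Dict[str, str], target: DirectoryObject) -> bool:
    """Access Rule from the text: TRUE only when the Department claim equals the
    target's department property. An absent claim or property is a non-match,
    so two missing values can never be treated as 'equal'."""
    claim = claims.get("Department")
    prop = target.attributes.get("department")
    return claim is not None and prop is not None and claim == prop

@dataclass(frozen=True)
class AccessTemplateLink:
    trustee_group: str
    object_class: str
    rights: FrozenSet[str]
    access_rule: Optional[AccessRule] = None   # None: the link is unconditional

def is_allowed(trustee: Trustee, target: DirectoryObject, right: str,
               links: Iterable[AccessTemplateLink]) -> bool:
    """Grant if any applicable link gives the right and its Access Rule (if any) holds."""
    for link in links:
        if link.trustee_group not in trustee.groups:
            continue
        if link.object_class != target.object_class:
            continue
        if right not in link.rights:
            continue
        if link.access_rule is not None and not link.access_rule(trustee.claims, target):
            continue
        return True
    return False

# Constructed sample delegation: the two links from the text, bound to one group.
DELEGATION = (
    # OUs - Read All Properties: browsing is not restricted by the rule
    AccessTemplateLink("Dept-Admins", "organizationalUnit", frozenset({"read"})),
    # Users - Modify All Properties: restricted by the Department Access Rule
    AccessTemplateLink("Dept-Admins", "user", frozenset({"read", "write"}), department_matches),
)

SALES_OU = DirectoryObject("OU=Sales,DC=example,DC=com", "organizationalUnit", {})
BOB = DirectoryObject("CN=Bob,OU=Sales,DC=example,DC=com", "user", {"department": "Sales"})
CAROL = DirectoryObject("CN=Carol,OU=Finance,DC=example,DC=com", "user", {"department": "Finance"})
DAVE = DirectoryObject("CN=Dave,OU=Staff,DC=example,DC=com", "user", {})   # no department set

ALICE = Trustee("alice", frozenset({"Dept-Admins"}), {"Department": "Sales"})
EVE = Trustee("eve", frozenset({"Dept-Admins"}), {})                        # delegated, but no Department claim
MALLORY = Trustee("mallory", frozenset(), {"Department": "Sales"})         # right claim, not delegated

def run_checks() -> Dict[str, bool]:
    return {
        "alice_browses_ou": is_allowed(ALICE, SALES_OU, "read", DELEGATION),
        "alice_modifies_same_dept": is_allowed(ALICE, BOB, "write", DELEGATION),
        "alice_modifies_other_dept": is_allowed(ALICE, CAROL, "write", DELEGATION),
        "alice_modifies_no_dept": is_allowed(ALICE, DAVE, "write", DELEGATION),
        "no_claim_modifies_no_dept": is_allowed(EVE, DAVE, "write", DELEGATION),
        "non_member_modifies": is_allowed(MALLORY, BOB, "write", DELEGATION),
    }

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

Two checks in the model are worth carrying over to a real deployment: a delegated administrator whose token carries no Department claim must be denied rather than matched against users that also have no department, and membership in the delegated group alone must grant nothing without the claim. Note also that Modify All Properties includes the Department attribute of users in the administrator's own department, so confirm in your environment what happens when a delegated administrator edits that attribute on accounts that satisfy the rule, including their own; the Access Rule as described does not by itself prevent such an edit.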
Active Directory enables delegation of control with very fine granularity. However, restricting who may change what is often not sufficient on its own: it says nothing about whether the changes that are made are correct, complete, or consistent.
Many directory administration activities exhibit a predefined workflow. This workflow involves accomplishing a number of tasks in a particular sequence. Administrators and other personnel have to perform almost identical tasks repeatedly. Some examples are creating user accounts, resetting passwords, disabling inactive user accounts, and enforcing user naming conventions.
Active Roles provides a policy-based administration solution that meets the needs of modern enterprises. The administrative policy enforcement featured by Active Roles considerably reduces administrative workload, improves network security, and ensures consistency across the entire enterprise. Automating administrative workflow significantly reduces the amount of time to complete tasks and can eliminate certain tasks altogether. It also minimizes errors, reduces the need for rework, and combines related actions into a single batch.
Active Roles provides the facility to specify how, when, and what must change, whenever directory objects are created, modified, or deleted. Furthermore, it is possible to configure Active Roles to only accept data changes that conform to certain formatting requirements. This helps maintain control of the data stored in the directory.
For example, when creating a user account for a new employee, Active Roles can automatically retrieve information from a Human Resources database, use it as the default information in the user account properties, create a home folder and home share, and add the new account to the necessary groups. Moreover, it can create an Exchange mailbox and add the mailbox to the relevant distribution lists. This entire procedure equates to one task, but without Active Roles, it could be ten or more.
With the ability to enforce administrative policies and automate administrative workflow, Active Roles not only saves time, but also keeps network objects in a consistent state in relation to each defined policy. This addresses important security, usability, and integrity issues that are central to the management of network object data.
In Active Roles, administrative policies are defined by using Policy Objects—collections of policies. Policy Objects define the behavior of the system when directory objects are created, modified, or deleted.
You can create a Policy Object that includes any number of different policies, such as format validation, generation rules for the values of object attributes, scripts that supplement administrative operations, automatic creation of user mailboxes on prescribed Exchange servers, automatic creation of user home folders and home shares, and relocation of an object to a specified container when it meets certain criteria.
Active Roles provides extensive capabilities for automating administrative processes. Policy Objects can run customizable scripts before or after the execution of any specific task, and multiple tasks can be combined into one operation. This functionality significantly reduces the amount of time to complete administrative tasks, and minimizes errors.
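As an added example (not Active Roles code, and not the product's script interface), the following Python model shows how the policy types listed above combine on a single "create user" request: a pre-create script that defaults attributes from an HR record, generation rules for the account and display names, format validation that rejects non-conforming data before anything is created, a relocation policy that moves the object to a different container when it meets a criterion, and a post-create script that records the follow-up provisioning steps named earlier (home folder, mailbox, group membership). The HR records, naming convention, approved department list, container names and server names are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed model (not Active Roles code) of one Policy Object applied to a
# create-user request. Side effects are recorded as actions, not executed.

class PolicyViolation(Exception):
    """Raised when a policy rejects the request; nothing is created."""

@dataclass
class CreateRequest:
    container: str                 # OU in which the requester asked to create the user
    attributes: Dict[str, str]
    actions: List[str] = field(default_factory=list)

# Constructed stand-in for the HR database lookup described in the text.
HR_RECORDS = {
    "E1001": {"department": "Sales", "title": "Account Manager", "employeeType": "Employee"},
    "E2002": {"department": "Finance", "title": "Analyst", "employeeType": "Contractor"},
}

def hr_defaults(req: CreateRequest) -> None:
    """Pre-create script: default attributes from HR without overriding supplied values."""
    rec = HR_RECORDS.get(req.attributes.get("employeeID", ""))
    if rec is None:
        raise PolicyViolation("employeeID not found in HR; refusing to create an unverified account")
    for key, value in rec.items():
        req.attributes.setdefault(key, value)

def generate_names(req: CreateRequest) -> None:
    """Generation rules: sAMAccountName = first initial + surname; cn, displayName, mail derived."""
    given, sn = req.attributes["givenName"], req.attributes["sn"]
    req.attributes.setdefault("sAMAccountName", (given[0] + sn).lower())
    req.attributes.setdefault("cn", f"{given} {sn}")
    req.attributes.setdefault("displayName", f"{sn}, {given}")
    req.attributes.setdefault("mail", req.attributes["sAMAccountName"] + "@example.com")

SAM_FORMAT = re.compile(r"^[a-z][a-z0-9]{1,19}$")          # constructed naming convention
ALLOWED_DEPARTMENTS = {"Sales", "Finance", "Engineering"}   # constructed approved list

def validate_format(req: CreateRequest) -> None:
    """Format validation: data that does not conform is rejected, not stored."""
    sam = req.attributes["sAMAccountName"]
    if not SAM_FORMAT.match(sam):
        raise PolicyViolation(f"sAMAccountName {sam!r} violates the naming convention")
    dept = req.attributes.get("department")
    if dept not in ALLOWED_DEPARTMENTS:
        raise PolicyViolation(f"department {dept!r} is not an approved value")

def relocate(req: CreateRequest) -> None:
    """Relocation policy: contractors are placed in their own container regardless of the request."""
    if req.attributes.get("employeeType") == "Contractor":
        req.container = "OU=Contractors,DC=example,DC=com"

def provision_resources(req: CreateRequest) -> None:
    """Post-create script: the follow-up steps from the text, recorded as actions."""
    sam, dept = req.attributes["sAMAccountName"], req.attributes["department"]
    req.actions += [
        f"create home folder \\\\files\\home$\\{sam} and share home$",
        f"create mailbox for {sam} on MBX-{dept.upper()}",
        f"add to group {dept}-Users",
    ]
    if req.attributes["employeeType"] == "Contractor":
        req.actions.append("add to group Contractors")

PRE_CREATE = (hr_defaults, generate_names, validate_format, relocate)
POST_CREATE = (provision_resources,)

def create_user(req: CreateRequest) -> CreateRequest:
    """Apply the Policy Object: every pre-create policy must pass before the object is created."""
    for policy in PRE_CREATE:
        policy(req)
    req.actions.append(f"create CN={req.attributes['cn']},{req.container}")
    for policy in POST_CREATE:
        policy(req)
    return req

if __name__ == "__main__":
    done = create_user(CreateRequest("OU=Staff,DC=example,DC=com",
                                     {"employeeID": "E2002", "givenName": "Carol", "sn": "Smith"}))
    print("\n".join(done.actions))
```

The ordering matters: validation runs after generation so that generated values are checked too (a surname such as O'Brien produces an account name that fails the convention and the request is rejected whole), and relocation runs before creation so the object never briefly exists in the wrong container.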
Through the use of Policy Objects, Active Roles automates user provisioning tasks to reduce your administrative workload and get new users up and running faster. It automates reprovisioning and deprovisioning as well, so when a user's access needs to be changed or removed, the corresponding updates in Active Directory, Exchange, and Windows are made automatically, which reduces administrative workload and makes users productive sooner.
To help you configure and apply Policy Objects, they are broken into two categories:
It is possible to create and apply any number of Policy Objects in each category.