Active Roles 7.5.2 - Access Templates Available out of the Box

Table 14: Active Directory/Advanced: Printer Objects
Access Template	Description
Printer Objects – Create	Create printer queue objects; no other permissions are included.
Printer Objects – Delete	Delete printer queue objects; no other permissions are included.
Printer Objects – List	List printer queue objects; no other permissions are included.
Printer Objects – Read/Write General Information	View and modify properties that constitute general information for printer queue objects: Location Model Description Color Staple Double-sided Printing speed Maximum resolution
Printer Objects – Read/Write Manager	View or modify what person is assigned to manage a given printer (Managed-By attribute); no other permissions are included.
Printer Objects – Rename	Rename printer queue objects; no other permissions are included.

Table 15: Active Directory/Advanced: Shared Folders
Access Template	Description
Shared Folders – Create	Create shared folder objects; no other permissions are included.
Shared Folders – Delete	Delete shared folder objects; no other permissions are included.
Shared Folders – List	List shared folder objects; no other permissions are included.
Shared Folders – Read/Write General Information	View and modify properties that constitute general information for shared folder objects: Description UNC name No other permissions are included.
Shared Folders – Read/Write Manager	View and modify what person is assigned to manage a given shared resource (Managed-By attribute); no other permissions are included.
Shared Folders – Rename	Rename shared folder objects; no other permissions are included.

Table 16: Active Directory/Advanced: Users
Access Template	Description
Users - Assign/Remove Digital Certificates	Assign or remove digital (X.509) certificates from the user in Active Directory (read/write the userCertificate attribute of user objects); no other permissions are included.
Users - Change Password (Extended Right)	Change password on user object (User-Change-Password extended right); no other permissions are included.
Users - Copy	Create copies of existing user objects; no other permissions are included.
Users - Create	Create user objects; no other permissions are included.
Users - Delete	Delete user objects; no other permissions are included.
Users - Deprovision	Perform the deprovisioning operation on user objects; no other permissions are included.
Users - Undo Deprovision	Perform the undo deprovisioning operation on user objects; no other permissions are included.
Users - Undo Deprovision - Deny	Prohibit the undo deprovisioning operation on user objects; no other permissions are included.
Users - Enable/Disable Account	Enable or disable user objects; no other permissions are included.
Users - List	List user objects; no other permissions are included.
Users - Read Group Membership	View a list of groups to which a given user belongs; no other permissions are included.
Users - Read/Write Logon Information	View and modify properties that describe logon information for user objects (User-Logon property set); no other permissions are included. Property set members: See “User-Logon Property Set” at http://msdn.microsoft.com/en-us/library/ms684415.aspx
Users - Read/Write Account Information	View or modify properties that describe account information for user objects (no other permissions are included): User logon name User logon name (pre-Windows 2000) Logon Hours Last Logon Account is locked out Account options Account expires
Users - Read/Write Account Restrictions	View and modify properties that describe account restrictions for user objects (User-Account-Restrictions property set); no other permissions are included. Property set members: See “User-Account-Restrictions Property Set” at http://msdn.microsoft.com/en-us/library/ms684412.aspx
Users - Read/Write Dial-In Properties	View and modify properties that describe dial-in related information for user objects (no other permissions are included): Remote Access Permission (Dial-in or VPN) Verify Caller-ID Callback Options Assign a Static IP Address Apply Static Routes settings
Users - Read/Write General Information	View and modify properties that constitute general information for user objects (General-Information property set); no other permissions are included. Property set members: See “General-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684366.aspx
Users - Read/Write Personal Information	View and modify properties that describe personal information for user objects (Personal-Information property set); no other permissions are included. Property set members: See “Personal-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684394.aspx
Users - Read/Write Organizational Information	View and modify properties that describe organization related information for user objects (no other permissions are included): Title Department Company Manager Direct reports Office (General tab)
Users - Read/Write Phone and Mail Options	View and modify properties that describe email related information for user objects (Email-Information property set); no other permissions are included. Property set members: See “Email-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684362.aspx
Users - Read/Write Profile Properties	View and modify properties that describe profile related information for user objects (no other permissions are included): User profile Home folder
Users - Read/Write Public Information	View and modify properties that describe public information for user objects (Public-Information property set); no other permissions are included. Property set members: See “Public-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684396.aspx
Users - Read/Write Web Information	View and modify properties that describe Web-related information for user objects (Web-Information property set); no other permissions are included. Property set members: See “Web-Information Property Set” at http://msdn.microsoft.com/en-us/library/ms684418.aspx
Users - Read/Write WTS Properties	View and modify properties that describe Terminal Services related information for user objects (no other permissions are included): Terminal Services User Profile Terminal Services Home Folder Allow logon to terminal server Starting program Client devices Terminal Service timeout and reconnection settings
Users - Rename	Rename user objects; no other permissions are included.
Users - Reset Password (Extended Right)	Reset password on user object (User-Reset-Password extended right); no other permissions are included.
Users - Run Check Policy (Extended Right)	Use the 'Check Policy' command; no other permissions are included.
Users - Unlock Account	Unlock user objects that get locked due to a number of failed logon attempts; no other permissions are included.
Users - Write Password	Set password on user object; no other permissions are included.
Users - View Change History (Extended Right)	Use the 'Change History' and 'User Activity' commands; no other permissions are included.
Users - View Delegated Rights (Extended Right)	Use the 'Delegated Rights' command; no other permissions are included.
Users - View Digital Certificates	View digital (X.509) certificates assigned to the user in Active Directory (read the userCertificate attribute of user objects); no other permissions are included.
Users - View Entitlement Profile (Extended Right)	Use the 'Entitlement Profile' command, to view resources to which a given user is entitled. No other permissions are included.

Use the Access Templates of this category to delegate management tasks for searching, reading, creating, updating or deleting Azure AD resources, such as Azure tenants, users, guest users, groups, and so on.

Table 17: Azure Access Templates
Access Template	Description
Azure - Configuration Administrator	Gives permission to perform the following tasks: Read and write Azure tenants. Read and write Azure applications. Read Azure health check reports. Read Azure license reports. Read Azure roles reports.
Azure - Contact Full Control	Gives permission to perform the following tasks: Add and enable new Azure contacts. View existing Azure contacts. Update the properties of existing Azure contacts.
Azure - Full Control	Gives permission to perform the following tasks: Read and write Azure configuration objects. Read and write Azure user attributes. Read and write Azure group attributes. Read and write Azure O365 group objects.
Azure - Group Full Control	Gives permission to perform the following tasks: Add and enable new Azure groups. View existing Azure groups. Update the properties of existing Azure groups.
Azure - Health Check, O365 Roles Report and License Report	Gives access to the Azure health check, O365 roles and license reports. NOTE: This Access Template must be applied on a Configuration container.
Azure - O365 Groups Full Control	Gives permission to perform the following tasks: Add and enable new Azure O365 groups. View existing Azure O365 groups. Update the properties of existing Azure O365 groups.
Azure - Read All Attributes	Gives permission to read all Azure attributes.
Azure - Read All Contact Attributes	Gives permission to read all Azure contact attributes.
Azure - Read All Group Attributes	Gives permission to list all Azure groups and view all Azure group properties.
Azure - Read All O365 Group Attributes	Gives permission to list all Azure O365 groups and view all Azure O365 group properties.
Azure - Read All User Attributes	Gives permission to read all Azure user and guest user attributes.
Azure - User Full Control	Gives permission to perform the following tasks: Create new Azure user and guest user accounts. Perform all administrative operations on existing Azure user and guest user accounts.
Azure Cloud Contact- Create Objects	Gives permission to create Azure cloud contact accounts.
Azure Cloud Contact - Delete Objects	Gives permission to delete Azure cloud contact accounts.
Azure Cloud Contact - Full Control	Gives permission to create new Azure cloud contact accounts, and perform all administrative operations on existing Azure cloud contact accounts.
Azure Cloud Contact - Modify Objects	Gives permission to modify Azure cloud contact accounts.
Azure Cloud Contact - Read All Attributes	Gives permission to read all Azure cloud contact attributes.
Azure Cloud User - Create Objects	Gives permission to create Azure cloud user accounts.
Azure Cloud User - Delete Objects	Gives permission to delete Azure cloud user accounts.
Azure Cloud User - Full Control	Gives permission to create new Azure cloud user accounts, and perform all administrative operations on existing Azure cloud user accounts.
Azure Cloud User - Modify Objects	Gives permission to modify Azure cloud user accounts.
Azure Cloud User - Read All Attributes	Gives permission to read all Azure cloud user attributes.
Azure Create O365 Groups	Gives permission to create O365 groups.
Azure Guest User - Create Objects	Gives permission to create Azure guest user accounts.
Azure Guest User - Delete Objects	Gives permission to delete Azure guest user accounts.
Azure Guest User - Full Control	Gives permission to create new Azure guest user accounts, and perform all administrative operations on existing Azure guest user accounts.
Azure Guest User - Modify Objects	Gives permission to modify Azure guest user accounts.
Azure Guest User - Read All Attributes	Gives permission to read all Azure guest user attributes.
Azure Health Check Report	Gives permission to access Azure health check reports. NOTE: This Access Template must be applied on a Configuration container.
Azure License Report	Gives permission to access Azure license reports. NOTE: This Access Template must be applied on a Configuration container.
Azure Modify O365 Group Members	Gives permission to modify O365 groups.
Azure O365 Roles Report	Gives permission to access O365 roles reports. NOTE: This Access Template must be applied on a Configuration container.
Azure Resource Mailboxes - Create Objects	Gives permission to create Azure resource mailboxes.
Azure Resource Mailboxes - Delete Objects	Gives permission to delete Azure resource mailboxes.
Azure Resource Mailboxes - Full Control	Gives permission to perform the following tasks: Add and enable new Azure resource mailboxes. View existing Azure resource mailboxes. Update the properties of existing Azure resource mailboxes.
Azure Resource Mailboxes - Modify Objects	Gives permission to list all Azure resource mailboxes and modify their properties.
Azure Resource Mailboxes - Read All Attributes	Gives permission to list all Azure resource mailboxes and view their properties.
Azure Security Group - Create Objects	Gives permission to create Azure security groups.
Azure Security Group - Delete Objects	Gives permission to delete Azure security groups.
Azure Security Group - Full Control	Gives permission to perform the following tasks: Add and enable new Azure security groups. View existing Azure security groups. Update the properties of existing Azure security groups.
Azure Security Group - Modify Members	Gives permission to modify the members of Azure security groups.
Azure Security Group - Modify Objects	Gives permission to list all Azure security groups and modify their properties.
Azure Security Group - Read All Attributes	Gives permission to list all Azure security groups and read their properties.

The Azure > Miscellaneous sub-node contains one additional Azure Access Template.

Table 18: Azure > Miscellaneous Access Templates
Access Template	Description
Azure Health Check Access	Gives read permission to the Azure Health Check service to search for Azure objects in the Active Roles Web Interface. NOTE: Make sure to grant this permission to non-administrator Active Roles users. Otherwise, they will be unable to perform searches on the Active Roles Web Interface.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Active Roles 7.5.2 - Access Templates Available out of the Box

Active Directory/Advanced: Printer Objects

Active Directory/Advanced: Shared Folders

Active Directory/Advanced: Users

Azure