Active Roles provides the option to keep Active Directory native security updated with selected permissions specified using Access Templates. This option, referred to as permissions propagation, is intended to provision users and applications with native permissions to Active Directory. The normal operation of Active Roles does not rely on this option.
- When applying Access Templates, you can select the Propagate permissions to Active Directory check box in the Delegation of Control wizard.
- When managing Access Template links, you can use the Sync to AD button in a window that displays a list of links or use the Sync to AD command on a tab that displays a list of links in the advanced details pane.
First, right-click the Organizational Unit and click Delegate Control to display the Active Roles Security window.
Next, in the Access Template links list, select the links that define the permissions you want to synchronize.
Finally, click the Sync to AD button. The Sync to Native Security column in the list displays Yes for the links that you are going to synchronize.
After you click OK, Active Roles creates permission entries in Active Directory so that the Trustee has the same rights in Active Directory as it has in the Active Roles environment in accordance with the Access Template links you have synchronized.
You can stop synchronization of permissions at any time by clicking the Desync to AD button. If you do so, Active Roles deletes all permission entries in Active Directory that were created as a result of synchronization.
TIP: In the Active Roles Security dialog box, the Sync to AD button is only available on direct links. When you need to synchronize links, it is advisable to manage them using the Links command on the Access Template.
You can also accomplish this task using the advanced details pane as follows:
- Select the Organizational Unit.
- On the Active Roles Security tab, select the Access Template links that define the permissions you want to synchronize.
- Right-click the selection and click Sync to AD.
You can use the Sync to AD command to stop synchronization: right-click the links you no longer want to be synchronized, and click Desync to AD.
TIP: On the Active Roles Security tab, the Sync to AD command is available on direct links only. When you need to synchronize links, it is advisable to manage them using the Links tab for the Access Template.
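To confirm what permissions propagation actually wrote to native security, you can snapshot the Trustee's explicit permission entries on the Organizational Unit before and after clicking Sync to AD (or Desync to AD) and compare the two. The following PowerShell is an added example, not part of the Active Roles product or its documentation; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name, the trustee name and the function name `Get-TrusteeAceKey` are placeholders chosen for illustration.

```powershell
# Added example: audit native AD permission entries around "Sync to AD" / "Desync to AD".
# Assumptions: RSAT ActiveDirectory module; $OuDn and $Trustee are placeholder values.
Import-Module ActiveDirectory

$OuDn    = 'OU=Sales,DC=example,DC=com'   # placeholder: OU the Access Template is linked to
$Trustee = 'EXAMPLE\HelpDesk'             # placeholder: Trustee named in the link

function Get-TrusteeAceKey {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Trustee
    )
    # Read the object's DACL through the AD: drive of the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Keep only entries set directly on this object for the trustee; inherited
    # entries come from a parent container and are reported there instead.
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee } |
        ForEach-Object {
            # One comparable string per entry: type, rights, target attribute/class, scope.
            '{0}|{1}|{2}|{3}|{4}' -f $_.AccessControlType, $_.ActiveDirectoryRights,
                $_.ObjectType, $_.InheritedObjectType, $_.InheritanceType
        }
}

# 1. Snapshot before the change. @() keeps an empty result as an empty array.
$before = @(Get-TrusteeAceKey -DistinguishedName $OuDn -Trustee $Trustee)

# 2. Make the change in the Active Roles console, then continue.
Read-Host 'Click Sync to AD (or Desync to AD) and OK in the console, then press Enter'

# 3. Snapshot again and report the difference in both directions.
$after   = @(Get-TrusteeAceKey -DistinguishedName $OuDn -Trustee $Trustee)
$added   = @($after  | Where-Object { $_ -notin $before })
$removed = @($before | Where-Object { $_ -notin $after })

"Entries added for ${Trustee}:   $($added.Count)"
$added   | ForEach-Object { "  + $_" }
"Entries removed for ${Trustee}: $($removed.Count)"
$removed | ForEach-Object { "  - $_" }
```

After Sync to AD, the added entries should match the permissions in the synchronized Access Template links; after Desync to AD, the same entries should appear under removed. Entries for the Trustee that remain after Desync to AD were not recorded as removed by this comparison and are worth reviewing separately.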