Object access
Permissions in this category grant access to object (but not object property) administrative operations for the classes selected in the previous step of the Add Permission Entries Wizard.
Administrative operations are selected from the list, which is displayed when you select Object access. You select the necessary operations by selecting the appropriate check boxes. For example, you might select List Object to allow viewing objects of certain types.
After you have selected the operations, click Finish to complete the Add Permission Entries Wizard. The permission is added to the newly-created Access Template.
Object property access
Permissions in this category grant access to object property administrative operations for the classes selected in the Add Permission Entries Wizard.
When you select Object property access, you specify access to object properties. You can select Read properties and Write properties, as shown in the following figure.
After you click Next, the wizard displays a page where you can select the properties to which you want the permission to allow (or deny) access. The page is similar to the following figure.
On that page, you can select one of the following options:
-
All properties: With this option, the permission controls access to all properties.
-
The following properties: With this option, the permission controls access to the properties you select from the list by selecting the appropriate check boxes.
NOTE: By default, not all object properties appear in the list. To display all object properties, select the Show all possible properties check box.
After you have selected the properties you want, click Finish to complete the Add Permission Entries Wizard. The permission is added to the Access Template.
Creating or deleting child object permissions
Permissions in this category provide for creation and deletion of child objects in container objects of the classes you selected in the previous step of the Add Permission Entries Wizard.
When you select Creation/Deletion of child objects, you specify the creation, deletion, and move operations you want the permission to allow (or deny). The list of operations looks as shown in the following figure.
You can select the following operations:
-
Create child objects: Controls the creation of child objects of the classes you select in the next step.
-
Delete child objects: Controls the deletion of child objects of the classes you select in the next step.
-
Move objects into this container: Controls the relocation of object of the classes you select in the next step. This operation assumes moving objects from one container to another without permission to delete existing objects or create new objects.
After you click Next, the wizard displays the page where you can select the types of objects on which you want the permission to allow (or deny) the operations you selected in the previous step. The page is similar to the following figure.
On that page, you select the types of objects for which you want the permission to allow (or deny) the creation, deletion, or move operation. You can select one of these options:
-
Child objects of any class: With this option, the permission controls the operations on objects of any type.
-
Child objects of the following classes: With this option, the permission controls the operations on objects of the type you select from the list by selecting the appropriate check boxes.
NOTE: By default, all object classes are not displayed in the list. To display all object classes, select the Show all possible classes check box.
After you selected the object classes, click Finish to complete the Add Permission Entries Wizard. The permission is added to the Access Template.
Access Template link management
When applying an Access Template, Active Roles creates an Access Template link. Thus, administrative rights are specified by linking Access Templates to securable objects, such as Managed Units, directory folders (containers), or individual (leaf) objects.
Each Access Template link includes the identifier (SID) of the security principal—user or group—to which the specified administrative rights are assigned. When an Access Template link is created, the user or group becomes a Trustee over the collection of objects or the folder to which the Access Template is linked, with permissions specified by that Access Template.
When an Access Template is modified or no longer applied, the permission information on objects affected by the Access Template changes accordingly.
You can display a list of Access Template links starting from one of the following points:
-
Access Template: Right-click an Access Template and click Links.
This displays the links in which the Access Template occurs.
-
Security principal (Trustee): Right-click a group or user, and click Delegated Rights.
This displays the links in which the group or user occurs as a Trustee either directly or due to group memberships.
-
Securable object: Right-click a container object or Managed Unit and click Delegate Control. For a leaf object, open the Properties dialog, go to the Administration tab, and click Security.
This displays the links in which the selected object occurs as a securable object (referred to as Directory Object).
Another way to see a list of Access Template links is to use the Advanced Details Pane. Select the setting in in the View menu, then select one of the following:
-
Access Template
The Links tab lists the links in which the selected Access Template occurs.
-
Other object (Managed Unit, container, or leaf object).
The Active Roles Security tab lists the links in which the selected object occurs as a securable object (referred to as Directory Object).
The Active Roles Console displays a list of Access Template links in a separate window. Thus, the Active Roles Security window is displayed when you start from a securable object (for example, by clicking a Managed Unit or Organizational Unit and then clicking Delegate Control).
Each entry in the list of the Access Template links includes the following information:
-
Trustee: The link defines administrative rights of this security principal (group or user).
-
Access Template: The Access Template that determines the rights of the Trustee.
-
Directory Object: The link defines the rights of the Trustee to this securable object.
-
Sync to Native Security: Indicates whether the permissions are synced to Active Directory.
-
Disabled: Indicates whether the link is disabled. If a link is disabled, the permissions defined by that link have no effect.
-
Access Rule: Indicates whether an Access Rule is applied to this link. For more information, see Management of Windows claims.
The Active Roles Security window (as well as the Active Roles Security tab in the advanced details pane) lists the links of these categories:
-
Direct links: The Access Template is applied (linked) directly to the securable object you have selected.
-
Inherited links: The Access Template is applied (linked) to a container in the hierarchy of containers above the securable object you have selected, or to a Managed Unit to which the securable object belongs.
The links inherited from parent objects can be filtered out of the list:
-
When using the Active Roles Security window, clear the Show inherited check box.
-
When using the Active Roles Security tab, right-click the list and then click Show Inherited to deselect the menu item.
A window or tab that displays Access Template links allows you to manage links. In a window, you can use buttons beneath the list. In a tab, you can right-click a list entry or a blank area, and then use commands on the shortcut menu. For example, the following buttons appear in the Active Roles Security window:
-
Add: Starts the Delegation of Control Wizard to create apply Access Templates.
-
Remove: Deletes the selected entries from the list of links. Available for direct links only.
-
View/Edit: Displays the dialog to view or modify link properties such as permissions inheritance and propagation options.
-
Sync to AD: Toggles the permissions propagation option of the links selected in the list.
-
Disable: Disables or enables the link. If a link is disabled, the permissions specified by the link takes no effect.
TIP: In the Active Roles Security dialog box, the Remove button is available on direct links only. When you need to delete links, it is advisable to manage them using the Links command on the Access Template.