Configuring Active Roles for AD LDS
Configuring Active Roles for AD LDS
The Active Roles configuration-related tasks specific to AD LDS data management include the following:
- Deploying rule-based administrative views You can configure Managed Units in Active Roles to represent virtual collections of directory objects, from AD LDS, Active Directory or both, for distribution of administrative responsibilities and enforcement of business rules and policies.
- Implementing role-based delegation You can apply Active Roles Access Templates to delegate control of AD LDS data the same way as you do for the directory data held in Active Directory domains.
- Policy-based control and auto-provisioning of directory data You can apply Active Roles Policy Objects to establish policy-based control and perform auto-provisioning of AD LDS data the same way as you do for the directory data held in Active Directory domains.
This section elaborates on each of these tasks.
Configuring Managed Units to include AD LDS objects
By using the Active Roles console, you can configure Managed Units in Active Roles to represent virtual collections of directory objects, from AD LDS, Active Directory or both, for the distribution of administrative responsibilities and enforcement of business rules. By enabling Managed Units to include directory objects from any location, be it AD LDS or Active Directory, Active Roles provides the ability to implement role-based delegation and policy based administrative control of directory data where appropriate, without regard to directory boundaries.
You can use the following instructions to configure an existing Managed Unit so that it holds AD LDS objects such as AD LDS users, groups, or organizational units. For detailed instructions on how to create and administer Managed Units, see the Rule-based Administrative Views section earlier in this document.
To configure an existing Managed Unit to include AD LDS objects returned from a query
- Right-click the Managed Unit and click Properties.
- On the Membership Rules tab, click Add.
- In the Membership Rule Type dialog box, click Include by Query, and then click OK.
- Use the Create Membership Rule dialog box to set up the query:
- In the Find list, click Custom Search.
- Click Browse next to the In box.
- In the Browse for Container dialog box, expand the AD LDS (ADAM) container, expand the AD LDS directory partition containing the objects you want the query to return, and select the container that holds those objects. Then, click OK.
- Click the Field button, and select the type of the objects that you want the query to return and the object property that you want to query.
- In Condition, click the condition for your query, and then, in Value, type a property value, in order for your query to return the objects that have the object property matching the condition-value pair you have specified.
- Click the Add button to add this query condition to the query.
- Optionally, repeat steps d) through f), to further define your query by adding more conditions. If you want the query to return the objects that meet all of the conditions specified, click AND. If you want the query to return the objects that meet any of the conditions specified, click OR.
- Optionally, click Preview Rule to display a list of objects that your query returns. Note that the query results may vary depending on the current state of data in the directory. The Managed Unit will automatically re-apply the query whenever changes to directory data occur, in order to ensure that the membership list of the Managed Unit is current and correct.
- Click the Add Rule button.
- Click OK to close the Properties dialog box for the Managed Unit.
You can also configure membership rules of categories other than “Include by Query” in order to include or exclude AD LDS objects from a Managed Unit. To do so, select the appropriate category in the Membership Rule Type dialog box. Further steps for configuring a membership rule are all about using either the Create Membership Rule dialog box to set up a certain query or the Select Objects dialog box to locate and select a certain object.
Viewing or setting permissions on AD LDS objects
By using the Active Roles console, you can apply Active Roles Access Templates to delegate control of AD LDS data the same way as you do for the directory data held in Active Directory domains. By applying Access Templates to users or groups (Trustees) on AD LDS objects and containers, you can give the Trustees the appropriate level of access to directory data held in AD LDS, thus authorizing them to perform a precisely defined set of activities related to AD LDS data management.
Active Roles provides a rich suite of pre-configured Access Templates to facilitate delegation of AD LDS data management tasks. For a list of the AD LDS-specific Access Templates, refer to the Active Roles Built-in Access Templates Reference Guide, which is part of the Active Roles documentation set. You can find those Access Templates in the Configuration/Access Templates/AD LDS (ADAM) container, in the Active Roles console.
You can use the following instructions to examine which Access Templates are applied to a given AD LDS object, such as an AD LDS user, group, organizational unit, container, or entire directory partition, and to add or remove Access Templates in order to change the level of access the Trustees have to that object.
For detailed instructions on how to create, configure and apply Access Templates, see the Role-based Administration section earlier in this document.
To view or modify the list of Access Templates on an AD LDS object
- In the console tree, under AD LDS (ADAM), locate and select the container that holds the object on which you want to view or modify the list of Access Templates.
- In the details pane, right-click the object, and click Properties.
- On the Administration tab in the Properties dialog box, click Security.
- In the Active Roles Security dialog box, view the list of Access Templates that are applied to the AD LDS object, or modify the list as follows:
- To apply an additional Access Template to the object, click Add and follow the instructions in the Delegation of Control Wizard.
- To remove permissions specified by an Access Template on the object, select the Access Template from the list and click Remove.
- Click OK to close the Active Roles Security dialog box.
- Click OK to close the Properties dialog box for the AD LDS object.
In the Delegation of Control Wizard, you can select the users or groups (Trustees) to give permissions to, and select one or more Access Templates from the Access Templates/AD LDS (ADAM) container to define the permissions. As a result, the Trustees you select have the permissions that are defined by those Access Templates on the AD LDS object. The Trustees can exercise the permissions only within Active Roles as Active Roles does not stamp permission settings in AD LDS.
In the Active Roles Security dialog box, an Access Template can only be removed if it is applied to the object you have selected (rather than to a container that holds the object). To view the Access Templates that can be removed on the current selection, clear the Show inherited check box.
Instead of removing an Access Template in the Active Roles Security dialog box, you can select the Access Template and then click Disable in order to revoke the permissions on the object that are defined by the Access Template. In this way, you can block the effect of an Access Template regardless of whether the Access Template is applied to the object itself or to a container that holds the object. You can undo this action by selecting the Access Template and then clicking Enable.
Viewing or setting policies on AD LDS objects
By using the Active Roles console, you can apply Active Roles Policy Objects to establish policy-based control and perform auto-provisioning of AD LDS data the same way as you do for the directory data held in Active Directory domains. By providing the ability to strictly enforce operating policies and to prevent unregulated access to sensitive information stored in AD LDS, Active Roles helps ensure the security of your business-critical data. Policy Objects can be configured to determine a wide variety of policies as applied to AD LDS, including data format validation, rule-based auto-provisioning of certain portions of data in AD LDS, and script-based, custom actions on AD LDS data.
You can use the following instructions to view or modify a list of Policy Objects that are applied to a given AD LDS object, such as an AD LDS user, group, organizational unit, container, or entire directory partition. For detailed instructions on how to create, configure and apply Policy Objects, see the Rule-based AutoProvisioning and Deprovisioning section earlier in this document.
To view or modify the list of Policy Objects on an AD LDS object
- In the console tree, under AD LDS (ADAM), locate and select the container that holds the object on which you want to view or modify the list of Policy Objects.
- In the details pane, right-click the object, and click Properties.
- On the Administration tab in the Properties dialog box, click Policy.
- In the Active Roles Policy dialog box, view the list of Policy Objects that have effect on the AD LDS object, or modify the list as follows:
- To apply an additional Policy Object to the AD LDS object, click Add, select the Policy Object to apply, and then click OK.
- To remove the effect of a Policy Object on the AD LDS object, select the Policy Object from the list and click Remove. Alternatively, select the Blocked check box next to the Policy Object name.
- Click OK to close the Active Roles Policy dialog box.
- Click OK to close the Properties dialog box for the AD LDS object.
In the Active Roles Policy dialog box, a Policy Object can only be removed if it is applied to the AD LDS object you have selected (rather than to a container that holds the AD LDS object). To view the Policy Objects that can be removed on the current selection, click Advanced, and then clear the Show inherited check box.
Instead of removing a Policy Object in the Active Roles Policy dialog box, you can select the Blocked check box in the list entry for that Policy Object in order to remove the effect of the Policy Object on the AD LDS object. In this way, you can remove the effect of a Policy Object regardless of whether the Policy Object is applied to the AD LDS object itself or to a container that holds the object. If you block a Policy Object on a given AD LDS object, the policy settings defined by that Policy Object no longer take effect on the AD LDS object. You can undo this action by clearing the Blocked check box.