Delegating Rights to Manage Unix Objects
Use Access Templates to grant permissions to users and groups. When you add a user to an Access Template, you add all the attributes and permissions of that template to that user. When you apply Access Templates to a folder, you configure the permission settings to propagate from the folder to its child objects, down the directory structure.
You implement a delegation scheme by applying Access Templates included with the Integration Pack. For example, to delegate all Unix-related management tasks on Windows user accounts, link the Users - Modify All Unix Properties Access Template to a certain organizational unit and select the appropriate group as Trustee. As a result, any member of that group is authorized to perform the tasks on any user account held in that organizational unit.
To delegate rights to manage Unix objects
- From the ActiveRoles Server Console, navigate to Active Directory.
- From the Action menu, choose Delegate Control.
- On the Access Template links page, click Add.
- When the Delegation of Control Wizard starts, click Next.
The Delegation of Control Wizard helps you delegate control of directory objects. Grant permission to manage users, groups, computers, organizational units, and other objects administered with ActiveRoles Server.
- On the Users or Groups page, click Add.
- On the Select Objects page, click the link to display the objects.
- Select objects, click Add and then OK.
- On the Users or Groups page, click Next.
- On the Access Templates page, expand Authentication Services Integration v2.x and select Group or User or both and click Next.
- On the Inheritance Options page, specify whether you want child objects to inherit the permission settings from the selected Access Templates and click Next.
- On the Permissions Propagation page, leave the Propagate permissions to Active Directory option unselected and click Next.
- On the "Complete" page, click Finish if you are satisfied with the delegation of control.
- On the Access Template links page, click OK to return to the console.
Users or groups with delegated rights to manage Unix objects can enable, disable, or change Unix attributes on users and groups in either the ActiveRoles Server Console or the Web interface.
NOTE: Each delegated user must have read access to the application configuration.
Locating Unix Objects
Managed Units allow you to locate the Unix users and groups in your ActiveRoles Server managed environment.
To locate Unix objects
- From the ActiveRoles Server Console, navigate to Configuration | Managed Units | Authentication Services Integration v2.x.
- Right-click either Unix-enabled Groups or Unix-enabled Users and choose Find....
- You use standard ActiveRoles Server functionality to search for objects of different types. For details on using the Find Users, Contacts, and Group dialog, open the Help menu, choose Help Topics, and open the Finding Objects topic.
Using the Web Interface Extensions
Authentication Services provides Microsoft Management Console (MMC) extensions that support the ActiveRoles Server web interface, allowing you to:
- Enable, disable, or clear the Unix properties for a Windows user account
- View or modify Unix-related properties of a Windows user account
- Enable or clear the Unix group properties for a Windows group
- View or modify Unix-related properties of a Windows group
After you install the Integration Pack, you must publish the Web interface extensions.
Configure New Web Sites for the Web Interface
Every time you create and configure a new Web site for the ActiveRoles Server Web Interface, you must run the ActiveRoles Integration Configuration Wizard.
To configure new Web sites for the Web interface
- From the Start menu, navigate to All Programs | Quest Software | Authentication Service ActiveRoles Integration | ActiveRoles Integration Configuration Wizard to start a wizard that will help you configure newly created Web sites for the ActiveRoles Server Web interface.
- When the configuration setup wizard completes, click Restart ActiveRoles Now.
- When it becomes active, click the Close button and wait for a minute while ActiveRoles Server loads the startup information.
NOTE: Once the service restarts, wait a few minutes before you open the ActiveRoles Server console.