Azure – Special ATs
The Configuration > Access Templates > Azure > Special container of the Active Roles Console contains Access Templates (ATs) to delegate miscellaneous Azure AD management permissions.
Table 11: Azure AD special Access Templates
Azure Health Check Allow for Search |
Grants permission to read the Azure Health Check service so that the user(s) can search for Azure objects in the Active Roles Web Interface.
NOTE: Make sure to grant this permission to non-administrator Active Roles users. Otherwise, they will be unable to perform searches on the Active Roles Web Interface. |
Built-in Security
The Configuration > Access Templates > Builtin container of the Active Roles Console contains Access Templates (ATs) that you can use to:
- Delegate default security settings for your Active Roles server, covering both the various Active Roles components and the most common resource types managed in Active Roles.
- Use the default security ATs to configure your own security ATs.
Built-in Security – General ATs
To delegate common Active Roles server security permissions for the resources and Active Roles components in your organization, use the Access Templates (ATs) in the root of the Configuration > Access Templates > Builtin container of the Active Roles Console.
Table 12: Built-in security Access Templates
AR Server Security - Active Directory Container |
Grants the following permissions to ensure default security on the Active Directory container:
- Read all domain properties.
- Write the LDAP server properties of the domain.
- List all Active Directory (AD) resources.
- Read all properties of AD resources. |
AR Server Security - Active Directory Container - Self |
Grants the following permissions to ensure default security on the Active Directory container for the security principal self:
- Read the membership status of users (that is, their Member Of attribute).
- Read the object class of users (that is, their objectClass attribute). |
AR Server Security - AD LDS (ADAM) Container |
Grants the following permissions to ensure default security on the AD LDS (ADAM) container:
- List all Active Directory Lightweight Directory Services (AD LDS) resources.
- Read all properties of AD LDS resources.
- Read all properties of crossRefContainers. |
AR Server Security - Application Configuration Objects |
Grants the following permissions to ensure default security on application configuration objects:
- List and read all properties of Schema Cache containers.
- List and read all properties of Enterprise Directory Service (EDS) application configuration objects.
- List and read all properties of EDS display specifier containers.
- List and read all properties of control access rights.
- List and read all properties of attribute schemas.
- List and read all properties of class schemas.
- List and read all properties of all containers.
- List and read all properties of display specifiers. |
AR Server Security - Client Sessions Container |
Grants the following permissions to ensure default security on the Client Sessions container:
|
AR Server Security - Configuration Objects |
Grants the following permissions to ensure default security on configuration objects:
- List and read all properties of the Managed Domains container.
- List and read all properties of the Managed Units container.
- Read all properties of ATs.
- List and read all properties of Policy Objects.
- List and read all version information.
- List and read all properties of the Configuration container.
- List and read all properties of the change tracking log configuration.
- Read all properties of the Active Roles Administration Service.
- Read the edsvaXSLPolicyCheckReport attribute of the EDS policy check configuration.
- List and read all properties of the EDS management history replication partner.
- List and read all properties of the Management History Databases container.
- List and read all properties of the policy configuration.
- List and read all properties of the Azure Configuration container (that is, the edsAzureConfigurationContainer resource).
- List and read all properties of Azure containers.
- List and read all properties of Azure tenants. |
AR Server Security - Export/Import Application |
Grants the following permissions to ensure default security on the export/import application:
- Read the edsvaDSMLProcessingInstructionsAsXML attribute of applications.
- Read the edsvaAttributesExcludedFromImport attribute of applications.
- Read the object class of applications. |
AR Server Security - Managed Units Container |
Grants the following permissions to ensure default security on the Managed Units container:
|
AR Server Security - Web Interface Configuration |
Grants the following permissions to ensure default security on the Active Roles Web Interface configuration objects:
|
AR Server Security - Workflow Container |
Grants read permission to the Workflow container and its sub-containers. |
Special - Block Permission Inheritance |
When assigned to an object, this AT prevents inheritable permissions from propagating to the children of the object and to other target objects.
When assigned to the Active Directory node, this AT blocks all inheritable AD permissions. |
Computer Resources
The Configuration > Access Templates > Computer Resources container of the Active Roles Console contains Access Templates (ATs) that you can use to delegate computer resource management duties, such as:
This container has an Advanced sub-container, containing special ATs for computer resource management with highly granular permissions. For more information, see Computer Resources – General ATs.