
Active Roles 8.1.1 - Built-in Access Templates Reference Guide

Computer Resources – General ATs

To delegate common computer resource permissions in your organization, use the Access Templates (ATs) in the root of the Configuration > Access Templates > Computer Resources container of the Active Roles Console.

Table 13: Computer Resources – General Access Templates

Access Template

Description

Computer Management - Full Control

Grants full permission to:

  • List and select computer resources.

  • Perform all management tasks on any computer.

Computer Management - Local Account Operator

Grants the following permissions:

  • Create, update, or delete local user accounts and groups on a computer.

  • List and select computers.

Computer Management - Network Share Operator

Grants the following permissions:

  • Create, update, or delete network shares on a computer.

  • List and select computers.

Computer Management - Print Operator

Grants the following permissions:

  • View or modify the properties of logical printers installed on a computer.

  • List and select computers.

Computer Management - Read-Only Access

Grants the following permissions:

  • View the properties of all computer resources.

  • List and select computers.

Computer Management - Server Operator

Grants the following permissions:

  • Start or stop services.

  • Pause, resume or cancel printing.

  • Create, update or delete network shares on a computer.

  • List and select computers.

  • List local users and groups.

  • View all properties of local user accounts and groups on a computer.

Computer Management - Service Operator

Grants the following permissions:

  • Perform all management tasks on services on a computer.

  • List and select computers.

Computer Resources – Advanced ATs

To delegate more granular computer resource management permissions in your environment, use the Access Templates (ATs) in the Configuration > Access Templates > Computer Resources > Advanced container of the Active Roles Console.

These ATs contain more granular resource management tasks for local groups, local users, printers, services, and shared resources.

Table 14: Computer Resources – Advanced Access Templates

Access Template

Description

Local Groups - Add/Remove Members

Grants permission to add or remove group members on a computer.

NOTE: This AT provides no additional permissions.

Local Groups - Create

Grants permission to create local groups on a computer.

NOTE: This AT provides no additional permissions.

Local Groups - Delete

Grants permission to delete local groups on a computer.

NOTE: This AT provides no additional permissions.

Local Groups - List

Grants permission to list the local groups on a computer.

NOTE: This AT provides no additional permissions.

Local Groups - Read/Write General Information

Grants permission to view or modify the descriptions and membership lists of local groups on a computer.

NOTE: This AT provides no additional permissions.

Local Groups - Rename

Grants permission to rename local groups on a computer.

NOTE: This AT provides no additional permissions.

Local Users - Create

Grants permission to create local users on a computer.

NOTE: This AT provides no additional permissions.

Local Users - Delete

Grants permission to delete local users on a computer.

NOTE: This AT provides no additional permissions.

Local Users - List

Grants permission to list local users on a computer.

NOTE: This AT provides no additional permissions.

Local Users - Read Group Membership

Grants permission to view the list of groups to which a local user belongs.

NOTE: This AT provides no additional permissions.

Local Users - Read/Write Account Options

Grants permission to modify the account settings of local users, such as their password options, or whether a user is enabled, disabled, or locked out.

Local Users - Read/Write General Information

Grants permission to view or modify the full name and description of local users on a computer.

NOTE: This AT provides no additional permissions.

Local Users - Read/Write Profile Properties

Grants permission to view or modify the user profile and home folder settings of local users on a computer.

NOTE: This AT provides no additional permissions.

Local Users - Rename

Grants permission to rename local users on a computer.

NOTE: This AT provides no additional permissions.

Local Users - Write Password

Grants permission to change the password of local users on a computer.

NOTE: This AT provides no additional permissions.

Printer Resources - Read/Write Advanced Information

Grants permission to view or modify the following settings of logical printers:

  • Port

  • Advanced

Printer Resources - Read/Write General Information

Grants permission to view or modify the following settings of logical printers:

  • Name

  • Location

  • Comment

Printer Resources - Read/Write Sharing Information

Grants permission to modify the sharing settings of logical printers (that is, enabling or disabling printer sharing).

NOTE: This AT provides no additional permissions.

Services - List

Grants permission to list the services defined on a computer.

NOTE: This AT provides no additional permissions.

Services - Read/Write General Information

Grants permission to view or modify the following service settings:

  • Name

  • Display Name

  • Description

  • Path to Executable

  • Startup Type

Services - Read/Write Log On Information

Grants permission to view or modify the Log On As setting of services.

NOTE: This AT provides no additional permissions.

Services - Read/Write Start type

Grants permission to view or modify the Startup Type setting of services.

NOTE: This AT provides no additional permissions.

Services - Start/Stop/Pause/Resume

Grants permission to start, stop, pause, or resume services.

NOTE: This AT provides no additional permissions.

Shares - Create

Grants permission to create network shares on a computer.

NOTE: This AT provides no additional permissions.

Shares - List

Grants permission to list the network shares defined on a computer.

NOTE: This AT provides no additional permissions.

Shares - Read/Write General Information

Grants permission to view or modify the following settings of network shares:

  • Share Name

  • Path

  • Comment

  • User Limit

Shares - Read/Write Permissions

Grants permission to view or modify share permissions on network shares.

NOTE: This AT provides no additional permissions.

Shares - Stop Sharing

Grants permission to stop sharing folders on a computer.

NOTE: This AT provides no additional permissions.

Configuration

The Configuration > Access Templates > Configuration container of the Active Roles Console contains Access Templates (ATs) that you can use to delegate Active Roles configuration object management duties, such as:

  • Administering Managed Units (MUs), Policy Objects, or ATs.

  • Configuring Active Roles replication.

  • Adding or removing managed domains.

This container has an Advanced sub-container, containing special ATs to delegate configuration object management duties with very granular permissions. For more information, see Computer Resources – Advanced ATs.

Configuration – General ATs

To delegate common configuration object management permissions in your organization, use the Access Templates (ATs) in the root of the Configuration > Access Templates > Configuration container of the Active Roles Console.

Table 15: Configuration – General Access Templates

Access Template

Description

Access Rules - Full Control

Grants full permission to create, read, update and delete Access Rule objects.

To delegate this AT, apply it on the container(s) that hold Access Rule objects.

For more information on applying ATs on resources, see Applying Access Templates on a securable object in the Active Roles Administration Guide.

Access Rules - Modify

Grants permission to view or modify all properties of Access Rule objects.

To delegate this AT, apply it on the container(s) that hold Access Rule objects.

For more information on applying ATs on resources, see Applying Access Templates on a securable object in the Active Roles Administration Guide.

Access Rules - View

Grants permission to view all properties of Access Rule objects.

To delegate this AT, apply it on the container(s) that hold Access Rule objects.

For more information on applying ATs on resources, see Applying Access Templates on a securable object in the Active Roles Administration Guide.

Automation Workflow - Full Control

Grants full permission to:

  • View or modify automation workflow definitions.

  • Start automation workflows.

  • View the run history of automation workflows.

To delegate this AT, apply it either to automation workflow definition objects, or to containers holding automation workflow definitions.

For more information on applying ATs on resources, see Applying Access Templates on a securable object in the Active Roles Administration Guide.

Automation Workflow - View

Grants permission to view automation workflow definitions and their run history.

To delegate this AT, apply it either to automation workflow definition objects, or to containers holding automation workflow definitions.

For more information on applying ATs on resources, see Applying Access Templates on a securable object in the Active Roles Administration Guide.

Automation Workflow - View and Run

Grants the following permissions:

  • Read automation workflow definitions.

  • Start automation workflows.

  • View the run history of automation workflows.

To delegate this AT, apply it either to automation workflow definition objects, or to containers holding automation workflow definitions.

For more information on applying ATs on resources, see Applying Access Templates on a securable object in the Active Roles Administration Guide.

Configuration - Add/Remove Managed Domains

Grants the following permissions:

  • Register domains with Active Roles.

  • View or modify registration information for managed domains.

Configuration - Manage Access Templates

Grants the following permissions:

  • Create, read, update or delete ATs and AT containers.

  • Add or remove permissions to or from ATs.

Configuration - Manage Configuration

Grants permission to view or change any Active Roles configuration settings, except Active Roles replication settings.

Configuration - Manage Policy Objects

Grants the following permissions:

  • Create, read, update or delete Active Roles Policy Objects and Policy Object containers.

  • Configure Active Roles policies.

Configuration - Manage Script Modules

Grants permission to create, read, update or delete Active Roles Script Modules and Script Module containers.

Configuration - View Configuration

Grants permission to view any Active Roles configuration settings, including replication settings.

Managed Object Statistics - Read Detailed Data

Grants permission to read detailed statistical information about the number of objects managed by Active Roles.

Managed Object Statistics - View Report

Grants permission to read the Active Roles product usage statistics, that is, statistical reports on the number of objects managed with the product.

Workflow - View Workflow Containers

Grants permission to access containers that hold workflow definition objects.

To delegate this AT, apply it to the Configuration > Policies > Workflow node of the Active Roles Console.

For more information on applying ATs on resources, see Applying Access Templates on a securable object in the Active Roles Administration Guide.
