立即与支持人员聊天
与支持团队交流

Active Roles 8.1.3 - Built-in Access Templates Reference Guide

Azure – Special ATs

The Configuration > Access Templates > Azure > Special container of the Active Roles Console contains Access Templates (ATs) to delegate miscellaneous Azure AD management permissions.

Table 11: Azure AD special Access Templates

Access Template

Description

Azure Health Check Allow for Search

Grants permission to read the Azure Health Check service so that the user(s) can search for Azure objects in the Active Roles Web Interface.

NOTE: Make sure to grant this permission to non-administrator Active Roles users. Otherwise, they will be unable to perform searches on the Active Roles Web Interface.

Built-in Security

The Configuration > Access Templates > Builtin container of the Active Roles Console contains Access Templates (ATs) that you can use to:

  • Delegate default security settings for your Active Roles server, covering both the various Active Roles components and the most common resource types managed in Active Roles.

  • Use the default security ATs to configure your own security ATs.

Built-in Security – General ATs

To delegate common Active Roles server security permissions for the resources and Active Roles components in your organization, use the Access Templates (ATs) in the root of the Configuration > Access Templates > Builtin container of the Active Roles Console.

Table 12: Built-in security Access Templates

Access Template

Description

AR Server Security - Active Directory Container

Grants the following permissions to ensure default security on the Active Directory container:

  • Read all domain properties.

  • Write the LDAP server properties of the domain.

  • List all Active Directory (AD) resources.

  • Read all properties of AD resources.

AR Server Security - Active Directory Container - Self

Grants the following permissions to ensure default security on the Active Directory container for the security principal self:

  • Read the membership status of users (that is, their Member Of attribute).

  • Read the object class of users (that is, their objectClass attribute).

AR Server Security - AD LDS (ADAM) Container

Grants the following permissions to ensure default security on the AD LDS (ADAM) container:

  • List all Active Directory Lightweight Directory Services (AD LDS) resources.

  • Read all properties of AD LDS resources.

  • Read all properties of crossRefContainers.

AR Server Security - Application Configuration Objects

Grants the following permissions to ensure default security on application configuration objects:

  • List and read all properties of Schema Cache containers.

  • List and read all properties of Enterprise Directory Service (EDS) application configuration objects.

  • List and read all properties of EDS display specifier containers.

  • List and read all properties of control access rights.

  • List and read all properties of attribute schemas.

  • List and read all properties of class schemas.

  • List and read all properties of all containers.

  • List and read all properties of display specifiers.

AR Server Security - Client Sessions Container

Grants the following permissions to ensure default security on the Client Sessions container:

  • Write the Client Version attribute of connected users.

  • Read the object class of connected users.

AR Server Security - Configuration Objects

Grants the following permissions to ensure default security on configuration objects:

  • List and read all properties of the Managed Domains container.

  • List and read all properties of the Managed Units container.

  • Read all properties of ATs.

  • List and read all properties of Policy Objects.

  • List and read all version information.

  • List and read all properties of the Configuration container.

  • List and read all properties of the change tracking log configuration.

  • Read all properties of the Active Roles Administration Service.

  • Read the edsvaXSLPolicyCheckReport attribute of the EDS policy check configuration.

  • List and read all properties of the EDS management history replication partner.

  • List and read all properties of the Management History Databases container.

  • List and read all properties of the policy configuration.

  • List and read all properties of the Azure Configuration container (that is, the edsAzureConfigurationContainer resource).

  • List and read all properties of Azure containers.

  • List and read all properties of Azure tenants.

AR Server Security - Export/Import Application

Grants the following permissions to ensure default security on the export/import application:

  • Read the edsvaDSMLProcessingInstructionsAsXML attribute of applications.

  • Read the edsvaAttributesExcludedFromImport attribute of applications.

  • Read the object class of applications.

AR Server Security - Managed Units Container

Grants the following permissions to ensure default security on the Managed Units container:

  • List all Managed Units.

  • Read all properties of Managed Units.

AR Server Security - Web Interface Configuration

Grants the following permissions to ensure default security on the Active Roles Web Interface configuration objects:

  • Read all Web Interface configuration data.

  • Read and write the personal settings of Web Interface users.

AR Server Security - Workflow Container

Grants read permission to the Workflow container and its sub-containers.

Special - Block Permission Inheritance

When assigned to an object, this AT prevents propagating inheritable permissions to the children of the object and other target objects as well.

When assigned to the Active Directory node, this AT blocks all inheritable AD permissions.

Computer Resources

The Configuration > Access Templates > Computer Resources container of the Active Roles Console contains Access Templates (ATs) that you can use to delegate computer resource management duties, such as:

  • Local users and groups.

  • Services.

  • Network file shares (for example, shared directories).

  • Printers and printing jobs.

This container has an Advanced sub-container, containing special ATs for computer resource management with highly granular permissions. For more information, see Computer Resources – General ATs.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级