Active Role access template exclusion

I have created an Access Template for the access management team for managing groups (adding/removing members) and I have linked that Access Template to the entire domain, so the access management team can manage the groups in the entire domain. But I need a few groups to be excluded so that only Domain Admins can manage those groups.

Top Replies

Parents
  • Hi

    There are a couple of different ways you could achieve what is needed here

    1. Instead of linking your AT (Access Template) against the "Active Directory" node or the managed domain, selectively assign it against the OUs containing the groups that the Access Management Team should be able to manage.
    2. Create a Managed Unit with membership rules that include all the groups the Access Management Team should manage (you could also include an additional exclude rule if needed, but you should aim to use one membership rule). Once it is created and you are happy with the groups listed, remove the existing ATL (Access Template Link) where you've linked your Access Management Team and your AT against the domain, then create the link against the Managed Unit. This way any group in scope of the Managed Unit will grant your Access Management Team the permissions assigned by the AT. This is generally useful when you have the groups you do and don't want to be managed in the same OUs. Your membership rule will need to have something set (or already set) against the groups to be managed, so you can separate the two. Or explicitly add the groups that should be managed.
    3. If there are only a small number of groups that don't need to be managed, you could create another AT which denies the permissions, then link it to the groups you don't want to be managed by these users. I'm personally not a fan of using Deny permissions when you can just not grant the permissions, or not assign the permissions to the objects in the first place.

    Hope this helps

    Stu

  • Thank you Stu for your answer.

    1. Instead of linking your AT (Access Template) against the "Active Directory" node or the managed domain, selectively assign it against the OUs containing the groups that the Access Management Team should be able to manage.

    Comment: There are hundreds of OUs where groups are scattered, so it is not feasible to link the AT against each OU.

    2. Create a Managed Unit with membership rules that include all the groups the Access Management Team should manage (you could also include an additional exclude rule if needed, but you should aim to use one membership rule). Once it is created and you are happy with the groups listed, remove the existing ATL (Access Template Link) where you've linked your Access Management Team and your AT against the domain, then create the link against the Managed Unit. This way any group in scope of the Managed Unit will grant your Access Management Team the permissions assigned by the AT. This is generally useful when you have the groups you do and don't want to be managed in the same OUs. Your membership rule will need to have something set (or already set) against the groups to be managed, so you can separate the two. Or explicitly add the groups that should be managed.

    Comment: This is also not feasible, as this team is entitled to manage all the groups in all domains. There is only a handful of groups, fewer than 10, such as the Domain Admins group or the server access groups, that we want to exclude from the groups they manage.

    3. If there are only a small number of groups that don't need to be managed, you could create another AT which denies the permissions, then link it to the groups you don't want to be managed by these users. I'm personally not a fan of using Deny permissions when you can just not grant the permissions, or not assign the permissions to the objects in the first place.

    Comment: I had thought of this and have created an AT with deny permissions, but these few groups are also in different OUs, so I am not sure how to link the AT to those groups. I am thinking of creating a Managed Unit, adding those groups to the Managed Unit and linking the AT to it.

    Also, we want the Domain Admins group members to be able to add/remove users from these excluded groups.


Children
  • So: you have a small set of Active Directory groups that are not related in any way. I would suggest creating a relationship and then using Option 2 suggested by Stu.

    Create an Active Roles Virtual Attribute linked to group objects. Stored, boolean syntax. Call it something like: edsvaExcludeFromGroupManagement.

    Create a Managed Unit that populates all groups and excludes groups where edsvaExcludeFromGroupManagement is set to TRUE

    Set this flag manually on each of the desired groups.

    Delegate management permissions on the Managed Unit.

  • Hi

    I agree with Terrance: with the information you've supplied above, you're going to be better off having a Managed Unit, but I'd flip it on its head a bit.

    If you're going to need to set a value on a group, it might be better to do that on the groups you don't want them to manage.

    So the options here would be, as Terrance mentioned, either:

    1) create a VA linked to the group object class, which is stored and of type boolean, then set it for groups that cannot be managed by the Access Management Team, or

    2) identify an existing attribute/property of the group which is already used (consistently) and which can carry some value to exclude these groups.

    Then create a Managed Unit with a membership rule similar to the LDAP queries below (changed for your purposes):

    (&(objectCategory=group)(objectClass=group)(!(edsvaExcludeFromGroupManagement=true)))

    or

    (&(objectCategory=group)(objectClass=group)(!(description=ADMIN GROUP)))

    Note: carefully plan your query, 1) so you don't accidentally include the wrong groups, but also 2) to ensure you're using exact queries and, if possible for an AD query, an indexed attribute.
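    The following is an added example, not code from the thread or from Active Roles, covering both Terrance's Virtual Attribute approach and Stu's membership-rule queries above. It implements the subset of LDAP filter syntax those queries use (&, |, !, presence and exact equality) and runs two candidate membership rules over a constructed set of group objects, so you can confirm which groups would land in the Managed Unit, and whether any of the excluded admin groups leak back into scope, before the Access Template is linked. The sample objects, the DNs, the edsvaExcludeFromGroupManagement attribute name (the hypothetical stored boolean VA proposed above) and the EXCLUDED set are all assumptions; real AD matching rules (wildcards, indexing, multi-valued attributes) are not modelled.

```python
"""Dry-run evaluator for a Managed Unit membership rule.

Added example; it is not code from the thread or from Active Roles. It
implements the subset of LDAP filter syntax used in the replies above
(&, |, !, presence and exact equality) and runs candidate rules over a
constructed set of group objects, so the exclusion list can be checked
before the Access Template is linked. Real AD matching rules (wildcards,
indexing, multi-valued attributes) are not modelled.
"""
from __future__ import annotations

# Constructed sample objects (not real directory data). The attribute
# 'edsvaExcludeFromGroupManagement' is the hypothetical stored boolean
# Virtual Attribute proposed in the thread.
SAMPLE_OBJECTS = [
    {"dn": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
     "objectCategory": "group", "objectClass": "group",
     "description": "ADMIN GROUP", "edsvaExcludeFromGroupManagement": "TRUE"},
    {"dn": "CN=SRV-Access-Prod,OU=Servers,OU=Infra,DC=corp,DC=example",
     "objectCategory": "group", "objectClass": "group",
     "description": "Admin group for production servers",
     "edsvaExcludeFromGroupManagement": "TRUE"},
    {"dn": "CN=GG-Finance-Users,OU=Finance,OU=Depts,DC=corp,DC=example",
     "objectCategory": "group", "objectClass": "group",
     "description": "Finance staff"},
    {"dn": "CN=GG-HR-Users,OU=HR,OU=Depts,DC=corp,DC=example",
     "objectCategory": "group", "objectClass": "group",
     "edsvaExcludeFromGroupManagement": "FALSE"},
    {"dn": "CN=Alice,OU=Users,DC=corp,DC=example",
     "objectCategory": "person", "objectClass": "user"},
]

# The handful of groups that only Domain Admins may manage (assumed).
EXCLUDED = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=SRV-Access-Prod,OU=Servers,OU=Infra,DC=corp,DC=example",
}

RULE_VA = "(&(objectCategory=group)(objectClass=group)(!(edsvaExcludeFromGroupManagement=true)))"
RULE_DESC = "(&(objectCategory=group)(objectClass=group)(!(description=ADMIN GROUP)))"


def parse_filter(text: str):
    """Parse an LDAP filter into a nested ('&'|'|'|'!'|'=', payload) tree."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unbalanced parentheses near offset {i}")
        return i + 1, (op, children)
    if i < len(s) and s[i] == "!":
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unbalanced parentheses near offset {i}")
        return i + 1, ("!", [child])
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return end + 1, ("=", (attr, value))


def matches(node, obj: dict) -> bool:
    """Evaluate a parsed filter against one object (AD-style, case-insensitive)."""
    op, payload = node
    if op == "&":
        return all(matches(c, obj) for c in payload)
    if op == "|":
        return any(matches(c, obj) for c in payload)
    if op == "!":
        return not matches(payload[0], obj)
    attr, value = payload
    actual = {k.lower(): v for k, v in obj.items()}.get(attr.lower())
    if actual is None:
        return False  # an absent attribute never matches, not even '*'
    return value == "*" or actual.casefold() == value.casefold()


def scope(rule: str, objects) -> list[str]:
    """DNs the Managed Unit would contain under this membership rule."""
    node = parse_filter(rule)
    return sorted(o["dn"] for o in objects if matches(node, o))


def leaked_exclusions(rule: str, objects, excluded) -> list[str]:
    """Excluded groups the rule still pulls into scope (should be empty)."""
    return sorted(set(scope(rule, objects)) & set(excluded))


if __name__ == "__main__":
    for name, rule in (("VA rule", RULE_VA), ("description rule", RULE_DESC)):
        print(f"{name}: in scope -> {scope(rule, SAMPLE_OBJECTS)}")
        print(f"{name}: leaked exclusions -> "
              f"{leaked_exclusions(rule, SAMPLE_OBJECTS, EXCLUDED)}")
```

    Run against the constructed data, the VA-based rule keeps only the two ordinary groups in scope and leaks none of the excluded groups, while the description-based rule still pulls in SRV-Access-Prod because its description is not exactly "ADMIN GROUP". That is the point of the note above: an exact-match rule on a free-text attribute only works if that attribute is populated consistently on every group you mean to exclude, whereas a dedicated boolean you set deliberately on the handful of excluded groups has no such ambiguity. The parser also rejects a rule with unbalanced parentheses, which is the first thing to check when a membership rule returns nothing.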

  • Thank you very much for replies.

    I created an Access Template with deny permissions and attached it to a Managed Unit, and added the groups manually as there are only a handful of them.