Active Roles Access Template related issue

Hi Team,

   I have created an MU (Managed Unit), TestMU, with a list of users in it. I have tried to delegate control of this MU (TestMU) with the Access Template "Read/Write group members" and assigned another group, GroupA, as Trustee. But to check that this feature is working, I logged in to the web console as a user from GroupA, and I am not able to view any contents of Active Directory (AD). It shows "no contents to display". So please let us know how to check the functionality of applying an Access Template to a particular group or OU. Guide us where we went wrong.

Thanks

Vadivel

  • By default, a user has no rights at all in ARS.  That means that they cannot even read any objects.  You have granted GroupA the ability to manage certain groups, but they do not have the ability to "Read" the domain structure down to the OU(s) that contain(s) the groups that they want to manage.  You will need to grant GroupA read rights.  The simplest way to accomplish this is to grant "All objects - Read all properties" to GroupA at the "Active Directory" level of ARS.  If you choose, you can be more selective with the read rights by only granting them where they are specifically needed.  This can get quite complicated depending upon your OU structure, and I'm assuming that's why you're using a managed unit.

    You could also choose to grant "Read" rights to the actual managed unit and have the users from GroupA manage their groups directly from the managed unit.

  • It's a nice feature, but there is no real guidance / best practice on how to delegate rights in ARS. I cannot view my profile to see all the posts I've made, but I seem to remember posting a rough guide on how to do this, and I plan at some point to write a whole article on doing it. I keep putting it off, but I think it is worth doing as this question is posed quite often.

  • Hi Jason,

       Let me explain my requirement in simple terms. I have an Active Directory (AD) which contains different groups in an OU. Now I need to configure ARS in such a way that, for a particular group (e.g. GroupA), addition or deletion of users and other actions on this group can be performed only by members of another group (e.g. GroupX). To make it simpler: only users present in GroupX should be able to add/remove users from GroupA. Let me know the easiest possible way to configure this in ARS. I am new to ARS and I have gone through the ARS user guide, which guides me to use an Access Template for my case.

    Thanks in advance

    Vadivel

  • Hi Jason,

       Thanks for your reply. I have added "All objects - Read all properties" to GroupA at the "Active Directory" level of ARS as follows. I selected GroupA, selected Properties and a window opened. Click on the Administration tab --> Access Template links --> click on Delegation --> add "All objects - Read all properties" at the "Active Directory" level. Now I am able to see the same permission on the users present in this GroupA. Now I try to log in as a user from GroupA, but I am still not able to view any objects present in AD after login. Please guide me where I went wrong.

    Thanks

    Vadivel

  • From your description, it sounds like you have delegated the permissions correctly. To be sure, try the following:

    Right-click the "Active Directory" node

    Choose "Delegate Control"

    Click "Add"

    Click "Next" (this is the welcome screen, you may not see this)

    Click "Add"

    Enter the name of GroupA and click OK

    Click "Next"

    Click the checkbox next to the access template "All Objects - Read All Properties"

    Click "Next"

    Make sure that both "This directory object" and "Child objects of the directory object" are checked

    Click "Next"

    Click "Next"

    Click "Finish"

    Log in with a user account that is a member of GroupA. This should give users in GroupA the ability to view all objects within the scope of ActiveRoles.

    It is also quite helpful to choose "View" -> "Advanced details pane." This will show you all of the delegations that exist on the object that is selected.
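The same delegation and the same "log in as a GroupA member" check, done from the ActiveRoles Management Shell instead of the MMC. This is an added example, not code from the thread or from the product documentation. It assumes the Management Shell is installed and that the caller is an Active Roles administrator; the cmdlet and parameter names (Connect-QADService, Get-QARSAccessTemplate, New-QARSAccessTemplateLink, Get-QARSAccessTemplateLink, Get-QADObject) are quoted from memory of the shell's help and should be confirmed with Get-Help before use. The domain DN, group name and test account are placeholders. Note that it links the template at the domain root rather than at the "Active Directory" node used in the steps above; either gives GroupA the Read rights it needs to walk down to the groups it manages.

```powershell
# Added example (not from the thread). Cmdlet/parameter names are assumed from
# the ActiveRoles Management Shell help; verify with Get-Help <cmdlet> -Full.
# EXAMPLE, DC=example,DC=com and groupa.member are placeholders.

$domainDN = 'DC=example,DC=com'    # hypothetical domain root
$trustee  = 'EXAMPLE\GroupA'       # group that must be able to read the tree

# 1. Talk to the Active Roles service (proxy), not to a DC directly, so the
#    links are created and evaluated by ARS.
Connect-QADService -Proxy

# 2. Look up the built-in template recommended in the answer above.
$readAll = Get-QARSAccessTemplate -Name 'All Objects - Read All Properties'

# 3. Link it for GroupA at the domain root. Read at the top is what lets a
#    GroupA member navigate down to the OU(s) holding the groups it manages;
#    the "Read/Write group members" link on the MU alone is not enough.
New-QARSAccessTemplateLink -AccessTemplate $readAll `
                           -DirectoryObject $domainDN `
                           -Trustee $trustee

# 4. Verify the link exists (this is the shell view of the MMC's
#    "Advanced details pane").
Get-QARSAccessTemplateLink -DirectoryObject $domainDN -Trustee $trustee |
    Format-List

# 5. Re-test as a GroupA member, again through the proxy, so that ARS (not
#    raw AD ACLs) decides what is visible. With the Read link missing this
#    returns nothing, which is the "no contents to display" symptom.
$cred = Get-Credential 'EXAMPLE\groupa.member'
Connect-QADService -Proxy -Credential $cred
Get-QADObject -SearchRoot $domainDN -SizeLimit 10 |
    Select-Object Name, Type, DN
```

Keep the trustee a group rather than individual users, and resist the temptation to "fix" the empty view by linking a Full Control template at the root: Read All Properties is the least privilege that makes the tree navigable, and the write rights stay scoped to the Managed Unit.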

  • Don't forget to document what you did too. ARS does a pretty good job of recording this for you when you want to check, but a documented design is a good place to start before you start delegating away.

    Some gotchas here: you must give the user group read access to the users if you want to add them to a group, otherwise when you go to select users to add you won't see any. Attached is a documented design I did recently; hopefully it is self-explanatory, and it shows the policies I applied as well. The document obviously discussed exactly what the templates were, which user groups were linked, etc.

    At the top level you only need to give access to see the domain object, then at the domain User - Read All Properties, then further down you can give rights to the group objects. Alternatively you can delegate rights to Managed Units. In the design below the SD will not see any OUs other than AD Management, so it's a way of making AD look less cluttered with objects they don't manage. The example even shows multiple domains being delegated.

    [attached image: 19-07-2013 16-39-55.jpg]

  • Hi Jason,

       Thanks for the reply. Now, going a little further into real-world scenarios, I have the following requirements.

    1. I need to fetch records from AD based on some attribute values, e.g. all the users whose first name begins with "A". I guess I can do this by creating managed units to pull users like this. But is it the right approach, or do we have any other approach through ARS?

    2. Secondly, for example, I have a corporate standard where all users in GroupA should have a city that starts with "C". Now the AD user objects that already exist do not comply with this standard, so I have deployed ARS for this purpose and I need to fetch all users in GroupA whose city name doesn't start with "C". It should be displayed on screen. How do I achieve this?

  • Hi Lee Andrews,

       Thanks for the reply. Now, going a little further into real-world scenarios, I have the following requirements.

    1. I need to fetch records from AD based on some attribute values, e.g. all the users whose first name begins with "A". I guess I can do this by creating managed units to pull users like this. But is it the right approach, or do we have any other approach through ARS?

    2. Secondly, for example, I have a corporate standard where all users in GroupA should have a city that starts with "C". Now the AD user objects that already exist do not comply with this standard, so I have deployed ARS for this purpose and I need to fetch all users in GroupA whose city name doesn't start with "C". It should be displayed on screen. How do I achieve this?

    1. Managed units seem like the best way to accomplish this goal with ARS.  You may want to consider Quest Reporter if you have it.
    2. Create a provisioning policy that requires the city attribute to start with C (see below for more details).  The policy can only be applied to containers like domains, OUs, or managed units (you cannot apply it directly to a group).  In order to make the policy apply only to users in GroupA, you have two choices. 
      1. Put the users that belong to GroupA in a separate OU and apply the policy to that OU.
      2. Create a managed unit with GroupA as its members and apply the policy to that managed unit.

    Once the provisioning policy has been applied, right-click it and choose "Check policy."  You will be shown all objects that do not comply with the policy.

    Creating the provisioning policy:

    Go to "Configuration -> Policies -> Administration" in the ARS MMC interface

    Right-click "Administration" and choose "New -> Provisioning Policy"

    Click "Next"

    Give the policy a name and click "Next"

    Select "Property Generation and Validation" and click "Next"

    Click "Select"

    Choose the "City" attribute and click "OK"

    Click "Next"

    Select the checkbox next to "'City' must begin with <value>"

    Click the blue link "<click to add value>"

    Enter "C" (without the quotation marks)

    Click OK

    Click "Next"

    Click "Next"

    You can add the OU or Managed Unit to apply this policy here, or wait until later

    Click "Next"

    Click "Finish"
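The two queries from the requirements above, run from the ActiveRoles Management Shell, as an added example that is not part of the thread or of the product documentation. It uses the same LDAP filters a Managed Unit membership rule would be built from, and the second query reproduces the list that "Check policy" shows for the "City must begin with C" policy. It assumes the Management Shell is installed; Connect-QADService, Get-QADGroup and Get-QADUser with -LdapFilter / -SearchRoot / -SizeLimit are quoted from memory of the shell's help and should be confirmed with Get-Help. Domain and group names are placeholders.

```powershell
# Added example (not from the thread). Cmdlet/parameter names assumed from the
# ActiveRoles Management Shell help; verify with Get-Help <cmdlet> -Full.
# EXAMPLE, DC=example,DC=com and GroupA are placeholders.

$domainDN = 'DC=example,DC=com'

# Go through the Active Roles proxy so the caller's ARS delegation (not raw
# AD ACLs) decides which objects come back. A GroupA member without the
# Read link from earlier in the thread gets an empty result here too.
Connect-QADService -Proxy

# Requirement 1: users whose first name begins with "A".
# givenName is the LDAP name for First Name; the trailing * is the LDAP
# prefix wildcard. -SizeLimit 0 lifts the default result cap.
$firstNameA = Get-QADUser -SearchRoot $domainDN `
                          -LdapFilter '(givenName=A*)' `
                          -SizeLimit 0
$firstNameA | Select-Object Name, FirstName, DN

# Requirement 2: direct members of GroupA whose City does not start with "C".
# l is the LDAP name for City; (!(l=C*)) also matches users with no city set,
# which is usually what a compliance report wants. memberOf covers direct
# membership only; add -Indirect on Get-QADGroupMember if nesting matters.
$groupDN = (Get-QADGroup 'EXAMPLE\GroupA').DN
$filter  = "(&(memberOf=$groupDN)(!(l=C*)))"
$nonCompliant = Get-QADUser -SearchRoot $domainDN `
                            -LdapFilter $filter `
                            -SizeLimit 0
$nonCompliant | Select-Object Name, City, DN | Format-Table -AutoSize
```

The provisioning policy built in the steps above only blocks future writes that violate the rule; neither it nor this query changes the existing users. Fix the backlog deliberately (for example with Set-QADUser on the objects in $nonCompliant, after review), and keep the policy in place so the list stays empty.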