ARS 7.2 permission model

Question

I need explanation of ARS 7.2 permission model - Administration Service account permissions/usage, override accounts permissions/usage and in the end how helpdesk operator permissions are delegated to in order, for instance him/her to be able to create/delete user accounts in certain OU and nothing else. If Administration Service account/override account is given domain admin rights (current state which is completely wrong from security perspective - someone did that long time ago) how that is reflected to helpdesk operators rights to do something? Some practical example would be nice to see too - I am newbie in ARS without anybody to ask here. Admin guide does not go into these details - just high level view I think.

Aidar.Karabalaev · Answer

Service Accounts: 
#1. AD01\svc-ars-service: runs ARS ADmin Service, accesses SQL\db. No DA. 
#2. AD01,02,03\svc-ars-proxy - per domain AD01,02,03, accesses managed domains - DA (or other elevated rights) - set inside the ARS app. 
 
I recommend to take ARS Knowledge Transfer course (5d) OneIdenitity PSO provides.