Assigning Access Template - Prevent "Propagate permissions to Active Directory"

Hi,

When linking Access Templates to AD locations (in order to delegate Active Roles permissions to support teams), I'm always a bit worried that someone in my AR admin team (especially the new kids on the block) accidentally enables the option "Propagate permissions to Active Directory", which appears on the final page of the Delegation Wizard.

Is it perhaps possible to make that option inaccessible to everyone, thereby forcing them to stick with AR-only permissions? Can I somehow revoke access to that option?

If not, and someone accidentally adds a DENY to the native AD structure, how can we get permissions back? Just by taking ownership and inheriting default permissions down again, like you would with a traditional file/folder structure? Is there a rollback or undo at that level?

One of the major reasons for deploying AR was to keep native AD delegations to a minimum; it would be unfortunate if we only made things worse by accidentally applying that "Propagate" option without noticing.

Thanks; regards,

Michiel

  • You might need to have another workflow for the creation of Access Template Links, which is triggered IF edsaIsSynchronizedWithAD is set.

    If you use "Manager can update membership list" and/or "Secondary Owners can update membership list", you might need to exclude those from the workflows (based on the OOTB Access Template each uses), as both of these checkboxes cause the permissions to be synced to AD.

  • I don't believe that the "Manager can update..." functionality leverages that VA. As far as I know, it's a separate built-in operation in the Admin Service. I did some investigation of this for a client a few years ago because, at the time, I didn't even realize that write-through was occurring when you check the "Manager can update..." box.

    The VA I cited is a persistent flag associated with an AT; recall that you can see when it is "on" when you look at the linked ATs in the "Advanced" details pane (i.e., the lower right of the AR MMC).

  • Thanks,

    I did something with it a while ago, but it escapes me now. It's, however, something to bear in mind.
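As an added example (not code from the original thread or from One Identity), here is a PowerShell script covering both halves of the question: it lists the Access Template links on an OU whose edsaIsSynchronizedWithAD flag is on, and it snapshots the OU's native AD DACL as SDDL so an accidental write-through (for example a stray Deny ACE) can be diffed against the baseline and rolled back. Assumptions: the ActiveRoles Management Shell cmdlet Get-QARSAccessTemplateLink accepts -DirectoryObject and its output exposes edsaIsSynchronizedWithAD as a property of that name; the OU DN and baseline file path are placeholders.

```powershell
# Added example; not code from the original thread or from One Identity.
# Requires the ActiveRoles Management Shell and the RSAT ActiveDirectory module.
# ASSUMPTIONS: Get-QARSAccessTemplateLink accepts -DirectoryObject and its output
# exposes the edsaIsSynchronizedWithAD flag as a property of that name; the OU DN
# and the baseline path below are placeholders for your environment.

Import-Module ActiveRolesManagementShell -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Talk to the Administration Service (-Proxy): AT links live in AR, not in AD.
Connect-QADService -Proxy | Out-Null

function Get-SyncedAccessTemplateLink {
    # AT links on an object whose "Propagate permissions to Active Directory"
    # flag (edsaIsSynchronizedWithAD) is set. Write-through caused by
    # "Manager can update membership list" may not surface here; the DACL
    # diff below catches it regardless of which mechanism wrote the ACE.
    param([Parameter(Mandatory)][string]$DirectoryObject)
    Get-QARSAccessTemplateLink -DirectoryObject $DirectoryObject |
        Where-Object { $_.edsaIsSynchronizedWithAD -eq $true } |
        Select-Object DirectoryObject, AccessTemplate, Trustee
}

function Save-AdDaclBaseline {
    # Snapshot the native security descriptor of an AD object as SDDL.
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path "AD:\$DistinguishedName").Sddl |
        Set-Content -Path $Path -Encoding UTF8
}

function Compare-AdDaclToBaseline {
    # Report explicit (non-inherited) ACEs that differ from the saved baseline.
    # SideIndicator "=>" marks ACEs present now but absent from the baseline,
    # e.g. a Deny ACE that AR wrote through to native AD.
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$Path)
    $baseline = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $baseline.SetSecurityDescriptorSddlForm((Get-Content -Path $Path -Raw).Trim())
    # Canonical one-line key per ACE so Compare-Object can match them.
    $toKey = {
        "$($_.AccessControlType)|$($_.IdentityReference)|$($_.ActiveDirectoryRights)|" +
        "$($_.ObjectType)|$($_.InheritanceType)|$($_.InheritedObjectType)"
    }
    $before = @($baseline.Access |
        Where-Object { -not $_.IsInherited } | ForEach-Object $toKey)
    $now = @((Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } | ForEach-Object $toKey)
    Compare-Object -ReferenceObject $before -DifferenceObject $now
}

function Restore-AdDaclBaseline {
    # Put the DACL back exactly as saved. Only the DACL section is replaced,
    # so owner and group are untouched; inherited copies of the stray ACE on
    # child objects disappear once the parent DACL is rewritten.
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$Path)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.ObjectSecurity.SetSecurityDescriptorSddlForm(
        (Get-Content -Path $Path -Raw).Trim(),
        [System.Security.AccessControl.AccessControlSections]::Access)
    $entry.CommitChanges()
}

# Usage with placeholder values: baseline first, delegate with AR, then audit.
$ou       = 'OU=Support,DC=example,DC=com'   # placeholder
$baseline = 'C:\ARBaseline\Support.sddl'     # placeholder
Save-AdDaclBaseline -DistinguishedName $ou -Path $baseline
Get-SyncedAccessTemplateLink -DirectoryObject $ou | Format-Table -AutoSize
Compare-AdDaclToBaseline -DistinguishedName $ou -Path $baseline
# Restore-AdDaclBaseline -DistinguishedName $ou -Path $baseline   # roll back a write-through
```

Take the baseline before any Delegation Wizard run, keep one file per delegated OU, and run the compare as a scheduled check; a restore needs an account holding WRITE_DAC on the OU, and because it rewrites the whole DACL from the snapshot it also discards any legitimate native changes made after the baseline, so re-snapshot whenever an intended native change is made.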