Assigning Access Template - Prevent "Propagate permissions to Active Directory"

Hi,

When linking Access Templates to AD locations (in order to delegate Active Roles permissions to support teams), I'm always a bit worried that someone in my AR admin team (especially the new kids on the block) accidentally enable the option for "Propagate permissions to Active Directory" which appears on the final page of the Delegation Wizard.

Is it perhaps possible to make that option inaccessible to everyone, thereby forcing them to stick with AR-only permissions? Can I somehow revoke access to that option?

If not, and someone accidentally adds a DENY to the native AD structure - how can we get permissions back? Just by taking ownership + inheriting default permissions down again like you would with a traditional File/Folder structure? Is there a rollback or undo at that level?

One of the major reasons for deploying AR was to keep native AD delegations to a minimum; would be unfortunate if we only make things worse by accidentally applying that "Propagate" option without noticing..

Thanks; regards,

Michiel

Top Replies

Parents

0 Michiel over 2 years ago

Sorry, just to get back to this - how should I interpret the starting condition for this Workflow? Should I monitor "Modify properties" or using different condition? This is referring to the below screen:

Sorry, always still a bit unsure when it comes to Workflows - they're just too powerful for me ;-)
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 JohnnyQuest over 2 years ago in reply to Michiel

You want to select Modify Properties here and then specify the edsaIsSynchronizedWithAD property as the one to "watch" for.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Stu.Pollock over 2 years ago in reply to JohnnyQuest

You might need to have another workflow for creation of Access Template Links, where it is triggered IF edsaIsSynchronizedWithAD is set.

If you use the "Manager can update membership list" and/or "Secondary Owners can update membership list", you might need to exclude that from the workflows (based on the OOTB Access Template it uses), as both of these checkboxes cause the permissions to be sync'd to AD.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 Stu.Pollock over 2 years ago in reply to JohnnyQuest

You might need to have another workflow for creation of Access Template Links, where it is triggered IF edsaIsSynchronizedWithAD is set.

If you use the "Manager can update membership list" and/or "Secondary Owners can update membership list", you might need to exclude that from the workflows (based on the OOTB Access Template it uses), as both of these checkboxes cause the permissions to be sync'd to AD.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 JohnnyQuest over 2 years ago in reply to Stu.Pollock

Stu.Pollock I don't believe that the "Manager can update..." functionality leverages that VA. As far as I know, it's a separate built-in operation in the Admin service. I did some investigation of this for a client a few years ago because at the time, I didn't even realize that write-through was occurring when you check the "Manager can update..." box.

The VA I cited is a persistent flag associated with an AT - recall that you can see when it is "on" when you look at the linked ATs in the "advanced" details pane (i.e. lower right of the AR MMC).
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Stu.Pollock over 2 years ago in reply to JohnnyQuest

Thanks JohnnyQuest ,

I did something with it awhile ago, but it escapes me now. Its however something to bear in mind.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel