2.2 Understanding the Default Security Model

DRA and ExA extend your existing native Microsoft Windows security model. For example, DRA uses your existing group memberships to define default permissions. You can meet your specific needs by customizing and extending these permissions across the organization.

The default DRA and ExA security model provides built-in roles, AA groups, policy, and ActiveViews so that you can quickly incorporate DRA and ExA into your current security model. Through the default security model, your team can start using DRA out of the box with little or no additional configuration.

This section describes the key concepts about the default security model and illustrates these concepts with examples and scenarios. These examples and scenarios assume you have the DRA Admin role or the corresponding powers. Review these sections to learn about the following concepts:

  • How to extend your security model with DRA and ExA

  • How to use the built-in ActiveViews, AA groups, and roles

2.2.1 What Is the Default Security Model?

The default security model consists of several built-in ActiveViews, AA groups, and roles. These built-in components let you immediately manage domain objects and customize the Administration server. With these default definitions and rules, you can quickly start planning and implementing your enterprise management model.

You can use the available built-in components as the basis for your own security model. You can easily define ActiveViews and associate the built-in roles with AA groups you create to delegate administration powers within your enterprise. For information about implementing a security model, see Implementing Your Dynamic Security Model.

2.2.2 What Built-in Security Provides

Built-in security provides immediate and secure access to your domains, objects, and policies. The built-in ActiveViews, AA groups, and roles allow you to extend your existing security model. You can start using DRA and ExA to manage your enterprise without redesigning your existing security.

These built-in components provide a starting point. Before you define an ActiveView, decide if you can use one of the built-in roles or if you need to define a new role. When you specify which objects the ActiveView includes, you can quickly associate AAs with roles or powers for this ActiveView. These built-in roles and ActiveViews allow you to begin work immediately, using the full capabilities of DRA and ExA.

For example, members of the Administrators group in the managed domain are automatically empowered with the DRA Administration role in the Objects Current User Manages as Windows Administrator ActiveView. This ensures that Microsoft Windows administrators can start DRA and ExA with the same permissions they have using native tools.

All Powers for DRA Admins

You can grant any group or user account all powers across the enterprise by delegating the following built-in security objects:

  • DRA Admins AA group

  • DRA Administration role

  • All Objects ActiveView

The following table describes the relationship between these security objects.

Object Name        | Object Type | Description
-------------------|-------------|------------------------------------------------------------------
DRA Admins         | AA group    | Includes the user account or group you specified during setup
DRA Administration | Role        | Includes all powers
All Objects        | ActiveView  | Includes all user accounts, groups, resources, contacts, OUs, and Microsoft Exchange mailboxes from all managed domains

With this association, all members of the built-in DRA Admins AA group have all powers for all directory objects across the enterprise.

Domain Powers for Administrators

To grant members of the native Administrators group all powers in domains where they are Administrators, DRA provides the following built-in security objects:

  • Administrators from Managed Domains AA group

  • DRA Administration role

  • Objects Current User Manages as Windows Administrator ActiveView

The following table describes the relationship between these security objects.

Object Name                                           | Object Type | Description
------------------------------------------------------|-------------|------------------------------------------------------------------
Administrators from Managed Domains                   | AA group    | All members of the native Administrators group for the managed domain
DRA Administration                                    | Role        | Includes all powers
Objects Current User Manages as Windows Administrator | ActiveView  | Includes all user accounts, groups, resources, contacts, OUs, and Microsoft Exchange mailboxes in managed domains where the AA is an Administrator

With this association, all members of the native Administrators group have all powers for accounts, resources, and mailboxes in the managed domain.

Built-in Delegations

By default, DRA delegates the built-in ActiveViews and roles to specific AA groups. The following table lists the built-in ActiveViews and identifies the built-in AA groups and roles associated with each ActiveView.

Built-in ActiveView                                   | Built-in AA group                   | Assigned role
------------------------------------------------------|-------------------------------------|----------------------------------------
All Objects                                           | DRA Admins                          | DRA Administration
Objects Current User Manages as Windows Administrator | Administrators from Managed Domains | DRA Administration
Administration Servers and Managed Domains            | DRA Configuration Admins            | Configure Servers and Domains
DRA Policies and Automation Triggers                  | DRA Policy Admins                   | Manage Policies and Automation Triggers
DRA Security Objects                                  | DRA Security Model Admins           | Manage Security Model
SPA Users from All Managed and Trusted Domains        | SPA Admins                          | Reset Password and Unlock Using SPA
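The table above is really an authorization policy: an AA may act on an object only when some AA group the AA belongs to is delegated a role that contains the power, in an ActiveView whose rule includes the object. The following added example (not DRA code or its API) models that triple and answers "who granted this?" for audit purposes. The built-in group, role, and ActiveView names are those from the text; the power names, domain names, and the AtlantaAdmins/HoustonAdmins-style memberships are constructed sample data.

```python
"""Toy model of the DRA delegation triple (AA group, role, ActiveView).
Added illustration only; power names and domains are constructed."""
from dataclasses import dataclass

ALL_POWERS = "*"  # sentinel: the DRA Administration role "includes all powers"


@dataclass(frozen=True)
class DirObject:
    name: str
    domain: str
    kind: str  # user, group, ou, contact, resource, mailbox, policy, trigger, ...


@dataclass(frozen=True)
class AssistantAdmin:
    name: str
    groups: frozenset        # AA groups the AA belongs to (directly or via a Windows group)
    admin_domains: frozenset  # managed domains where the AA is a native Administrator


DIRECTORY_KINDS = {"user", "group", "ou", "contact", "resource", "mailbox"}

# ActiveView rules: does `obj` fall inside the ActiveView as seen by `aa`?
# Only the "Objects Current User Manages as Windows Administrator" rule depends on the AA.
ACTIVEVIEWS = {
    "All Objects": lambda obj, aa: True,
    "Objects Current User Manages as Windows Administrator":
        lambda obj, aa: obj.kind in DIRECTORY_KINDS and obj.domain in aa.admin_domains,
    "DRA Policies and Automation Triggers": lambda obj, aa: obj.kind in {"policy", "trigger"},
    "DRA Security Objects": lambda obj, aa: obj.kind in {"activeview", "aagroup", "role"},
    "SPA Users from All Managed and Trusted Domains": lambda obj, aa: obj.kind == "user",
}

# Roles as sets of powers (constructed power names, not DRA's internal identifiers).
ROLES = {
    "DRA Administration": {ALL_POWERS},
    "Manage Policies and Automation Triggers":
        {"policy.create", "policy.modify", "trigger.create", "trigger.modify"},
    "Manage Security Model": {"activeview.modify", "aagroup.modify", "role.modify"},
    "Reset Password and Unlock Using SPA": {"user.reset_password", "user.unlock"},
}

# Built-in delegations from the table above: (AA group, role, ActiveView).
DELEGATIONS = [
    ("DRA Admins", "DRA Administration", "All Objects"),
    ("Administrators from Managed Domains", "DRA Administration",
     "Objects Current User Manages as Windows Administrator"),
    ("DRA Policy Admins", "Manage Policies and Automation Triggers",
     "DRA Policies and Automation Triggers"),
    ("DRA Security Model Admins", "Manage Security Model", "DRA Security Objects"),
    ("SPA Admins", "Reset Password and Unlock Using SPA",
     "SPA Users from All Managed and Trusted Domains"),
]


def effective_groups(aa):
    """Membership in the built-in 'Administrators from Managed Domains' AA group is
    implied by native Administrators membership in at least one managed domain."""
    groups = set(aa.groups)
    if aa.admin_domains:
        groups.add("Administrators from Managed Domains")
    return groups


def granting_delegations(aa, power, obj):
    """Return every (group, role, ActiveView) triple that grants `aa` `power` over `obj`.
    An empty list means denied; a non-empty list explains *why* access exists."""
    groups = effective_groups(aa)
    hits = []
    for group, role, view in DELEGATIONS:
        if group not in groups:
            continue
        powers = ROLES[role]
        if power not in powers and ALL_POWERS not in powers:
            continue
        if ACTIVEVIEWS[view](obj, aa):
            hits.append((group, role, view))
    return hits


def has_power(aa, power, obj):
    return bool(granting_delegations(aa, power, obj))


if __name__ == "__main__":
    # Constructed scenario: a HoustonAdmins member, after that group was added to DRA Policy Admins.
    houston = AssistantAdmin("hou-ops", frozenset({"DRA Policy Admins"}), frozenset())
    naming_policy = DirObject("UserNaming", "corp.example", "policy")
    alice = DirObject("alice", "corp.example", "user")
    print(granting_delegations(houston, "policy.modify", naming_policy))
    print(has_power(houston, "user.reset_password", alice))  # neither role nor ActiveView covers users
```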

2.2.3 Understanding Built-in ActiveViews

Built-in ActiveViews are the default ActiveViews provided by DRA and ExA. These ActiveViews represent all current objects and security settings. Thus, built-in ActiveViews provide immediate access to all your objects and settings as well as the default security model. You can use these ActiveViews to manage objects, such as user accounts and resources, or apply the default security model to your current enterprise configuration.

Built-in ActiveViews

DRA and ExA provide several built-in ActiveViews that can represent your security model. The built-in ActiveView node contains the following ActiveViews:

All Objects

Includes all objects in all managed domains. Through this ActiveView, you can manage any aspect of your enterprise. Assign this ActiveView to the administrator or to an AA who needs auditing powers across the enterprise.

Objects Current User Manages as Windows Administrator

Includes objects from the current managed domain. Through this ActiveView, you can manage user accounts, groups, contacts, OUs, and resources. Assign this ActiveView to native Administrators who are responsible for account and resource objects in the managed domain.

Administration Servers and Managed Domains

Includes Administration server computers and managed domains. Through this ActiveView, you can manage the daily maintenance of your Administration servers. Assign this ActiveView to AAs whose duties include monitoring the synchronization status or performing cache refreshes.

DRA Policies and Automation Triggers

Includes all policy and automation trigger objects in all managed domains. Through this ActiveView, you can manage policy properties and scope, as well as automation trigger properties. Assign this ActiveView to AAs responsible for creating and maintaining your company policies.

DRA Security Objects

Includes all security objects. Through this ActiveView, you can manage ActiveViews, AA groups, and roles. Assign this ActiveView to AAs responsible for creating and maintaining your security model.

SPA Users from All Managed and Trusted Domains

Includes all user accounts from managed and trusted domains. Through this ActiveView, you can manage user passwords.

Accessing Built-in ActiveViews

Access built-in ActiveViews to audit the default security model or manage your own security settings.

To access built-in ActiveViews:

  1. In the left pane, select Delegation Management.

  2. Under Common Tasks in the right pane, click Manage ActiveViews.

  3. Select the appropriate ActiveView.

Using Built-in ActiveViews

You cannot delete, clone, or modify built-in ActiveViews. However, you can incorporate these ActiveViews into your existing security model or use these ActiveViews to design your own model.

You can use built-in ActiveViews in the following ways:

  • Assign the individual built-in ActiveViews to the appropriate AA groups. This association allows the AA group members to manage the corresponding set of objects with the appropriate powers.

  • Refer to the built-in ActiveView rules and associations as guidelines towards designing and implementing your security model.

For more information about designing a dynamic security model, see Implementing Your Dynamic Security Model.

2.2.4 Understanding Built-in Assistant Admin Groups

Built-in AA groups provide immediate access to a set of commonly used roles. You can extend your current security configuration by using these default groups to delegate power to specific user accounts or other groups.

Most built-in AA groups do not include any members. Use these groups to quickly let the appropriate people manage objects in the built-in ActiveViews. For example, if you add the AtlantaAdmins group to the DRA Security Model Admins AA group, members of the AtlantaAdmins group can create and modify all the rules that define the administration model. If you add the HoustonAdmins group to the built-in DRA Policy Admins AA group, members of the HoustonAdmins group can create and modify all policies, such as user account naming conventions. A member of the built-in DRA Policy Admins AA group can also create and modify automation triggers.

These groups are already associated with the corresponding built-in role so their members can perform common administration tasks. For example, members of the Administrators from Managed Domains AA group can manage objects in domains where they are administrators. Because built-in AA groups are part of the default security model, you can use the built-in AA groups to quickly delegate power and implement security.

Built-in Assistant Admin Groups

DRA and ExA provide several built-in AA groups that you can use in your security model. The following list describes each built-in AA group and discusses the AAs typically associated with that group. For more information, see Understanding Built-in ActiveViews and Understanding Built-in Roles.

DRA Admins

Allows AAs to manage all objects in your managed domain, including the Administration servers, and maintain your security model. By default, the DRA Admins group includes the account or group you specified during setup. Add AAs to this group if they are responsible for managing all aspects of your enterprise.

Administrators from Managed Domains

Allows AAs to manage all user accounts, groups, contacts, OUs, and resources for the domains in which they are administrators. By default, the Administrators from Managed Domains group includes the native Administrators group.

DRA Configuration Admins

Allows AAs to configure the Administration servers and managed domains. This group also allows AAs to create custom user interface extensions and custom tools, manage file replication between Administration servers and DRA client computers, and specify clone exceptions to use when cloning user accounts. By default, the DRA Configuration Admins group includes the Administration server service account. Add AAs to this group if they are responsible for configuring and maintaining your Administration servers, such as performing accounts cache refreshes or server synchronization.

DRA Policy Admins

Allows AAs to manage policies and automation triggers for all managed domains. By default, the DRA Policy Admins group does not have members. Add AAs to this group if they are responsible for establishing and maintaining policies and automating workflows.

DRA Security Model Admins

Allows AAs to manage security objects such as other AA groups, roles, and ActiveViews. By default, the DRA Security Model Admins group does not have members. Add AAs to this group if they are responsible for establishing and maintaining your security model.

SPA Admins

Allows AAs to manage user passwords, including resetting passwords and unlocking user accounts. By default, the SPA Admins group does not have members. Add AAs to this group if they are responsible for managing passwords.

Accessing Built-in Assistant Admin Groups

Access built-in AA groups to audit the default security model or manage your own security settings.

To access built-in AA groups:

  1. In the left pane, select Delegation Management.

  2. Under Common Tasks in the right pane, click Manage Assistant Admins.

  3. Select the appropriate AA group.

Using Built-in Assistant Admin Groups

You cannot delete or clone built-in AA groups. However, you can incorporate the built-in AA groups into your existing security model or use these groups to design and implement your own model.

You can use built-in AA groups in the following ways:

  • Add user accounts or other groups to a built-in AA group. These new members are then empowered with built-in roles in the ActiveViews associated with the AA group.

  • Associate a built-in AA group with an ActiveView. This association allows the AA group members to manage a specific set of objects.

For more information about designing a dynamic security model, see Implementing Your Dynamic Security Model.

2.2.5 Understanding Built-in Roles

Built-in AA roles provide immediate access to a set of commonly used powers. You can extend your current security configuration by using these default roles to delegate power to specific user accounts or other groups.

These roles contain the powers required to perform common administration tasks. For example, the DRA Administration role contains all the powers required to manage objects. To use these powers, however, the role must be associated with a user account or an AA group and the managed ActiveView.

Because built-in roles are part of the default security model, you can use the built-in roles to quickly delegate power and implement security.

Built-in Roles

These built-in roles address common tasks you can perform through the DRA and ExA user interfaces. The following list describes each built-in role and summarizes the powers associated with that role.

Audit All Objects

Provides all the powers required to view properties of objects, policies, and configurations across your enterprise. This role does not allow an AA to modify properties. Assign this role to AAs responsible for auditing actions across your enterprise. Allows AAs to view all nodes except the Custom Tools node.

Audit Limited Account and Resource Properties

Audit Resources

Provides all the powers required to view properties of managed resources. Assign this role to AAs responsible for auditing resource objects.

Audit Users and Groups

Provides all the powers needed to view user account and group properties, but no powers to modify these properties. Assign this role to AAs responsible for auditing account properties.

Built-in Scheduler - Internal Use Only

Clone User with Mailbox

Provides all the powers required to clone an existing user account along with the account mailbox. Assign this role to AAs responsible for managing user accounts.

NOTE: To allow the AA to add the new user account to a group during the clone task, also assign the Manage Group Memberships role.

Computer Administration

Provides all the powers required to modify computer properties. This role allows AAs to add, delete, and shut down computers, as well as synchronize domain controllers. Assign this role to AAs responsible for managing computers in the ActiveView.

Configure Servers and Domains

Provides all the powers required to modify Administration server options and managed domains. Also provides powers necessary to configure and manage Office 365 tenants. Assign this role to AAs responsible for monitoring and maintaining the Administration servers.

Contact Administration

Provides all the powers required to create a new contact, modify contact properties, or delete a contact. Assign this role to AAs responsible for managing contacts.

Create and Delete Computer Accounts

Provides all the powers required to create and delete a computer account. Assign this role to AAs responsible for managing computers.

Create and Delete Groups

Provides all the powers required to create and delete a group. Assign this role to AAs responsible for managing groups.

Create and Delete Resources

Provides all the powers required to create and delete shares and computer accounts, and clear event logs. Assign this role to AAs responsible for managing resource objects and event logs.

Create and Delete Resource Mailbox

Provides all the powers required to create and delete a mailbox. Assign this role to AAs responsible for managing mailboxes.

Create and Delete User Accounts

Provides all the powers required to create and delete a user account. Assign this role to AAs responsible for managing user accounts.

Dynamic Group Administration

Provides all the powers required to manage Active Directory dynamic groups.

DRA Administration

Provides all powers to an AA. This role gives a user the permissions to perform all administration tasks within DRA and ExA. This role is equivalent to the permissions of an administrator. An AA associated with the DRA Administration role can access all Directory and Resource Administrator nodes.

Execute Advanced Queries

Provides all the powers required to execute saved advanced queries. Assign this role to AAs responsible for executing advanced queries.

Group Administration

Provides all the powers required to manage groups and group memberships, and view corresponding user properties. Assign this role to AAs responsible for managing groups or account and resource objects that are managed through groups.

Help Desk Administration

Provides all the powers required to view user account properties, and to change passwords and password related properties. This role also allows AAs to disable, enable, and unlock user accounts. Assign this role to AAs responsible for Help Desk duties associated with ensuring users have proper access to their accounts.

Mailbox Administration

Provides all the powers required to manage Microsoft Exchange mailbox properties. If you use Microsoft Exchange, assign this role to AAs responsible for managing Microsoft Exchange mailboxes.

Manage Active Directory Collectors, DRA Collectors, and Management Reporting Collectors

Provides all the powers required to manage Active Directory Collectors, DRA Collectors, Office 365 Tenant Collectors, and Management Reporting Collectors for data collection. Assign this role to AAs responsible for managing reporting configuration.

Manage Active Directory Collectors, DRA Collectors, Management Reporting Collectors, and Database Configuration

Provides all the powers required to manage Active Directory Collectors, DRA Collectors, Management Reporting Collectors, and database configuration for data collection. Assign this role to AAs responsible for managing reporting and database configuration.

Manage Advanced Queries

Provides all the powers required to create, manage, and execute advanced queries. Assign this role to AAs responsible for managing advanced queries.

Manage and Execute Custom Tools

Provides all the powers required to create, manage, and execute custom tools. Assign this role to AAs responsible for managing custom tools.

Manage Clone Exceptions

Provides all the powers required to create and manage clone exceptions.

Manage Computer Properties

Provides all the powers required to manage all properties for a computer account. Assign this role to AAs responsible for managing computers.

Manage Database Configuration

Provides all the powers required to manage database configuration for Management reports. Assign this role to AAs responsible for managing reporting database configuration.

Manage Dynamic Distribution Groups

Provides all the powers required to manage Microsoft Exchange dynamic distribution groups.

Manage Exchange Mailbox Rights

Provides all the powers required to manage security and rights for Microsoft Exchange mailboxes. If you use Microsoft Exchange, assign this role to AAs responsible for managing Microsoft Exchange mailbox permissions.

Manage Group Email

Provides all the powers required to view, enable, or disable the email address for a group. Assign this role to AAs responsible for managing groups or email addresses for account objects.

Manage Group Membership Security

Provides all the powers required to designate who can view and modify Microsoft Windows group memberships through Microsoft Outlook.

Manage Group Memberships

Provides all the powers required to add and remove user accounts or groups from an existing group, and view the primary group of a user or computer account. Assign this role to AAs responsible for managing groups or user accounts.

Manage Group Properties

Provides all the powers required to manage all properties for a group. Assign this role to AAs responsible for managing groups.

Manage Mailbox Move Requests

Provides all the powers required to manage mailbox move requests.

Manage Policies and Automation Triggers

Provides all the powers required to define policies and automation triggers. Assign this role to AAs responsible for maintaining company policies and automating workflows.

Manage Printers and Print Jobs

Provides all the powers required to manage printers, print queues, and print jobs. To manage print jobs associated with a user account, the print job and the user account must be included in the same ActiveView. Assign this role to AAs responsible for maintaining printers and managing print jobs.

Manage Resources for Managed Users

Provides all the powers required to manage resources associated with specific user accounts. The AA and the user accounts must be included in the same ActiveView. Assign this role to AAs responsible for managing resource objects.

Manage Resource Mailbox Properties

Provides all the powers required to manage all properties for a mailbox. Assign this role to AAs responsible for managing mailboxes.

Manage Security Model

Provides all the powers required to define the Administration rules, including ActiveViews, AAs, and roles. Assign this role to AAs responsible for implementing and maintaining your security model.

Manage Services

Provides all the powers required to manage services. Assign this role to AAs responsible for managing services.

Manage Shared Folders

Provides all the powers required to manage shared folders. Assign this role to AAs responsible for managing shared folders.

Manage Temporary Group Assignments

Provides all the powers required to create and manage temporary group assignments. Assign this role to AAs responsible for managing groups.

Manage UI Reporting

Provides all the powers required to generate and export Activity Detail reports for users, groups, contacts, computers, organizational units, powers, roles, ActiveViews, containers, published printers, and Assistant Admins. Assign this role to AAs responsible for generating reports.

Manage User Dial in Properties

Provides all the powers required to modify the dial-in properties of user accounts. Assign this role to AAs responsible for managing user accounts that have remote access to the enterprise.

Manage User Email

Provides all the powers required to view, enable, or disable the email address for a user account. Assign this role to AAs responsible for managing user accounts or email addresses for account objects.

Manage User Password and Unlock Account

Provides all the powers required to reset the password, specify password settings, and unlock a user account. Assign this role to AAs responsible for maintaining user account access.

Manage User Properties

Provides all the powers required to manage all properties for a user account, including Microsoft Exchange mailbox properties. Assign this role to AAs responsible for managing user accounts.

Manage Virtual Attributes

Provides all the powers required to create and manage virtual attributes. Assign this role to AAs responsible for managing virtual attributes.

Manage WTS Environment Properties

Provides all the powers required to change the WTS environment properties for a user account. Assign this role to AAs responsible for maintaining the WTS environment or managing user accounts.

Manage WTS Remote Control Properties

Provides all the powers required to change the WTS remote control properties for a user account. Assign this role to AAs responsible for maintaining WTS access or managing user accounts.

Manage WTS Session Properties

Provides all the powers required to change the WTS session properties for a user account. Assign this role to AAs responsible for maintaining WTS sessions or managing user accounts.

Manage WTS Terminal Properties

Provides all the powers required to change the WTS terminal properties for a user account. Assign this role to AAs responsible for maintaining WTS terminal properties or managing user accounts.

OU Administration

Provides all the powers required to manage organizational units. Assign this role to AAs responsible for managing the Active Directory structure.

Rename Group and Modify Description

Provides all the powers required to modify the name and description of a group. Assign this role to AAs responsible for managing groups.

Rename User and Modify Description

Provides all the powers required to modify the name and description of a user account. Assign this role to AAs responsible for managing user accounts.

Replicate Files

Provides all the powers required to upload, delete, and modify file information. Assign this role to AAs responsible for replicating files from the primary Administration server to other Administration servers in the MMS and to the DRA client computers.

Reset Local Administrator Password

Provides all the powers required to reset the local administrator account password and view the name of the computer administrator. Assign this role to AAs responsible for managing the administrator accounts.

Reset Password

Provides all the powers required to reset and modify passwords. Assign this role to AAs responsible for password management.

Reset Password and Unlock Account Using SPA

Provides all the powers required to use Secure Password Administrator to reset passwords and unlock user accounts.

Reset Unified Messaging PIN Properties

Provides all the powers required to reset Unified Messaging PIN properties for user accounts.

Resource Administration

Provides all the powers required to modify properties of managed resources, including resources associated with any user account. Assign this role to AAs responsible for managing resource objects.

Resource Mailbox Administration

Provides all the powers required to manage resource mailboxes.

Self Administration

Provides all the powers required to modify basic properties, such as telephone numbers, of your own user account. Assign this role to AAs to allow them to manage their own personal information.

Start and Stop Resources

Provides all the powers required to pause, start, resume, or stop a service; start or stop a device, printer, or print queue; shut down a computer; or synchronize your domain controllers. Assign this role to AAs responsible for managing resource objects.

Transform a User

Provides all the powers required to add a user to or remove a user from groups found in a template account, including the ability to modify the user's properties while transforming the user.

User Administration

Provides all the powers required to manage user accounts, associated Microsoft Exchange mailboxes, and group memberships. Assign this role to AAs responsible for managing user accounts.

View Active Directory Collectors, DRA Collectors, Management Reporting Collectors, and Database Configuration Information

Provides all the powers required to view AD collectors, DRA collectors, management reporting collectors, and database configuration information.

View All Computer Properties

Provides all the powers required to view properties of a computer account. Assign this role to AAs responsible for auditing computers.

View All Group Properties

Provides all the powers required to view properties for a group. Assign this role to AAs responsible for auditing groups.

View All Resource Mailbox Properties

Provides all the powers required to view properties for a resource mailbox. Assign this role to AAs responsible for auditing resource mailboxes.

View All User Properties

Provides all the powers required to view properties for a user account. Assign this role to AAs responsible for auditing user accounts.

WTS Administration

Provides all the powers required to manage Windows Terminal Server (WTS) properties for user accounts in the ActiveView. If you use WTS, assign this role to AAs responsible for maintaining the WTS properties of user accounts.

If you have licensed the File Security Administrator product, additional built-in roles are available. For more information about File Security Administrator, see the User Guide for File Security Administrator.

Accessing Built-in Roles

Access built-in roles to audit the default security model or manage your own security settings.

To access built-in roles:

  1. In the left pane, select Delegation Management.

  2. Under Common Tasks in the right pane, click Manage Roles.

  3. Select the appropriate role.

Using Built-in Roles

You cannot delete or modify built-in roles. However, you can incorporate the built-in roles into your existing security model or use these roles to design and implement your own model.

You can use built-in roles in the following ways:

  • Associate a built-in role with a user account or AA group. This association provides the user or AA group members with the appropriate powers for the task.

  • Clone a built-in role and use that clone as the basis for a custom role. You can add other roles or powers to this new role and remove powers originally included in the built-in role.

For more information about designing a dynamic security model, see Implementing Your Dynamic Security Model.