4.3 Setting Required Permissions for GP Repository Tasks

You must set permissions for each user and for each task you want a user to perform. Refer to GP Repository Requirements to learn the levels in the GP Repository hierarchy and where you need to set permissions for a user to perform a particular task.

The GPA Console has a specialized node called GPR Security Management that allows you to manage users and their permissions, mainly through the creation and maintenance of roles.

4.3.1 Understanding GPA Roles

You can assign several roles to GPA users. Each role corresponds to one of the job functions a user performs in GPA. Each role defines the security permissions required to perform the tasks in the GP Repository appropriate to the GPA‑related job function.

GPA provides the following roles:

GPO Importer

Has permission to import GPOs from Active Directory into the GP Repository and synchronize ADMX files from the central store.

GPO Exporter

Has permission to export GPOs from the GP Repository to Active Directory and export ADMX files to the central store.

GPO Editor

Has permission to send for approval and modify GPOs in the GP Repository and add ADMX files.

GPO Approver

Has permission to approve, reject, or unapprove GPOs for export from the GP Repository to Active Directory. This role also has permissions to approve or unapprove ADMX files for export from the GP Repository to the central store.

GPO Synchronizer

Has permission to modify GPOs in the GP Repository to synchronize controlled GPOs with master GPOs.

GPR Security Filtering

Has permission to set the users and groups that mask or lock GPOs in the GP Repository.

Assigning a role to a GPA user configures the security settings of the role for the GPA user. The advantage of assigning roles to GPA users is that you do not have to configure security settings individually for each task a particular GPA‑related job function requires. For example, assigning a GPA user to the GPO Editor role configures all the permissions that the user needs to edit GPOs in the GP Repository.

Understanding Role Scope

GPA roles are specific to a GP Repository domain. For example, if you want a GPA user to be a GPO Editor for more than one GP Repository domain, you must assign the user to the GPO Editor role in each domain.

GPA roles are also specific to categories and GPOs in a domain. When you assign a role to a GPA user, you must also define the categories and GPOs to which the role applies.

Understanding Roles and Workflow

To ensure a secure and controlled GPA workflow, assign different roles to different users. Assigning different roles to different users prevents any one user from having broad permissions and enforces a system of checks and balances. For example, if you assign the GPO Editor, GPO Approver, and GPO Exporter roles to separate people, you prevent one person from being able to both modify and implement GPOs in your Active Directory environment. You can also ensure that you properly test and verify any GPO changes before you implement them.

Before you can create and assign roles, you need to first create an ActiveView to define the scope where the permissions are applied, which can include categories, domains, and GPOs.

Creating an ActiveView

The ActiveViews node is located in the GPR Security Management container under the domain node of the GP Repository. From this node you create new active views for the GP Repository, so you can define permission roles and assign those roles to users or groups.

To create a new ActiveView:

  1. Log on to a GPA Console computer as a member of the GPA_REPOSITORY_MANAGEMENT group.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then expand the domain in which you want to assign a user or group to a role.

  4. Expand GPR Security Management.

  5. Right-click ActiveViews, and select New ActiveView.

  6. In the New ActiveView dialog box, type a name and description for the active view.

  7. Do one or more of the following, as required:

    • Click Add Category, expand the server tree, select a domain or category node, and click OK.

    • Click Add GPO, expand the server tree, select a GPO, and click OK.

      IMPORTANT: To exclude a particular scope, select Rule as Exclude. To include a particular scope, select Rule as Include and choose the required Inheritance (Objects in Nested Categories or Only GPOs in Category).

    • Add additional categories, domains, and GPOs.

  8. Click OK in the New ActiveView dialog box.

Customizing Roles for Users or Groups

GPA comes with a set of built-in roles that should address common GPO tasks. If you need to extend these roles, or create new ones, you can use the GPR Security Management feature to customize security settings that more precisely define the permissions that apply to a user or group.

To create a new role:

  1. Log on to a GPA Console computer as a member of the GPA_REPOSITORY_MANAGEMENT group.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then expand the domain in which you want to assign a user or group to a role.

  4. Expand GPR Security Management and then expand Roles.

  5. Right-click Custom Roles and select New Role.

  6. Use the New Role window to name the role and assign the permissions that the role should grant.

Assigning Roles to Users

You assign roles to GPA users using the GP Repository’s GPR Security Management node, which assigns a role to one or more users or groups and also defines the domains, categories, and GPOs in a GP Repository to which the role applies.

To assign roles to users or groups using the GPR Security Management node:

  1. Log on to a GPA Console computer as a member of the GPA_REPOSITORY_MANAGEMENT group.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then expand the domain in which you want to assign a user or group to a role.

  4. Expand GPR Security Management, and right-click Assignments.

  5. Select New Assignment.

  6. Use the New Assignment window to assign roles to users or groups on an ActiveView.
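The three pieces above (the Editor/Approver/Exporter split under Understanding Roles and Workflow, the Include/Exclude rules and inheritance modes of an ActiveView, and the assignment of a role to a principal on an ActiveView) fit together as one small permission model. The following is an added example, not NetIQ GPA code: it models ActiveView scoping and assignments as plain Python data and runs a separation-of-duties check over them. The domain, category paths, GPO names and people are constructed, and the evaluation order (an Exclude rule winning over any Include rule) is an assumption, not something the text states.

```python
"""Model of GP Repository scoping: ActiveViews, role assignments and a
separation-of-duties check. Added example, not NetIQ GPA code; the data
model and the Exclude-over-Include precedence are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Inheritance(Enum):
    NESTED = "Objects in Nested Categories"  # GPOs anywhere under the category
    DIRECT = "Only GPOs in Category"         # only GPOs placed directly in it


@dataclass(frozen=True)
class GPO:
    name: str
    domain: str
    category: Tuple[str, ...]  # category path under the domain; () = domain root


@dataclass(frozen=True)
class Rule:
    """One 'Add Category' or 'Add GPO' entry of an ActiveView."""
    include: bool                    # Rule as Include (True) / Exclude (False)
    domain: str
    category: Tuple[str, ...] = ()   # () selects the domain node itself
    gpo: Optional[str] = None        # set for 'Add GPO' rules
    inheritance: Inheritance = Inheritance.NESTED

    def matches(self, gpo: GPO) -> bool:
        if gpo.domain != self.domain:
            return False
        if self.gpo is not None:     # a GPO rule names exactly one GPO
            return gpo.name == self.gpo
        depth = len(self.category)
        if gpo.category[:depth] != self.category:
            return False             # not under this category at all
        if self.inheritance is Inheritance.DIRECT:
            return len(gpo.category) == depth
        return True


@dataclass
class ActiveView:
    name: str
    rules: List[Rule]

    def contains(self, gpo: GPO) -> bool:
        # Assumption: an Exclude rule wins over any Include rule.
        if any(r.matches(gpo) for r in self.rules if not r.include):
            return False
        return any(r.matches(gpo) for r in self.rules if r.include)


@dataclass(frozen=True)
class Assignment:
    principal: str   # user or group
    role: str        # e.g. "GPO Editor"
    view: str        # ActiveView name


# Roles that should not meet in one person's hands on the same GPO.
SOD_ROLES = {"GPO Editor", "GPO Approver", "GPO Exporter"}


def effective_roles(principal: str, gpo: GPO, assignments: List[Assignment],
                    views: Dict[str, ActiveView]) -> Set[str]:
    """Roles a principal holds on a GPO: assigned roles whose ActiveView contains it."""
    return {a.role for a in assignments
            if a.principal == principal and views[a.view].contains(gpo)}


def sod_conflicts(gpos: List[GPO], assignments: List[Assignment],
                  views: Dict[str, ActiveView]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """(principal, GPO name, roles) wherever one principal holds 2+ SOD roles on a GPO."""
    found = []
    for principal in sorted({a.principal for a in assignments}):
        for gpo in gpos:
            held = effective_roles(principal, gpo, assignments, views) & SOD_ROLES
            if len(held) > 1:
                found.append((principal, gpo.name, tuple(sorted(held))))
    return found


# --- constructed sample data (fictional domain, categories, GPOs, people) ---
DOMAIN = "corp.example"
GPOS = [
    GPO("WS-Baseline", DOMAIN, ("Workstations",)),
    GPO("Finance-Lockdown", DOMAIN, ("Workstations", "Finance")),
    GPO("Srv-Hardening", DOMAIN, ("Servers",)),
]
VIEWS = {v.name: v for v in [
    # whole Workstations subtree, except the Finance lockdown GPO
    ActiveView("Workstation-Policies", [
        Rule(True, DOMAIN, ("Workstations",), inheritance=Inheritance.NESTED),
        Rule(False, DOMAIN, gpo="Finance-Lockdown"),
    ]),
    # only GPOs sitting directly in Workstations\Finance
    ActiveView("Finance-Only", [
        Rule(True, DOMAIN, ("Workstations", "Finance"), inheritance=Inheritance.DIRECT),
    ]),
    # the domain node with nested inheritance: every GPO in the domain
    ActiveView("All-Domain", [Rule(True, DOMAIN)]),
]}
ASSIGNMENTS = [
    Assignment("alice", "GPO Editor", "Workstation-Policies"),
    Assignment("bob", "GPO Approver", "All-Domain"),
    Assignment("carol", "GPO Exporter", "All-Domain"),
    Assignment("dave", "GPO Editor", "Finance-Only"),
    Assignment("dave", "GPO Approver", "Finance-Only"),   # the SOD violation
]

if __name__ == "__main__":
    for g in GPOS:
        print(g.name, {n: v.contains(g) for n, v in VIEWS.items()})
    print(sod_conflicts(GPOS, ASSIGNMENTS, VIEWS))
```

Running the block shows that the Exclude GPO rule removes Finance-Lockdown from Workstation-Policies even though the nested Include rule covers its category, that Only GPOs in Category keeps WS-Baseline out of Finance-Only, and that dave, holding both GPO Editor and GPO Approver on the same ActiveView, is the one principal flagged by the separation-of-duties check. Reviewing assignments in that form is the check to repeat whenever a role is added to a user or group.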

Viewing the Assignments Linked to an ActiveView

To view the assignments linked to an ActiveView:

  1. Log on to a GPA Console computer as a member of the GPA_REPOSITORY_MANAGEMENT group.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then log on to the database.

  4. Expand GPR Security Management, expand ActiveViews, and select the ActiveView whose assignments (of users or groups to roles) you want to view.

    You can also expand the Assignments container and select an assignment; the right pane then shows the ActiveView linked to that assignment.

View Current User’s Assigned Roles

To view the roles assigned to the current user:

  1. Start the GPA Console in the Group Policy Administrator program group.

  2. In the left pane, expand GP Repository, and then right-click the repository node.

  3. Select Show Your Assigned Roles.