Re: AzMan/ADAM store permissions



Yes, although you can't use the actual Administrators role group for this. You'd need to create your own group and delegate specific permissions in ADAM. Essentially, you want to ensure that you grant the appropriate create and modify permissions without delete or delete tree. Don't give "full control".

Permissions in ADAM use the same model as AD which is very granular. However, it can be a little confusing figuring out what exactly you need to grant to get the behavior you want. Testing with test objects you create is a good idea. :)

Use the ACL editor in LDP to get the most control/visibility into what you are actually setting.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"<M>" <m_dinnis@xxxxxxxxxxx> wrote in message news:868ccae6-29d1-41c4-a26a-156748adce89@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Firstly, I'm not sure this is the best place to be asking this
question, so if you know of a better location then please let me know.

I've recently configured an ADAM instance to hold an AzMan application
store to authorise my users to perform specific actions within my web
app. This works just great and everyone is happy. That's the good
news. The bad news is that whilst managing the store locally on my PC
I decided (based on lack of information) to delete the store rather
than close it through my AzMan snap-in. The result? Not entirely
unexpected as it deleted the store from ADAM and hence stopped all
authorisation requests. It took me an hour to rebuild the store as
backups were not what they should have been (that's another issue).

So on to my question: Is it possible to grant some administrator users
access to a store, but amend their permissions so that they can not
delete it? I would envisage that another administrator user still
remain defined who does have permissions, but that this account would
be a special setup and not a day to day account.

Regards,

mike
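As an added example (not from the post above, and not AzMan's or ADAM's own tooling), the delegation Joe describes, done with System.DirectoryServices from PowerShell instead of the LDP ACL editor: a custom ADAM group is granted create, read and write rights on the store object and its subtree, is explicitly denied Delete and Delete Tree on the store, and the resulting DACL is read back so you can check what was actually set. The host/port, the store DN, the group DN and the group name are placeholders for illustration; substitute your own.

```powershell
# Added example: delegate AzMan-store administration in ADAM without delete rights.
# All names below are assumptions, not values from the original thread.
Add-Type -AssemblyName System.DirectoryServices

$server  = 'adamhost.example.com:389'                          # assumed ADAM instance
$storeDn = 'CN=WebAppStore,CN=AzManStores,DC=example,DC=com'   # assumed AzMan store object
$groupDn = 'CN=AzManOperators,CN=Roles,DC=example,DC=com'      # assumed custom ADAM group

# Resolve the ADAM group to a SID; ADAM principals are addressed by objectSid in ACEs.
$group    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$groupDn")
$sidBytes = [byte[]]$group.Properties['objectSid'][0]
$sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

$store = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$storeDn")
$R = [System.DirectoryServices.ActiveDirectoryRights]

# Allow: create/list children, read/write properties, read the security descriptor.
# Deliberately absent: Delete, DeleteTree, DeleteChild, WriteDacl, WriteOwner, GenericAll.
$allowRights = $R::CreateChild -bor $R::ListChildren -bor $R::ReadProperty -bor `
               $R::WriteProperty -bor $R::ReadControl
$allowRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $allowRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Deny: Delete and DeleteTree on the store object itself, so an Allow the group
# picks up elsewhere (e.g. through another group) cannot remove the store.
$denyRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($R::Delete -bor $R::DeleteTree),
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$store.ObjectSecurity.AddAccessRule($allowRule)
$store.ObjectSecurity.AddAccessRule($denyRule)
$store.CommitChanges()

# Read the DACL back and show every ACE that applies to the delegated group.
$store.RefreshCache()
$store.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Two caveats a practitioner will want. First, an object can also be removed by a principal holding DeleteChild on its parent container, so do not grant DeleteChild on the container that holds the store, and check the inherited ACEs on the store for it. Second, an explicit Deny on the store only protects the store object; it is still worth keeping the separate, rarely used account with full rights for the day the store genuinely has to be deleted or rebuilt.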
