Modifying role assignments

To modify role assignments, users must have the following permissions:

Target object: Authorization

Permissions to apply:

Click the Properties tab, then select Allow for the following properties:

  • Write msDS-AzApplicationData

Target object: msDS-AzRoleObjectContainer

This object is listed under a globally unique identifier (GUID) for the Authorization object.

Permissions to apply:

On the Object tab, select Allow to apply the following permissions to this object:

  • Create msDS-AzRole objects

Target object: msDS-AzRoleObjectContainer/CN=CRA_guid

This object is listed under a globally unique identifier (GUID) for the Authorization object and a unique identifier for the role assignment.

Permissions to apply:

Click the Properties tab, then select Allow for the following properties to allow changes to the assigned user or groups:

  • Read Name
  • Read name
  • Allow Delete

Click the Properties tab, then select Allow for the following properties to allow changes to the available time for a role assignment:

  • Read Name
  • Read name
  • Read msDS-AzApplicationData
  • Write msDS-AzApplicationData
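
To review who already holds the permissions listed above, the following added example (not part of the original page or the product) reads the access control list on each target object and reports the matching Allow entries. The distinguished names are placeholders to replace with your own objects, and the function names are hypothetical; it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: report trustees that hold the role-assignment permissions.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Assumption: placeholder DNs; substitute the objects from your own zone.
$TargetDns = @(
    '<DN of the Authorization object>',
    '<DN of the msDS-AzRoleObjectContainer object>',
    '<DN of the CN=CRA_guid role assignment object>'
)

$Rights   = [System.DirectoryServices.ActiveDirectoryRights]
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Resolve schema GUIDs at run time instead of hard-coding them.
function Get-SchemaGuid {
    param([string]$LdapName)
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    [guid]::new([byte[]]$obj.schemaIDGUID)
}

$attrGuid  = Get-SchemaGuid 'msDS-AzApplicationData'   # attribute
$classGuid = Get-SchemaGuid 'msDS-AzRole'              # object class
$anyGuid   = [guid]::Empty                             # ACE applies to all properties/classes

function Get-RoleAssignmentDelegation {
    param([string]$Dn)
    foreach ($ace in (Get-Acl -Path "AD:\$Dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        $found = @()
        # Matches ACEs scoped to the attribute/class itself or to everything;
        # ACEs granted through a property set are not resolved here.
        if (($r -band $Rights::WriteProperty) -and ($ace.ObjectType -in $attrGuid, $anyGuid)) { $found += 'Write msDS-AzApplicationData' }
        if (($r -band $Rights::CreateChild) -and ($ace.ObjectType -in $classGuid, $anyGuid)) { $found += 'Create msDS-AzRole objects' }
        if ($r -band $Rights::Delete) { $found += 'Delete' }
        foreach ($p in $found) {
            [pscustomobject]@{ Object = $Dn; Trustee = $ace.IdentityReference; Permission = $p; Inherited = $ace.IsInherited }
        }
    }
}

$TargetDns | ForEach-Object { Get-RoleAssignmentDelegation $_ } |
    Sort-Object Object, Permission, Trustee | Format-Table -AutoSize
```

Entries with Inherited set to True come from a parent object, so removing them means changing the ACL where they were originally granted.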