Defining rights and roles in the authorization store

To configure rights, roles, and role assignments, users must have the following permissions for the authorization store:

Select this target object / To apply these permissions:

Target object: Authorization

  On the Object tab, select Allow to apply the following permissions to this object and all child objects:

  • List contents
  • Read all properties
  • Write all properties

Target object: msDS-AzApplication

  This object is listed under a globally unique identifier (GUID) for the Authorization object. For example:

  CN=cab186af-61a0-4d54-a0dd...

  On the Object tab, select Allow to apply the following permissions to this object (listed as CN=GUID under the Authorization object) and all child objects:

  • Create and delete msDS-AzOperation objects
  • Create and delete msDS-AzTask objects
  • Create and delete msDS-AzRole objects
  • Create msDS-AzScope objects

Note: You must grant these permissions on the CN=GUID object if you are granting permissions manually with ADSI Edit. The proper permissions are set automatically for the users when you delegate administrative tasks for a zone.
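The following PowerShell is an added auditing example, not part of this documentation or of the product: it reads the ACL of a classic zone's Authorization container and its msDS-AzApplication child (CN=GUID) and reports, for each permission listed above, whether a given identity holds it with inheritance to all child objects. It assumes the RSAT ActiveDirectory module (AD: drive); the container DN and identity are placeholders you supply.

```powershell
Import-Module ActiveDirectory

# Resolve a schema class name to its schemaIDGUID, the ObjectType used by
# create-child / delete-child ACEs for that class.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

# True if an Allow ACE for $Identity on $DN carries $Right, applies to $ObjectType
# (empty GUID = all properties / all child classes) and inherits to all child objects.
function Test-AllowAce {
    param([string]$DN, [string]$Identity,
          [System.DirectoryServices.ActiveDirectoryRights]$Right,
          [guid]$ObjectType = [guid]::Empty)
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in (Get-Acl -Path "AD:\$DN").Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference -ne $Identity) { continue }
        $hasRight = (($ace.ActiveDirectoryRights -band $Right) -eq $Right) -or
                    (($ace.ActiveDirectoryRights -band $all) -eq $all)
        $typeOk   = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $ObjectType)
        $inherits = $ace.InheritanceType -eq 'All'   # "this object and all child objects"
        if ($hasRight -and $typeOk -and $inherits) { return $true }
    }
    return $false
}

# One row per required permission: container rights on the Authorization object,
# create/delete-child rights on its first msDS-AzApplication child (CN=GUID).
function Get-AzStorePermissionReport([string]$AuthorizationDN, [string]$Identity) {
    $app = Get-ADObject -SearchBase $AuthorizationDN -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=msDS-AzApplication)' | Select-Object -First 1
    $checks = @(
        @{ DN=$AuthorizationDN; Name='List contents';        Right='ListChildren';  Type=[guid]::Empty },
        @{ DN=$AuthorizationDN; Name='Read all properties';  Right='ReadProperty';  Type=[guid]::Empty },
        @{ DN=$AuthorizationDN; Name='Write all properties'; Right='WriteProperty'; Type=[guid]::Empty }
    )
    foreach ($cls in 'msDS-AzOperation', 'msDS-AzTask', 'msDS-AzRole') {
        $g = Get-SchemaClassGuid $cls
        $checks += @{ DN=$app.DistinguishedName; Name="Create $cls"; Right='CreateChild'; Type=$g }
        $checks += @{ DN=$app.DistinguishedName; Name="Delete $cls"; Right='DeleteChild'; Type=$g }
    }
    $checks += @{ DN=$app.DistinguishedName; Name='Create msDS-AzScope'; Right='CreateChild'; Type=(Get-SchemaClassGuid 'msDS-AzScope') }
    foreach ($c in $checks) {
        [pscustomobject]@{ Object=$c.DN; Permission=$c.Name; Granted=(Test-AllowAce $c.DN $Identity $c.Right $c.Type) }
    }
}

# Usage with placeholders: Get-AzStorePermissionReport 'CN=Authorization,CN=<zone>,...' 'DOMAIN\ZoneAuthAdmins' | Format-Table
```

A row that is granted only because the ACE is GenericAll is worth a second look: it is broader than the permissions the table calls for.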

Configuring authorization in classic zones

Unlike hierarchical zones, authorization is an optional feature in classic zones. You must be an administrator or the user who created a classic zone to initialize the authorization store in Active Directory, identify the users who should be allowed to configure rights, roles, and role assignments, and enable or disable the enforcement of the rights and role assignments you have configured.

To update the list of users and groups who are allowed to configure DirectAuthorize rights and roles, you must have the Modify permissions right on the Authorization container under the classic zone container, applied to this object and all child objects. If you have this permission, you can click Add to add Windows users and groups to the list of users and groups who can configure rights and roles, or select a user or group in the list and click Remove to remove it from the list.