The access control entries (ACEs) on each reseller organization control the type of access that each group is granted to the reseller organization. ACEs on reseller groups allow resellers to access their parent object (that is, the hosting organization) but access is restricted to their particular reseller organization. The permissions specified by the ACE restrict user accounts in each reseller group from viewing organizational units (OUs) other than those for their organization. The Remove Authenticated Users ACE is set on each reseller OU to prevent all users from reading the contents of the reseller OU, unless they are explicitly granted this right. This prevents a reseller's customers from viewing OUs other than their own.

ACEs for the AllUsers@reseller Group

The ACEs on the AllUsers@reseller group grant List Object permissions for the reseller OU.

The following table describes an ACE on the AllUsers@reseller group that restricts members of the AllUsers@reseller group from listing the contents of the reseller organization. This prevents user accounts within a particular customer organization from viewing other customer OUs within the reseller organization.

Table: List Object ACEs for the AllUsers@reseller Group

Allowed or denied to Permission Apply to

AllUsers@reseller

Special

This object only

Permission

Allow

-

List Object

ADS_RIGHT_DS_LIST_OBJECT

-

The following table describes ACEs for the AllUsers@reseller group that are applied to this group and any of its child objects. Users are granted List Object and Read permissions.

Table: ACEs for the AllUsers@reseller Group

Allowed or denied to Permission Apply to

AllUsers@reseller

Special

This object and all child objects

Permission

Allow

-

List Contents

ADS_RIGHT_DS_ACTRL_DS_LIST

-

Read All Properties

ADS_RIGHT_DS_READ_PROP

-

Read permissions

ADS_RIGHT_READ_CONTROL

-

ACEs for the AllCustomers@reseller Group

The following table represents an ACE that sets List Object permissions on the reseller organization. This ACE denies List Object permissions to the AllCustomers@reseller group for the reseller OU. This restriction prevents users within a particular customer organization from accessing customer OUs other than their own.

Table: ACEs for the AllCustomers@reseller Group

Allowed or denied to Permission Apply to

AllCustomers@reseller

Special

This object only

Permission

Allow

-

List Object

ADS_RIGHT_DS_LIST_OBJECT

-

ACEs for the Admins@reseller Group

The following table describes an ACE that grants permissions on the level of a reseller administrator to members of the Admins@reseller group. These permissions allow reseller administrators to write properties, modify permissions, and create and delete objects within the reseller OU.

Table: ACEs for the Admins@reseller Group

Allowed or denied to Permission Apply to

Admins@reseller

Special

This object and all child objects

Permission

Allow

-

Write all properties

ADS_RIGHT_DS_WRITE_PROPERTIES

-

Modify permissions

ADS_RIGHT_WRITE_DAC

-

All validated writes

ADS_RIGHT_DS_SELF

-

All extended writes

ADS_RIGHT_DS_CONTROL_ACCESS

-

Create all child objects

ADS_RIGHT_DS_CREATE_CHILD

-

Delete all child objects

ADS_RIGHT_DS_DELETE_ACCESS

-

ACEs for the CSRAdmins@reseller Reseller Group

The following table describes the ACE that grants members of the CSRAdmins@reseller group permissions on the level of a customer service representative within the reseller organization.

Table: ACEs for the CSRAdmins@reseller Group

Allowed or denied to Permission Apply to

CSRAdmins@reseller

Special

This object and all child objects

Permission

Allow

-

Write all properties

ADS_RIGHT_DS_WRITE_PROPERTIES

-

Modify permissions

ADS_RIGHT_WRITE_DAC

-

All validated writes

ADS_RIGHT_DS_SELF

-

All extended writes

ADS_RIGHT_DS_CONTROL_ACCESS

-

Create all child objects

ADS_RIGHT_DS_CREATE_CHILD

-

ACEs for the _private Container

The _private container is a container for special containers and groups required to implement Delegated Administration Console functionality. It contains the Remove Authenticated Users ACE to prevent all users from accessing the _private container, except those with explicitly authorization.