MPS Delegation Model

A key component of the MPS Delegation Model is support for role-based access checking. There are a few different ways in which this access checking is implemented in MPS; however, the general idea is that a check is made on behalf of the authenticated user to ensure the following:

The MPS User Roles

As a general rule, role-based access checking in MPS namespaces is performed only on the top-level roles defined below. The more specific roles are checked through additional controls put in place through AD ACLs.

UI Roles

To take the concept of user roles a bit further, and to aid in the development of control panels, delegated admin consoles, etc., HMC exposes a feature called UI roles. This is exposed through the GetCallerUIRoles procedure found in both the Managed and Hosted Active Directory namespaces. The idea is that if a developer knows the role of a calling user, they can easily calculate which actions should be exposed to that user at any given level in an Active Directory hierarchy.

User role calculation is performed as follows. There is a container under the "hosting" OU's _Private container called WatUIPermissions. The WatUIPermissions container contains 8 groups, obscurely named 0000, 0100, 0500, 1000, 2000, 5000, and 6000. These groups are created during the creation of the "hosting" OU by the procedure Managed Helpers::InitializeADForHosting. The groups are configured as follows:

GetCallerUIRoles attempts to read the DACL on each of these groups. Only administrators and group members are allowed to read the DACL (the "read permissions" right) on a group object, so this becomes an effective and efficient way to determine whether the calling user is a member of the role indicated by each group. Only the groups whose DACL the user can read are returned in the list of uiRoles.
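Because GetCallerUIRoles treats "can read the DACL" as "is a member", the role calculation is only as trustworthy as the DACLs on those groups: an ACE granting read-permissions to a broad principal would make every such caller appear to hold that role. The following PowerShell audit, an added example that is not part of HMC or MPS, walks the WatUIPermissions groups and reports who holds ReadControl on each; it assumes the ActiveDirectory module (AD: drive) and that the "hosting" OU is named OU=Hosting directly under the domain root, which is an assumption about the layout.

```powershell
# Added example, not HMC/MPS code. Audits the DACLs that GetCallerUIRoles relies on:
# any ACE granting ReadControl ("read permissions") to a broad principal would make
# that role appear to apply to every such caller.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName             # e.g. DC=example,DC=com
$hostingOu = "OU=Hosting,$domainDn"                        # assumption: OU name and location
$container = "CN=WatUIPermissions,CN=_Private,$hostingOu"  # container named on the page

# Principals that should never be able to read these DACLs if the membership test is to hold.
$broadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users"
)

$readControl = [System.DirectoryServices.ActiveDirectoryRights]::ReadControl

$roleGroups = Get-ADObject -SearchBase $container -SearchScope OneLevel -LDAPFilter '(objectClass=group)'

foreach ($group in $roleGroups) {
    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"

    # Allow ACEs whose rights include ReadControl (GenericRead and GenericAll contain it too).
    $readControlAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $readControl) -ne 0)
    }

    foreach ($ace in $readControlAces) {
        $who = $ace.IdentityReference.Value
        if ($broadPrincipals -contains $who) {
            Write-Warning "$($group.Name): ReadControl granted to $who; GetCallerUIRoles would report this role for every such caller"
        }
    }

    # One row per role group listing who can read its DACL, i.e. who would be reported as holding the role.
    [pscustomobject]@{
        Role           = $group.Name
        CanReadDacl    = ($readControlAces | ForEach-Object { $_.IdentityReference.Value }) -join '; '
    }
}
```

Run it as an account that can itself read the DACLs (an administrator); a caller without ReadControl on a group sees the same failure GetCallerUIRoles uses to exclude that role, so the audit would be incomplete.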

Using Roles Based Access Checking

Each procedure has a specific minimum role that can perform a given action. The following are the general guidelines for role-based access checking: