Access control entries for customer organizations

The access control entries (ACEs) specified for each customer organizational unit control the type of access to that organization that each group is granted. ACEs on all customer groups allow them to access their parent object, the reseller organization, but otherwise restrict their access to the reseller organization. ACEs on the customer organization grant different permissions to different groups within the customer organization.

This topic explains the ACEs on the following objects in each customer organization:

ACE for the customer organizational unit

The following ACE is set on each customer organizational unit:

Remove Authenticated Users

This ACE prevents all user accounts from reading the contents of the customer organizational unit, unless they are explicitly granted this right.

ACEs for the allusers@customer_organization group

The ACEs on the allusers@customer group grant List Object permissions for the customer organizational unit to end users.

The following table describes the ACE for the allusers@customer_organization group that controls this group's access to the customer organizational unit. This ACE grants all members of this group List Object permission on the customer organizational unit and applies only to the customer organizational unit.

Allowed or Denied To             Permission   Apply To
allusers@customer_organization   Special      This object only

Permission     Allow
List Object    ADS_RIGHT_DS_LIST_OBJECT

The following table describes the ACEs for the allusers@customer_organization group that govern permissions to the customer organization by end users. These ACEs are applied to this group and any of its child objects. They grant List Object and Read permissions to all members of this group.

Allowed or Denied To             Permission   Apply To
allusers@customer_organization   Special      This object and all child objects

Permission             Allow
List contents          ADS_RIGHT_DS_ACTRL_DS_LIST
Read all properties    ADS_RIGHT_DS_READ_PROP
Read permissions       ADS_RIGHT_READ_CONTROL
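The two allusers@customer_organization entries and the "Remove Authenticated Users" step can be applied and verified from PowerShell. The script below is an added example, not part of the original documentation or of the product; it assumes the ActiveDirectory module and its AD: drive are available, and the OU distinguished name and group name are placeholders to replace. Note that List Object (ADS_RIGHT_DS_LIST_OBJECT) is only honored by the directory when List Object mode is enabled in the forest's dSHeuristics attribute; without it, the second ACE alone decides what end users can see.

```powershell
# Added example (not from the original documentation): apply the allusers@
# ACEs described above to one customer organizational unit.
Import-Module ActiveDirectory

$CustomerOU    = 'OU=CustomerOrg,OU=Reseller,DC=hosting,DC=example'   # placeholder DN
$AllUsersGroup = 'HOSTING\allusers@CustomerOrg'                        # placeholder group

$acl = Get-Acl -Path "AD:\$CustomerOU"

# "Remove Authenticated Users": drop every explicit (non-inherited) ACE granted
# to Authenticated Users (S-1-5-11) on this OU. Inherited ACEs belong to the
# parent and are deliberately left alone here.
$authUsers = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')
$acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $authUsers } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

$sid = ([System.Security.Principal.NTAccount]$AllUsersGroup).Translate(
           [System.Security.Principal.SecurityIdentifier])

# ACE 1: List Object, "This object only" (no inheritance).
$listObjectAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ListObject,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# ACE 2: List contents + Read all properties + Read permissions,
# "This object and all child objects" (inheritance All).
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ReadControl
$readAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $readRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($listObjectAce)
$acl.AddAccessRule($readAce)

# Write the modified DACL back. Add -WhatIf on a first run to preview the change.
Set-Acl -Path "AD:\$CustomerOU" -AclObject $acl

# Verification: list what is now explicitly granted on the OU.
(Get-Acl -Path "AD:\$CustomerOU").GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

The removal loop intentionally targets only explicit entries: if Authenticated Users still appears as an inherited entry in the verification output, the right was granted higher in the tree and must be addressed there (or inheritance blocked on the OU), not by editing this OU's own entries.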

User ACEs for the admins@customer_organization group

The following two tables describe ACEs that govern access to user objects and any of their child objects by organization administrators. These ACEs specify permissions that members of the admins@customer_organization group have for user objects.

This table describes the privileges that allow members of the admins@customer_organization group to create and delete user objects within the customer organization.

Allowed or Denied To             Permission   Apply To
admins@customer_organization     Special      This object and all child objects

Permission             Allow
Create user objects    ADS_RIGHT_DS_CREATE_CHILD
Delete user objects    ADS_RIGHT_DS_DELETE_CHILD

The following table describes an ACE that governs access to user objects. This ACE allows organization administrators full control over user objects.

Allowed or Denied To             Permission     Apply To
admins@customer_organization     Full control   User object

Permission     Allow
All items      ADS_RIGHT_GENERIC_ALL

Group ACEs for the admins@customer_organization group

The following two tables describe the ACEs that give members of the admins@customer_organization group permissions on group objects within their organization.

This ACE allows customer organization administrators to create and delete groups within their organization.

Allowed or Denied To             Permission                     Apply To
admins@customer_organization     Create/delete group objects    This object and all child objects

Permission             Allow
Create group object    ADS_RIGHT_DS_CREATE_CHILD
Delete group object    ADS_RIGHT_DS_DELETE_CHILD

The following table describes an ACE that gives organization administrators full control over group objects within their organization.

Allowed or Denied To             Permission     Apply To
admins@customer_organization     Full Control   Group object

Permission     Allow
All items      ADS_RIGHT_DS_GENERIC_ALL

Organizational unit ACEs for the admins@customer_organization group

The ACE described in the following table allows organization administrators, the members of the admins@customer_organization group, to create and delete child organizational units within their customer organizational unit.

Allowed or Denied To             Permission                                   Apply To
admins@customer_organization     Create/delete organizational unit objects    This object and all child objects

Permission                    Allow
Create organizational unit    ADS_RIGHT_DS_CREATE_CHILD
Delete organizational unit    ADS_RIGHT_DS_DELETE_CHILD

The ACE described in the following table allows members of the admins@customer_organization group full control over other organizational units within their customer organizational unit.

Allowed or Denied To             Permission     Apply To
admins@customer_organization     Full Control   Group object

Permission     Allow
All items      ADS_RIGHT_DS_GENERIC_ALL

User ACEs for the csradmins@customer_organization group

The following two tables contain ACEs that govern access to user objects and any of their child objects by organization customer service representatives (CSRs). These ACEs specify permissions that members of the csradmins@customer_organization group have for user objects.

The following table describes the privileges that allow organization CSRs to create and delete user objects within the customer organizational unit.

Allowed or Denied To               Permission                    Apply To
csradmins@customer_organization    Create/delete user objects    This object and all child objects

Permission             Allow
Create user objects    ADS_RIGHT_DS_CREATE_CHILD
Delete user objects    ADS_RIGHT_DS_DELETE_CHILD

The following table describes an ACE that governs access to user objects by organization CSRs. This ACE gives members of the csradmins@customer_organization group full control over user objects.

Allowed or Denied To               Permission     Apply To
csradmins@customer_organization    Full control   User object

Permission     Allow
All items      ADS_RIGHT_GENERIC_ALL

Group ACEs for the csradmins@customer_organization group

The following two tables describe the ACEs that give members of the csradmins@customer_organization group permissions on group objects within their organizational unit.

This ACE enables organization CSRs to create and delete groups within their organizational unit.

Allowed or Denied To               Permission                     Apply To
csradmins@customer_organization    Create/delete group objects    This object and all child objects

Permission             Allow
Create group object    ADS_RIGHT_DS_CREATE_CHILD
Delete group object    ADS_RIGHT_DS_DELETE_CHILD

The following table describes an ACE that gives organization CSRs full control over group objects within their organizational unit.

Allowed or Denied To               Permission     Apply To
csradmins@customer_organization    Full Control   Group object

Permission     Allow
All items      ADS_RIGHT_DS_GENERIC_ALL

Organizational unit ACEs for the csradmins@customer_organization group

The following two tables describe the ACEs that govern access by members of the csradmins@customer_organization group to organizational unit objects within the customer organization.

This ACE enables organization CSRs to create and delete child organizational units within their customer organizational unit.

Allowed or Denied To               Permission                                   Apply To
csradmins@customer_organization    Create/delete organizational unit objects    This object and all child objects

Permission                           Allow
Create organizational unit object    ADS_RIGHT_DS_CREATE_CHILD
Delete organizational unit object    ADS_RIGHT_DS_DELETE_CHILD

The following table describes an ACE that gives organization CSRs full control over organizational units within their customer organizational unit.

Allowed or Denied To               Permission     Apply To
csradmins@customer_organization    Full Control   Group object

Permission     Allow
All items      ADS_RIGHT_DS_GENERIC_ALL
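The admins@ and csradmins@ sections above describe the same six entries per group: create/delete child rights scoped to the user, group and organizational unit classes on "this object and all child objects", and full control scoped to descendant objects of each class. Because these are the entries that let a delegated administrator take over every account in the customer organization, the practical check is whether an OU's DACL still matches exactly that set. The script below is an added example, not part of the original documentation or of the product: it rebuilds the expected set from the tables, reads the live DACL, and reports entries that are missing or unexpected. The OU distinguished name and group names are placeholders; schema class GUIDs are read from the forest schema rather than hardcoded; and, following the prose rather than the "Apply To" cell of the last table, the full-control entry for organizational units is expected on descendant organizational unit objects.

```powershell
# Added example (not from the original documentation): audit a customer OU's
# explicit ACEs for the admins@ / csradmins@ groups against the documented set.
Import-Module ActiveDirectory

$CustomerOU  = 'OU=CustomerOrg,OU=Reseller,DC=hosting,DC=example'                 # placeholder DN
$AdminGroups = @('HOSTING\admins@CustomerOrg', 'HOSTING\csradmins@CustomerOrg')   # placeholder groups

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve a schema class to its schemaIDGUID (the value an object-specific ACE carries).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]::new([byte[]]$class.schemaIDGUID)
}
$ClassGuid = @{
    user               = Get-SchemaClassGuid 'user'
    group              = Get-SchemaClassGuid 'group'
    organizationalUnit = Get-SchemaClassGuid 'organizationalUnit'
}

# One string per ACE so expected and actual entries can be compared as sets.
function Get-AceKey($Identity, $AccessRights, [guid]$ObjectType, [guid]$InheritedObjectType, $Inheritance) {
    '{0}|{1}|{2}|{3}|{4}' -f $Identity, [int]$AccessRights, $ObjectType, $InheritedObjectType, $Inheritance
}

function Get-ExpectedAceKeys([string[]]$Groups) {
    foreach ($g in $Groups) {
        foreach ($cls in 'user', 'group', 'organizationalUnit') {
            # Create/delete <class> objects: this object and all child objects.
            Get-AceKey $g ($Rights::CreateChild -bor $Rights::DeleteChild) $ClassGuid[$cls] ([guid]::Empty) 'All'
            # Full control, applied to descendant objects of <class> only.
            Get-AceKey $g $Rights::GenericAll ([guid]::Empty) $ClassGuid[$cls] 'Descendents'
        }
    }
}

function Get-ActualAceKeys([string]$OuDn, [string[]]$Groups) {
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Explicit entries only: inherited ones are the parent's responsibility.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $Groups -contains $_.IdentityReference.Value -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            Get-AceKey $_.IdentityReference.Value $_.ActiveDirectoryRights $_.ObjectType $_.InheritedObjectType $_.InheritanceType
        }
}

function Compare-CustomerOuAces([string]$OuDn, [string[]]$Groups) {
    $expected = @(Get-ExpectedAceKeys $Groups)
    $actual   = @(Get-ActualAceKeys $OuDn $Groups)
    [pscustomobject]@{
        OU      = $OuDn
        Missing = @($expected | Where-Object { $actual   -notcontains $_ })   # documented but absent
        Extra   = @($actual   | Where-Object { $expected -notcontains $_ })   # present but undocumented
    }
}

$result = Compare-CustomerOuAces $CustomerOU $AdminGroups
$result | Format-List
if ($result.Missing.Count -eq 0 -and $result.Extra.Count -eq 0) { 'DACL matches the documented ACE set.' }
```

Keys are built from the numeric rights mask, so an entry set through a different tool that stores an equivalent but differently composed mask (for example a generic right expanded to its specific bits) will show up under both Missing and Extra; that pairing is the signal to inspect the entry by hand rather than a confirmed drift. Running this across every customer OU on a schedule, and alerting on any non-empty Extra list, turns the tables above into a detection control rather than a one-time configuration.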

ACE for child organizational units

The following ACE is set on each child organization:

Remove Authenticated Users

This ACE prevents all users from reading the contents of the child organization, unless they are explicitly granted this right.

ACE for the _private container

The _private container contains special containers and groups required to implement Delegated Administration Console functionality. It contains the following ACE:

Remove Authenticated Users

This ACE prevents all users from accessing the _private container except those explicitly authorized to do so.