Access control entries for the hosting organization

The access control entries (ACEs) on the hosting organizational unit determine which type of access each group is granted to that organizational unit. This topic explains the ACEs on the following objects in the hosting organization:

Reading ACE for the hosting organizational unit

The following ACE is set on the hosting organization:

Remove Authenticated Users

This ACE prevents all users from reading the contents of the hosting organizational unit unless they are explicitly granted this right.

ACEs for the allusersgroup@hosting group

The ACE described in the following table grants List Contents permissions on the hosting organization to the allusersgroup@hosting group. Members of the allusersgroup@hosting group include:

Allowed or Denied To    Permission    Apply To
allusersgroup           Special       This object only

Permission      Allow
List Object     ADS_RIGHT_DS_LIST_OBJECT

ACEs for the allusers@hosting group

Membership in the allusers@hosting group includes only user accounts within the hosting organization; this membership does not include reseller or customer user accounts. The ACEs on this group allow user accounts in the hosting organization to list and read properties within the hosting organizational unit.

Allowed or Denied To    Permission    Apply To
allusers@hosting        Special       This object and all child objects

Permission              Allow
List contents           ADS_RIGHT_DS_ACTRL_DS_LIST
Read all properties     ADS_RIGHT_DS_READ_PROP
Read permissions        ADS_RIGHT_READ_CONTROL

ACEs for the admins@hosting group

The following table describes the ACE that grants service provider administrator-level privileges to members of the admins@hosting group. Granting these privileges reduces the likelihood of having to grant domain administrator privileges to users who need to perform Active Directory functions for hosted customers.

Allowed or Denied To    Permission    Apply To
admins@hosting          Special       This object and all child objects

Permission                  Allow
Write all properties        ADS_RIGHT_DS_WRITE_PROPERTIES
Modify permissions          ADS_RIGHT_WRITE_DAC
All validated writes        ADS_RIGHT_DS_SELF
All extended writes         ADS_RIGHT_DS_CONTROL_ACCESS
Create all child objects    ADS_RIGHT_DS_CREATE_CHILD
Delete all child objects    ADS_RIGHT_DS_DELETE_ACCESS

ACEs for the csradmins@hosting group

The following table describes the ACE that grants members of the csradmins@hosting group the privileges of a service provider customer service representative (CSR).

Allowed or Denied To    Permission    Apply To
csradmins@hosting       Special       This object and all child objects

Permission                  Allow
Write all properties        ADS_RIGHT_DS_WRITE_PROPERTIES
Modify permissions          ADS_RIGHT_WRITE_DAC
All validated writes        ADS_RIGHT_DS_SELF
All extended writes         ADS_RIGHT_DS_CONTROL_ACCESS

ACE for the _private container

The _private container holds the special containers and groups required to implement Delegated Administration Console functionality. It contains the following ACE:

Remove Authenticated Users

This ACE prevents all users from accessing the _private container except those explicitly authorized to do so.
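The following audit script is an added example, not part of the original documentation, that checks whether an organizational unit carries the ACEs described above. It assumes the ActiveDirectory PowerShell module, a placeholder DN for the hosting organizational unit, and that the hosting groups resolve as DOMAIN\name; the ADS_RIGHT_* constants on this page are mapped to their System.DirectoryServices.ActiveDirectoryRights equivalents, which is this example's own mapping.

```powershell
# Added audit example (not from the original documentation).
Import-Module ActiveDirectory

# Placeholder DN; replace with the DN of your hosting organizational unit.
$HostingOU = 'OU=Hosting,DC=example,DC=com'

# Expected ACEs from the page. Inherit 'None' = "This object only",
# 'All' = "This object and all child objects". Rights use the .NET enum names.
$Expected = @(
    @{ Group = 'allusersgroup@hosting'; Inherit = 'None'; Rights = 'ListObject' }
    @{ Group = 'allusers@hosting';      Inherit = 'All';  Rights = 'ListChildren, ReadProperty, ReadControl' }
    @{ Group = 'admins@hosting';        Inherit = 'All';  Rights = 'WriteProperty, WriteDacl, Self, ExtendedRight, CreateChild, DeleteChild' }
    @{ Group = 'csradmins@hosting';     Inherit = 'All';  Rights = 'WriteProperty, WriteDacl, Self, ExtendedRight' }
)

function Test-HostingOuAcl {
    param([string]$OuDn, [hashtable[]]$Expected)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $findings = @()

    # "Remove Authenticated Users": no Allow ACE for Authenticated Users should remain.
    $authUsers = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($authUsers) { $findings += "Authenticated Users still has an Allow ACE on $OuDn" }

    foreach ($e in $Expected) {
        $want = [System.DirectoryServices.ActiveDirectoryRights]$e.Rights
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -like "*\$($e.Group)" -and
            $_.AccessControlType -eq 'Allow' -and
            $_.InheritanceType -eq $e.Inherit
        }
        # Union the rights of every matching ACE, then report any expected flag that is absent.
        $have = 0
        foreach ($a in $aces) { $have = $have -bor [int]$a.ActiveDirectoryRights }
        $missing = [int]$want -band (-bnot $have)
        if ($missing) {
            $findings += "$($e.Group) ($($e.Inherit)): missing $([System.DirectoryServices.ActiveDirectoryRights]$missing)"
        }
    }
    return $findings
}

$result = Test-HostingOuAcl -OuDn $HostingOU -Expected $Expected
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'ACL matches the documented ACEs.' }
```

The same function can be run against the _private container's DN with an empty $Expected list to confirm that only the Authenticated Users check applies there.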