Access control entries for the hosting organization
The access control entries (ACEs) for the hosting
organizational unit control the type of access to this
organizational unit that each group is granted. This topic explains
the ACEs on the following objects in the hosting organization:
The ACE described in the following table grants List Contents
permissions for the hosting organization to the
allusersgroup@hosting. Members of the allusersgroup@hosting
include:
The allusers@reseller organization groups, containing
all user accounts in each reseller organization
The allusers@hosting group, containing all user accounts in the
hosting organization
Membership in the allusers@hosting group includes only user
accounts within the hosting organization; this membership does not
include reseller or customer user accounts. The ACEs on this group
allow user accounts in the hosting organization to list and read
properties within the hosting organizational unit.
The following table represents an ACE that grants service provider administrator-level privileges to
members of the admins@hosting group. These privileges reduce the
likelihood of having to grant domain administrator privileges to
users who need to perform Active Directory functions for hosted
customers.
The _private container is a container for special containers and
groups required to implement Delegated Administration Console
functionality. It contains the following ACE:
Remove Authenticated Users
This ACE prevents all users from accessing the _private
container except those explicitly authorized to do so.