Access control entries for reseller organizations

The access control entries (ACEs) on each reseller organization control the type of access to that organization that each of its groups is granted. ACEs on the reseller groups let them reach their parent object, the hosting organization, but only as far as their own reseller organization. The permissions these ACEs specify prevent user accounts in each reseller group from seeing organizational units outside their own.

This topic explains the ACEs on the following objects in each reseller organization:

The reseller organizational unit
The allusers@reseller group
The allcustomers@reseller group
The admins@reseller group
The csradmins@reseller group
The _private container

Reading ACE for the reseller organizational unit

The following change is made to the discretionary access control list (DACL) of each reseller organizational unit:

Remove Authenticated Users

Removing the default entry for Authenticated Users means that no user can read the contents of the reseller organizational unit unless explicitly granted that right. This prevents a reseller's customers from viewing organizational units other than their own. Only explicit entries on the organizational unit are removed; an entry for Authenticated Users inherited from a parent object would still apply, so the parent must not grant that access with inheritance either.

ACEs for the allusers@reseller group

The ACEs for the allusers@reseller group grant List Object permission on the reseller organizational unit.

The following table describes an ACE on the reseller organizational unit that grants the allusers@reseller group List Object permission on that object only. Granting List Object on the organizational unit itself, rather than List Contents, lets members see the reseller organizational unit without that ACE alone allowing them to enumerate the customer organizational units beneath it, so user accounts within a particular customer organization cannot use it to view other customer organizational units within the reseller organization. List Object permissions are enforced only when the forest runs in List Object mode, that is, when the third character of the dSHeuristics attribute on the Directory Service object in the configuration partition is set to 1.

Allowed or Denied   To                        Permission   Apply To
Allow               allusers@reseller group   Special      This object only

Special permission   ADSI right
List Object          ADS_RIGHT_DS_LIST_OBJECT

The following table explains ACEs for the allusers@reseller group that apply to the object and all of its child objects. These permissions grant List Contents and Read permissions to end users.

Allowed or Denied   To                  Permission   Apply To
Allow               allusers@reseller   Special      This object and all child objects

Special permission    ADSI right
List contents         ADS_RIGHT_ACTRL_DS_LIST
Read all properties   ADS_RIGHT_DS_READ_PROP
Read permissions      ADS_RIGHT_READ_CONTROL

ACEs for the allcustomers@reseller group

The following table represents an ACE that sets List Object permission on the reseller organizational unit. This ACE grants the allcustomers@reseller group List Object permission on the reseller organizational unit only, without List Contents, so users within a particular customer organization can see the reseller organizational unit but cannot enumerate customer organizational units other than their own.

Allowed or Denied   To                            Permission   Apply To
Allow               allcustomers@reseller group   Special      This object only

Special permission   ADSI right
List Object          ADS_RIGHT_DS_LIST_OBJECT

ACEs for the admins@reseller group

The following table describes an ACE that grants privileges on the level of a reseller administrator to members of the admins@reseller group. These privileges allow reseller administrators to write properties, modify permissions, and create and delete objects within the reseller organizational unit.

Allowed or Denied   To                Permission   Apply To
Allow               admins@reseller   Special      This object and all child objects

Special permission         ADSI right
Write all properties       ADS_RIGHT_DS_WRITE_PROP
Modify permissions         ADS_RIGHT_WRITE_DAC
All validated writes       ADS_RIGHT_DS_SELF
All extended rights        ADS_RIGHT_DS_CONTROL_ACCESS
Create all child objects   ADS_RIGHT_DS_CREATE_CHILD
Delete all child objects   ADS_RIGHT_DS_DELETE_CHILD

ACEs for the csradmins@reseller group

The following table describes the ACE that grants members of the csradmins@reseller group privileges on the level of a customer service representative within the reseller organization. Unlike admins@reseller, this group is not granted Delete all child objects, so customer service representatives can write properties, modify permissions, and create objects but cannot delete them.

Allowed or Denied   To                   Permission   Apply To
Allow               csradmins@reseller   Special      This object and all child objects

Special permission         ADSI right
Write all properties       ADS_RIGHT_DS_WRITE_PROP
Modify permissions         ADS_RIGHT_WRITE_DAC
All validated writes       ADS_RIGHT_DS_SELF
All extended rights        ADS_RIGHT_DS_CONTROL_ACCESS
Create all child objects   ADS_RIGHT_DS_CREATE_CHILD

ACEs for the _private container

The _private container holds the special containers and groups required to implement Delegated Administration Console functionality. The following change is made to its DACL:

Remove Authenticated Users

Removing the default entry for Authenticated Users prevents all users from accessing the _private container except those explicitly authorized to do so.
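The following script is an added example for this topic; it is not part of the original documentation or of the product's own provisioning scripts. It applies the object-level ACEs described above (removing the Authenticated Users entry from the reseller organizational unit and the _private container, and granting the allusers@reseller, allcustomers@reseller, admins@reseller, and csradmins@reseller entries on the reseller organizational unit) with the ActiveDirectory module and System.DirectoryServices, then checks that the forest is in List Object mode and that no Allow entry for Authenticated Users remains. The distinguished names and group names are hypothetical placeholders, and the caller is assumed to hold Modify permissions (WRITE_DAC) on the target objects.

```powershell
# Added example for this topic; not part of the original documentation or the product's
# own provisioning scripts. Applies and checks the ACEs described above.
# Assumptions (hypothetical names): the distinguished names and group sAMAccountNames
# below, and that the caller holds Modify permissions (WRITE_DAC) on the target objects.
Import-Module ActiveDirectory

$ResellerOu = 'OU=Reseller1,OU=Hosting,DC=example,DC=com'   # assumed reseller OU
$PrivateCn  = "CN=_private,$ResellerOu"                     # assumed _private container
$AuthUsers  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

# "Remove Authenticated Users": purge every explicit ACE for Authenticated Users from the
# object's DACL so only principals named in the remaining ACEs can read it. Inherited
# entries cannot be purged here; they have to be removed on the parent object.
function Remove-AuthenticatedUsersAce {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.PurgeAccessRules($AuthUsers)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Grant one group an Allow ACE on an object. Inheritance 'None' is the GUI's
# "This object only"; 'All' is "This object and all child objects".
function Add-ResellerAce {
    param(
        [string]$Dn,
        [string]$GroupName,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    )
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $Inheritance
    $acl  = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Rights from the tables above, expressed as ActiveDirectoryRights flags.
$ListObjectOnly = [System.DirectoryServices.ActiveDirectoryRights]::ListObject
$ResellerAdmin  = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Self, ExtendedRight, CreateChild, DeleteChild'
$CsrAdmin       = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Self, ExtendedRight, CreateChild'

Remove-AuthenticatedUsersAce -Dn $ResellerOu
Remove-AuthenticatedUsersAce -Dn $PrivateCn
Add-ResellerAce -Dn $ResellerOu -GroupName 'allusers@reseller1'     -Rights $ListObjectOnly -Inheritance None
Add-ResellerAce -Dn $ResellerOu -GroupName 'allcustomers@reseller1' -Rights $ListObjectOnly -Inheritance None
Add-ResellerAce -Dn $ResellerOu -GroupName 'admins@reseller1'       -Rights $ResellerAdmin  -Inheritance All
Add-ResellerAce -Dn $ResellerOu -GroupName 'csradmins@reseller1'    -Rights $CsrAdmin       -Inheritance All

# List Object is honoured only when the forest is in List Object mode, i.e. the third
# character of dSHeuristics on the Directory Service object is '1'. Without it the
# List Object ACEs above have no effect.
function Test-ListObjectMode {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties dSHeuristics
    $h   = [string]$ds.dSHeuristics
    return ($h.Length -ge 3 -and $h[2] -eq '1')
}

# Report any Allow ACE, explicit or inherited, that still names Authenticated Users.
function Get-AuthenticatedUsersAccess {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $AuthUsers -and $_.AccessControlType -eq 'Allow' } |
        Select-Object ActiveDirectoryRights, InheritanceType, IsInherited
}

if (-not (Test-ListObjectMode)) {
    Write-Warning 'Forest is not in List Object mode; the List Object ACEs are not enforced.'
}
foreach ($dn in $ResellerOu, $PrivateCn) {
    $left = @(Get-AuthenticatedUsersAccess -Dn $dn)
    if ($left.Count -gt 0) {
        Write-Warning "Authenticated Users still has Allow access on $dn"
        $left | Format-Table
    }
}
```

The second check matters because PurgeAccessRules only touches explicit entries: if the hosting organizational unit above grants Authenticated Users read access with inheritance, the inherited entry will still show up here with IsInherited set to True, and the restriction described in this topic is not in effect until that parent entry is removed or inheritance is blocked.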