Microsoft Provisioning System creates a defined set of groups in Active Directory that govern permissions in a hosted environment. Membership in these groups gives users in hosting, reseller, and customer organizations the permissions they need to access specific organization information.
In order to access their own organizational unit, user accounts need access to their parent organization, which is the hosting organization for resellers, and the reseller organization for customers. The access granted must be limited, however, so that users can access their own organizational units, but cannot view other organizations with which they are not associated.
Active Directory uses access control entries (ACEs) in the discretionary access control list (DACL) to grant groups appropriate permissions to their own and parent organizations. In order to limit the number of ACEs in the DACL, a nested group structure (groups within a group) is used.
Many of these groups are associated with the roles used in Microsoft Provisioning System. The following table defines the set of groups used in the Active Directory design:
Role | Group name | Parent container |
---|---|---|
Service provider administrator | Admins@hosting | hosting |
Service provider customer service representative (CSR) | CSRAdmins@hosting | hosting |
No associated role | AllUsers@hosting | hosting/_private |
No associated role | AllUsersGroup | hosting/_private |
No associated role | AllResellerAdminsGroups | hosting/_private |
No associated role | AllResellerCSRAdminsGroups | hosting/_private |
Reseller administrator | Admins@reseller_organization | hosting/<reseller organization> |
Reseller customer service representative | CSRAdmins@reseller_organization | hosting/<reseller organization> |
No associated role | AllCustomers@reseller_organization | hosting/<reseller organization>/_private |
No associated role | AllUsers@reseller_organization | hosting/<reseller organization>/_private |
Organization administrator | Admins@customer_organization | hosting/<reseller organization>/<customer organization> |
Organization customer service representative (organization CSR) | CSRAdmins@customer_organization | hosting/<reseller organization>/<customer organization> |
No associated role | AllUsers@customer_organization | hosting/<reseller organization>/<customer organization>/_private |
The following table describes the nesting structure of the groups used by Microsoft Provisioning System:
Group | Members |
---|---|
AllUsersGroup | AllUsers@hosting, AllUsers@reseller_organization |
AllResellerAdminsGroup | Admins@reseller_organization |
AllResellerCSRAdminsGroups | CSRAdmins@reseller_organization |
AllCustomers@reseller_organization | AllCustomers@customer_organization |
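The two tables above describe the groups and their nesting but not the ACEs that bind them to the organizational units. The following model, added here as an illustration and not part of Microsoft Provisioning System or this page, shows why the design works: a principal's effective groups are resolved through the nesting, an ACE on the parent OU is applied to that object only (no inheritance), and an ACE on the organization's own OU inherits down its subtree. The OU paths follow the "Parent container" column; the user names, the two customer organizations `customer_a` and `customer_b`, the single generic "read" right, the inheritance flags, and the nesting of each customer's `AllUsers` group into `AllCustomers@reseller_organization` are all constructed assumptions.

```python
"""Model of nested-group membership and scoped ACEs for a hosting /
reseller / customer OU tree. Constructed example: rights, inheritance flags,
user names and the customer-level nesting are assumptions, not page values."""
from collections import namedtuple

# One access control entry: the OU it sits on, the group it names, and whether
# it is inheritable by child objects. Only a single generic "read" right is
# modelled (assumption).
Ace = namedtuple("Ace", "ou group inherit")

# Constructed OU tree, using the path style of the page's 'Parent container' column.
HOSTING = "hosting"
RESELLER = "hosting/reseller_organization"
CUSTOMER_A = "hosting/reseller_organization/customer_a"
CUSTOMER_B = "hosting/reseller_organization/customer_b"
ALL_OUS = [HOSTING, RESELLER, CUSTOMER_A, CUSTOMER_B]

# Direct members of each group; a member that is itself a key is a nested group.
# AllUsersGroup follows the page's nesting table; the AllCustomers@reseller
# nesting and the individual users are constructed.
MEMBERS = {
    "AllUsersGroup": {"AllUsers@hosting", "AllUsers@reseller_organization"},
    "AllCustomers@reseller_organization": {"AllUsers@customer_a", "AllUsers@customer_b"},
    "AllUsers@hosting": {"hostadmin"},
    "AllUsers@reseller_organization": {"bob"},
    "AllUsers@customer_a": {"alice"},
    "AllUsers@customer_b": {"carol"},
}

# Constructed DACL. inherit=False on the parent OU is what lets a child
# organization reach its parent without seeing sibling organizations.
DACL = [
    Ace(HOSTING, "AllUsersGroup", inherit=False),
    Ace(RESELLER, "AllUsers@reseller_organization", inherit=True),
    Ace(RESELLER, "AllCustomers@reseller_organization", inherit=False),
    Ace(CUSTOMER_A, "AllUsers@customer_a", inherit=True),
    Ace(CUSTOMER_B, "AllUsers@customer_b", inherit=True),
]


def effective_groups(principal, members=MEMBERS):
    """Every group the principal belongs to, directly or through nesting."""
    result = set()
    stack = [g for g, m in members.items() if principal in m]
    while stack:
        group = stack.pop()
        if group in result:
            continue
        result.add(group)
        # Any group that lists this group as a member also contains the principal.
        stack.extend(parent for parent, m in members.items() if group in m)
    return result


def can_read(principal, ou, dacl=DACL, members=MEMBERS):
    """True if an ACE on the OU itself, or an inheritable ACE on one of its
    ancestors, names one of the principal's effective groups."""
    groups = effective_groups(principal, members)
    for ace in dacl:
        if ace.group not in groups:
            continue
        if ace.ou == ou:
            return True
        if ace.inherit and ou.startswith(ace.ou + "/"):
            return True
    return False


def visible_ous(principal, ous=ALL_OUS, dacl=DACL, members=MEMBERS):
    """Sorted list of the OUs the principal can read; useful as an audit view."""
    return sorted(ou for ou in ous if can_read(principal, ou, dacl, members))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "hostadmin"):
        print(user, "->", visible_ous(user))
```

Running the script lists, per user, exactly the OUs that user can read: a customer user sees its own OU and the reseller OU object, never the hosting OU or a sibling customer, while a reseller user additionally reaches the hosting OU through `AllUsersGroup`. Note that the hosting OU carries a single ACE for `AllUsersGroup` rather than one ACE per reseller, which is the ACE-count reduction the nesting is meant to provide.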