Implemented Active Directory groups

Microsoft Provisioning System creates a defined set of groups in Active Directory that govern permissions in a hosted environment. Membership in these groups gives users in hosting, reseller, and customer organizations the permissions they need to access specific organization information.

In order to access their own organizational unit, user accounts need access to their parent organization, which is the hosting organization for resellers, and the reseller organization for customers. The access granted must be limited, however, so that users can access their own organizational units, but cannot view other organizations with which they are not associated.

Active Directory uses access control entries (ACEs) in the discretionary access control list (DACL) to grant groups appropriate permissions to their own and parent organizations. In order to limit the number of ACEs in the DACL, a nested group structure (groups within a group) is used.

Many of these groups are associated with the roles used in Microsoft Provisioning System. The following table defines the set of groups used in the Active Directory design:

Role Group name Parent container
Service provider administrator Admins@hosting hosting
Service provider customer service representative (CSR) CSRADmins@hosting hosting
n/a AllUsers@hosting hosting/_private
n/a AllUsersGroup hosting/_private
No associated role AllResellerAdminsGroups hosting/_private
No associated role AllResellerCSRAdminsGroups hosting/_private
Reseller administrator Admins@reseller_organization hosting/<reseller organization>
Reseller customer service representative CSRAdmins@reseller_organization hosting/<reseller organization>
No associated role AllCustomers@reseller_organization hosting/<reseller organization>/_private
No associated role AllUsers@reseller_organization hosting/<reseller organization>/_private
Organization administrator Admins@customer_organization hosting/<reseller organization>/<customer organization>
Organization customer service representative (organization CSR) CSRAdmins@customer_organization hosting/<reseller organization>/<customer organization>
No associated role AllUsers@customer_organization hosting/<reseller organization>/<customer organization>/_private

Nested group membership

The following table describes the nesting structure of the groups used by Microsoft Provisioning System:

Group Members
AllUsersGroup AllUsers@hosting
AllResellerAdminsGroup Admins@reseller_organization
AllResellerCSRAdminsGroups CSRADmins@reseller_organization
AllCustomers@reseller organization AllCustomers@customer_organization