The plan you create for your deployment of Microsoft Provisioning System will be determined by the components you install. In general, security planning for the individual components involves the following:
Your security planning is somewhat simplified if you are using Delegated Administration Console. This is because the processes of installing and configuring Delegated Administration Console address the multiple levels of security implemented by all of Microsoft Provisioning System, including Microsoft Provisioning Framework (MPF) and the non-provider namespaces available in Microsoft Provisioning System. If you implement Delegated Administration Console by following the installation and configuration steps outlined in the Microsoft Provisioning System documentation, little if any alteration of the security features should be necessary.
If you do modify the default security settings, the most significant part of the planning process for implementing provisioning with Delegated Administration Console is determining which role priority numbers (RPNs) to assign to each group and how to tailor discretionary access control lists (DACLs) and access control entries (ACEs) for your individual resellers and customers.
For more information on how RPNs, DACLs, and ACEs are used to implement security, see Security in Delegated Administration Console and Active Directory and Delegated Administration Console. For information on managing security for Delegated Administration Console, see Optimizing security with the non-provider namespaces and Delegated Administration Console.
If you are not using Delegated Administration Console, but are implementing the non-provider namespaces available in Microsoft Provisioning System, security planning is still considerably simplified. These non-provider namespaces implement much of the configuration required to secure your deployment. The security considerations for implementing provisioning with these non-provider namespaces are similar to those that apply to implementing provisioning with Delegated Administration Console. That is, the primary security planning decisions involve determining how to assign role priority numbers (RPNs) and how to tailor DACLs and ACEs for resellers and customers.
For information on managing security for the non-provider namespaces available in Microsoft Provisioning System, see Optimizing security with the non-provider namespaces and Delegated Administration Console.
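The DACL tailoring mentioned above for Delegated Administration Console and for the non-provider namespaces comes down to placing explicit ACEs for a reseller's administrative group on that reseller's own Active Directory container and nothing else. The following is an added example, not part of the Microsoft Provisioning System documentation, written with today's ActiveDirectory PowerShell module and its AD: drive rather than the tools of the original release. The OU path, group names, and domain are hypothetical; the two GUIDs are the well-known schema GUID of the user class and the Reset Password control access right. RPN assignment is not modeled here because this page does not describe how RPNs are evaluated.

```powershell
# Added example (not MPS documentation code): give one reseller's admin group
# least-privilege rights over its own OU and check for cross-reseller ACEs.
# Requires the ActiveDirectory module; container and group names are hypothetical.
Import-Module ActiveDirectory

$resellerOU  = "OU=Fabrikam,OU=Resellers,DC=hosting,DC=example"   # hypothetical
$resellerGrp = "Fabrikam Admins"                                  # hypothetical
$otherGrp    = "Contoso Admins"                                   # hypothetical, another reseller

$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"    # schemaIDGUID of class "user"
$resetPwdGuid  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"    # "Reset Password" extended right

$sid = (Get-ADGroup -Identity $resellerGrp).SID
$acl = Get-Acl -Path "AD:\$resellerOU"

# ACE 1: create and delete user objects in this OU and any child OUs.
# The objectType GUID restricts CreateChild/DeleteChild to the user class only.
$aceCreateDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: reset passwords, but only on user objects below this OU
# (inheritedObjectType scopes the extended right to descendant users).
$aceResetPwd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($aceCreateDelete)
$acl.AddAccessRule($aceResetPwd)
Set-Acl -Path "AD:\$resellerOU" -AclObject $acl

# Check: the reseller OU must not carry an ACE naming any other reseller's group.
# Inherited ACEs from parent containers are included, which is the point of the check.
$leak = (Get-Acl -Path "AD:\$resellerOU").Access |
    Where-Object { $_.IdentityReference -like "*\$otherGrp" }
if ($leak) {
    Write-Warning "Cross-reseller ACE found on $resellerOU"
    $leak | Format-List IdentityReference, ActiveDirectoryRights, IsInherited
}
```

Run the check against every reseller OU after any change to the parent Resellers container, since an ACE placed there is inherited by all resellers unless inheritance is blocked.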
If you are implementing MPF, but not using Delegated Administration Console or the non-provider namespaces available in Microsoft Provisioning System, your security planning must address the configuration of multiple aspects of security. This includes setting up impersonation and delegation, ensuring the privacy of each account, securing data services, and implementing secure authorization. MPF provides extensive support for meeting security requirements in each of these areas. However, it requires the individual configuration of the provisioning servers, namespaces, and credentials that are to be implemented.
For more information on how security is implemented in MPF, see Security in Microsoft Provisioning Framework. For more information on managing security for MPF, see Building on the security capabilities of Microsoft Provisioning Framework.
Regardless of which components of Microsoft Provisioning System you install, creating the security plan is the first step in planning a secure deployment. Beyond this, security also requires the successful testing and monitoring of the deployment.
For more information on creating a security plan, see Creating plans. For more information on security testing considerations in Microsoft Provisioning System, see Testing security. For more information on monitoring security, see Monitoring security.