Delegated Administration Console and the non-provider namespaces available with Microsoft Provisioning System build upon Active Directory security features to ensure that users and groups cannot access or view files and objects of other users and groups.
The following features implement this security:
Users of Delegated Administration Console can access and use its features according to the role assigned to the user account with which they log on. A role is an Active Directory security group that is associated with a specific set of permissions. Microsoft Provisioning System specifies these permissions by setting Active Directory ACEs on individual objects in the directory. Active Directory ACEs determine the features that a user account can access and use.
For more information on group membership and the ACEs that Microsoft Provisioning System implements in Active Directory to control group permissions on organizations and other objects in a hosted environment, see Implemented Active Directory groups and Implemented access control entries.
In addition to its Active Directory permissions, each role is also associated with a specific number, called a role priority number (RPN). RPNs control which features user accounts can view within Delegated Administration Console. RPNs ensure that user accounts can view only those features that they have permissions to use.
When you add a user account to a group, the user account is assigned an RPN based on membership in this group. Each user interface control in Delegated Administration Console is configured with information about the RPNs that are allowed to view the control. Only user accounts that have the appropriate RPN can view the control. Otherwise, the control is hidden from view.
For more information on role priority numbers and how they are implemented, see Understanding roles and privileges.
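The following is an added illustration, not code from Microsoft Provisioning System, of the two layers the text describes: ACEs on directory objects decide whether an operation is permitted, and RPNs obtained through group membership decide whether a console control is displayed. The group names, RPN values, control names and the simplified deny-over-allow ACE evaluation are assumptions made for the example.

```python
"""Toy model of role-based visibility (RPN) and access control (ACE).
Constructed example: group names, RPN values and ACE layout are assumed."""
from dataclasses import dataclass, field

# Constructed: each role is an AD security group that maps to one RPN.
ROLE_RPN = {"HostingAdmins": 1, "ResellerAdmins": 2, "OrgAdmins": 3}

@dataclass(frozen=True)
class Ace:
    group: str   # trustee: the security group the ACE applies to
    obj: str     # directory object the ACE is set on
    right: str   # operation the ACE grants or denies, e.g. "create-user"
    allow: bool  # True for an allow ACE, False for a deny ACE

@dataclass
class User:
    name: str
    groups: set[str] = field(default_factory=set)

    def rpns(self) -> set[int]:
        """RPNs this account holds through its group memberships."""
        return {ROLE_RPN[g] for g in self.groups if g in ROLE_RPN}

# Constructed console controls: each lists the RPNs allowed to view it.
CONTROLS = {
    "CreateOrganization": {1, 2},
    "CreateUser": {1, 2, 3},
}

def visible_controls(user: User) -> set[str]:
    """RPN layer: controls the console renders for this account."""
    held = user.rpns()
    return {name for name, allowed in CONTROLS.items() if held & allowed}

def is_allowed(user: User, obj: str, right: str, aces: list[Ace]) -> bool:
    """ACE layer: a matching deny ACE wins; no matching ACE means no access.
    Simplified from real DACL ordering rules (assumption)."""
    matching = [a for a in aces
                if a.group in user.groups and a.obj == obj and a.right == right]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)

def can_use(user: User, control: str, obj: str, right: str, aces: list[Ace]) -> bool:
    """A feature is usable only when both layers agree: hiding a control is
    presentation, the ACE on the object is the enforced check."""
    return control in visible_controls(user) and is_allowed(user, obj, right, aces)

# Constructed sample ACEs on two organization OUs.
ACES = [
    Ace("OrgAdmins", "OU=Contoso", "create-user", True),
    Ace("ResellerAdmins", "OU=Contoso", "create-organization", True),
    Ace("OrgAdmins", "OU=Fabrikam", "create-user", False),
]
```

Running `can_use` for an OrgAdmins member shows the CreateUser control visible and permitted on OU=Contoso, denied on OU=Fabrikam, and CreateOrganization hidden because RPN 3 is not in its allowed set.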