
Document: Module 10: Administering MMS (docx)


DOCUMENT INFORMATION

Basic information

Title: Module 10: Administering MMS
Subject: Metadirectory Data Administration
Category: Training module
Year published: 2000
Format:
Pages: 24
Size: 849.33 KB


Contents

Overview 1
Introduction to Administering Metadirectory Data 2
Overview of Administrative Areas 3
Access Control Settings for Administrative

to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, BackOffice, MS-DOS, Windows, Windows NT, <plus other appropriate product names or titles. Replace this example list with the list of trademarks provided by the copy editor. Microsoft is listed first, followed by all other Microsoft trademarks in alphabetical order.> are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

<This is where mention of specific, contractually obligated, third-party trademarks is added by the Copy Editor.>

The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.

Other product and company names mentioned herein may be the trademarks of their respective owners.

# Overview

- Introduction to Administering Metadirectory Data
- Overview of Administrative Areas
- Access Control Settings for Administrative Areas
- Overriding the Administrative Area Security Policy
- Collective Attributes
- Best Practices

Administration of the metaverse namespace is typically performed through the authoritative connected directories. There are two administrative tasks that you perform in the metadirectory itself: securing the metadirectory, and assigning collective attributes to the data. Both of these are accomplished by working with administrative areas. Administrative areas define a section of the metaverse namespace to which you can assign permissions and apply collective attributes. This allows you to manage MMS in larger, more efficient blocks of data.

At the end of this module, you will be able to:

- Identify the tasks required to administer metadirectory data
- Describe administrative areas, administrative points, and subentries
- Set access control settings for administrative areas
- Override access control settings for objects and attributes
- Describe and define collective attributes for administrative areas
- Identify best practices for administering the metadirectory


# Introduction to Administering Metadirectory Data

- Administering Metadirectory Data Includes Assigning Permissions and Collective Attributes
- Administrative Areas Define the Scope of Administration in the Metaverse Namespace
- Security and Collective Attributes Subentries are Used to Define the Administration of the Administrative Area
- Security Can Be Applied on the Administrative Area, or on Individual Directory Entries
- Collective Attributes Can Only Be Applied on the Administrative Area

You can collectively administer metaverse data by using administrative areas.

An administrative area defines a section of the directory tree that can be administered in a similar way. Administrative areas control both the permissions applied to an object and the shared attributes that are common to all objects in the administrative area.

After you define an administrative area, you can set access control settings for the specific area that define what permissions users have to the data. These settings then become the security policy for the administrative area. You can also set permissions on specific directory entries that are different from the default security policy.

Administrative areas also define the collective attributes that are shared by all objects in the area. Use collective attributes for attribute values that are the same for all objects in the area. Collective attributes are also used to manage administrative attributes, such as the attributes displayed on the entry's properties sheet. Collective attributes simplify MMS administration by offering a single point of entry for common organizational data, such as a mailing address or fax number. Since collective attributes are read-only at the entry level, they are also used to enforce consistency for data that cannot change across the area.

Lead-in: You will use administrative areas to assign access permissions to a specific section in the metadirectory.

# Overview of Administrative Areas

(Slide diagram: Administrative Point, Administrative Subentries, Administrative Area Scope.)

An administrative area is a contiguous portion of the directory tree where a specific type of administrative authority is in control. This administrative authority can either be the permission to modify the access control settings for the administrative area, or the permission to define collective attributes for the directory entries within that area. The administrative area defines the scope of the authority exercised.

There are three key elements to understanding administrative areas:

- Administrative points. An administrative area begins immediately below an object that is defined as an administrative point. The administrative point represents the scope of the authority, extending down the directory tree until another administrative point exists, or until MMS reaches the end of the subtree.
- Administrative subentries. An administrative subentry identifies what kind of administration is exercised at the administrative point. The subentry can determine either security or collective data for the administrative area. For the administrative area to be effective, you must create an administrative subentry immediately below it.
- Administrative area scope. The scope of an administrative area is determined by the hierarchical position of the administrative point with which it is associated. An administrative area controls every object in the tree below the administrative point, until another administrative point, or the end of the tree, is reached.

Delivery tip: Be sure to explain what an administrative area is on this page.


What Are Administrative Points?

- Administrative Points Define the Starting Point of the Administrative Area
- There are Three Default Administrative Points:
  - The Known Universe
  - Top of the Naming Context
  - Top of the Connector Namespace
- Any Container Object in the Directory Tree Can be Configured as an Administrative Point
- Use the Entry Administration Dialog Box to Configure a Container Object as an Administrative Point

Administrative points are directory entries that represent the point in the metaverse namespace where an administrative area begins. These directory entries enable you to define access control settings and collective attributes for specific sections of the directory tree. You can create an administrative point by changing the Directory Specific Entry (dseType) attribute of an existing container object. By creating administrative points throughout the directory tree, you can map the administrative areas to your organizational structure.

When the default metadirectory database is initialized, three administrative points are created. These are the default administrative areas for the metaverse namespace:

- The root (also called The Known Universe)
- The beginning of the naming context (for example, dc=Contoso)
- The beginning of the connector namespace (for example, MetaServer)

For each of these default administrative points, there are administrative subentries that enable you to define permissions and collective attributes for the administrative area.

You can create additional administrative points in the directory tree to apply administrative authority specifically to that administrative area. For example, you can create an administrative point at the organization level, whereby all of the directory entries under that point are to be administered differently than entries outside of the administrative area.

To create an additional administrative point in the metadirectory, either create a new directory entry in the tree, or select an existing entry that represents the starting point for the new administrative area. Use the Entry Administration dialog box to set the dseType to Admin Point.

Delivery tip: To illustrate administrative points, open the Administration dialog box and point out the Admin Point check box.


What Are Administrative Subentries?

- Administrative Subentries are Created to Contain the Settings for the Administrative Authority
- There are Two Types of Administrative Subentry:
  - Access Control Subentries
  - Collective Attributes Subentries
- Each Administrative Point can have One or More Administrative Subentries

Administrative subentries are MMS directory entries that define administrative information for the entire administrative area with which they are associated. Administrative subentries are used to define either the security policy or the collective attributes for the administrative area. Administrative subentries are located in the directory tree directly beneath the administrative point that they control. You can create multiple administrative subentries for an administrative point.

MMS creates several default administrative subentries when the directory is initialized. These areas form the default administrative boundaries for the metaverse namespace. The following table identifies the default administrative subentries.

| Administrative Area | Administrative Subentry |
| --- | --- |
| Root (The Known Universe) | Root Collectives, Root Security |
| Naming Context (Context Prefix) | Context Security, Context Shared Data |
| Connector Namespace (Application Name) | Connector Space Collectives, Connector Space Security |

You can create one or more administrative subentries for each administrative point in the metadirectory tree. Each administrative subentry is either an access control subentry or a collective attribute subentry. It is not necessary to use both types of subentries for every administrative point in the directory.

Key point: Administrative subentries are located in the directory tree directly beneath the administrative point that they control.


To create an administrative subentry, perform the following steps:

1. Select the administrative point for which you are administering authority and insert a new object. To insert a new directory entry object, first select the container object under which the object will be located. Right-click the container object and click Insert.
2. On the Administrative tab, choose either Access Control Subentry or Collective Attribute Subentry.
3. Give the subentry a name that clearly denotes the role of the object. For example, if you are creating an access control subentry for an organizational unit named Sales, name the administrative subentry Sales Security. The subentry can now be easily identified when viewing the directory tree.
4. Configure the access control settings for the administrative area.

Administrative Area Scope

(Slide diagram: a directory tree rooted at vancouverdom, with Applications and Metaverse containers and organizational units Claims, Executives, Investigations, Marketing, Money Dept and Sales. The Context Admin Area has the Context Security and Context Shared Data administrative subentries; the Executives container is an admin point whose Executives Admin Area has the Executives Collectives and Executives Security subentries above user entries such as Allianora Chhetri, Allie Rzepczynski, Alli Snelgrove and Alysa Eaton.)

The starting point of an administrative area is defined by the position of the administrative point in the directory tree. Administrative points can be some point in the tree that marks the start of some organizational structure, such as the container object for an organizational unit. You can also create additional administrative points throughout the tree by creating additional directory objects.

The access control permissions you define in a subentry apply to all entries below its administrative point until the next administrative point is reached, or until you reach the bottom of the directory tree. Previous settings that were inherited from a higher subentry are replaced by the permissions you define in the subentry.

# Access Control Settings for Administrative Areas

- Defining User Classes For Assigning Permissions
- Using MMS Built-in Security Roles
- Setting Read and Modify Permissions
- Differentiating Between Granting and Denying Access

Access control settings in MMS can be applied to a directory entry object, or to an administrative area. Regardless of where you apply access control settings, the types of permission you can assign are the same. The two categories of access control permissions are read and modify.

MMS defines three user classes for the purpose of assigning permissions. These user classes enable you to efficiently configure access control settings by assigning permissions to the user class, rather than adding individual users to the access control list.

There are also three built-in security roles in MMS that have default permissions to the metadirectory. There are three directory entries created for these roles by default, and you can also add specific individuals to these roles. These individuals then possess the same access control permissions as the default security roles.

Access control settings can either be inclusive or exclusive. When setting the access control permissions for an object, you can choose to either grant or deny permissions to users, or classes of users.

Defining User Classes for Assigning Permissions

(Slide example of an Access Control Subentry:)

Self = Read + Modify
Superior = Read
Specific (*=*,ou=Entertainment,dc=contoso,dc=com) = Read

There are three classes of users for whom you can specify access control. You can use these classes, as well as specific users, when assigning permissions to metaverse data. The following user classes are available when assigning permission in MMS:

- Anyone. This class includes anyone who can access the directory, including anonymous logons and Web browser users.
- Self. This class includes only the person (or other entity) represented by this directory entry object.
- Superior. This class includes any directory object entry that is higher in the directory tree than this particular entry, but within its security administrative area.

When assigning permissions, you can also select the Specific option, and then add individual users, or lists, to the permissions list. Specific does not specify a class of user, but rather indicates an individual directory entry object. This object can represent a user, or a group of users, such as a list or organizational unit.

For individual or group entries, click the Select button, then drag and drop their icons from the directory tree onto the Permissions granted to list. You can include all child objects of a container object, such as an organizational unit, by using the asterisk (*) wildcard character. For example, to include all entries under the Sales organizational unit, type *=*,ou=Sales,dc=contoso,dc=com in the Specific text field.

Because you can specify different permissions for specific individuals or classes of users, the most specific entry, or the best match, on the Permissions granted to list is what is applied.
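The scope rule (an area begins below its admin point, and a lower subentry replaces inherited settings) and the best-match rule for the Anyone, Self, Superior and Specific classes, as an added Python model that is not part of the training module. It assumes a constructed tree under dc=contoso,dc=com with ou=Sales as a second admin point, and an assumed specificity order (exact Specific DN, then Self, then wildcard Specific, then Superior, then Anyone), since the module does not define one.

```python
"""Model of MMS administrative-area scope and best-match permission lookup."""
from collections import namedtuple

# subject: "Anyone", "Self", "Superior", a Specific DN, or a "*=*,<base>" pattern
Rule = namedtuple("Rule", "subject action perms")  # action: "grant" | "deny"

def parent(dn: str) -> str:
    """DN one level up; '' stands for the root (the Known Universe)."""
    return dn.partition(",")[2]

def is_descendant(dn: str, base: str) -> bool:
    """True if dn lies strictly below base ('' is above everything)."""
    return dn != base and (base == "" or dn.endswith("," + base))

# Constructed sample subentries keyed by admin point; ou=Sales is an added admin point.
ACCESS_CONTROL = {
    "dc=contoso,dc=com": [
        Rule("Self", "grant", frozenset({"read", "modify"})),
        Rule("Superior", "grant", frozenset({"read"})),
        Rule("Anyone", "grant", frozenset()),
    ],
    "ou=Sales,dc=contoso,dc=com": [
        Rule("*=*,ou=Sales,dc=contoso,dc=com", "grant", frozenset({"read"})),
        Rule("cn=Temp,ou=Sales,dc=contoso,dc=com", "deny", frozenset({"read", "modify"})),
        Rule("Self", "grant", frozenset({"read", "modify"})),
    ],
}

def governing_admin_point(target: str) -> str:
    """Nearest admin point strictly above target; its area begins below it."""
    dn = parent(target)
    while dn and dn not in ACCESS_CONTROL:
        dn = parent(dn)
    return dn

def match_rank(rule: Rule, subject: str, target: str, area: str):
    """Specificity of a matching rule, or None. Assumed order, most specific
    first: exact DN > Self > wildcard (deeper base wins) > Superior > Anyone."""
    s = rule.subject
    if s == "Anyone":
        return (0, 0)
    if s == "Superior":  # an ancestor of target that itself sits inside the area
        ok = is_descendant(target, subject) and is_descendant(subject, area)
        return (1, 0) if ok else None
    if s.startswith("*=*,"):
        return (2, s.count(",")) if is_descendant(subject, s[4:]) else None
    if s == "Self":
        return (3, 0) if subject == target else None
    return (4, 0) if subject == s else None

def effective_permissions(subject: str, target: str) -> frozenset:
    """Only the governing area's subentry is consulted (a lower subentry replaces
    inherited settings); the best-matching rule decides; a deny match gives nothing."""
    area = governing_admin_point(target)
    matches = [(rank, r) for r in ACCESS_CONTROL.get(area, [])
               if (rank := match_rank(r, subject, target, area)) is not None]
    if not matches:
        return frozenset()
    best = max(matches, key=lambda m: m[0])[1]
    return best.perms if best.action == "grant" else frozenset()
```

Note that the ou=Sales entry itself gets nothing on entries beneath it: the admin point lies outside its own area, so neither Superior nor the wildcard pattern matches it.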


Using Built-in MMS Security Roles

Security Officer: Has access to the Access Control action and security subentries at the Root, Context, and Connector Namespace administrative points. Read and modify permission throughout most of the directory for security administration.

There are three role-related directory entries, all of which are located immediately under the server entry in the directory tree. Each of these entries has access to a different portion of the directory that corresponds to the responsibilities of the role.

Each of these role-related directory entries also has unique permissions to the directory:

- Administrator. This directory entry object has permission to read or modify any object in the directory, except those objects to which it is specifically denied access. When you install MMS, Administrator is the only directory entry that has a password, and it is the identity by which you must first log on.
- Operator. This directory entry object is granted access to parts of the directory that are related to its ongoing operation. The Operator can see and execute the management agent Configure and Operate actions, but not the Design action. You must assign a password to this entry to log on as Operator.
- Security Officer. This directory entry object can see and modify those parts of the directory that are related to administering access control settings. These directory parts include the Access Control action and the security subentries at the Root, Context, and Connector Namespace administrative points. The Security Officer role also has read and modify permission throughout most of the directory for general security administration. Like the Operator, this entry cannot be used until a password is assigned.


Posted: 18/01/2014, 05:20
