Configuring roles and permissions

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

To simplify granting permissions to users, Forefront TMG provides administrative roles for enterprise and array administrators. A role defines a collection of rights, which authorize users and groups to perform specific actions. When you assign a role to a user or group, Forefront TMG configures the corresponding objects to grant that user or group the permissions needed to perform the actions allowed by the role. For more information about Forefront TMG administrative roles, see About Forefront TMG roles and permissions.

The following procedures describe how to assign administrative roles for enterprise administrators and array administrators.

To assign administrative roles for enterprise administrators

  1. In the Forefront TMG Management console, in the tree, click the Enterprise node.

  2. On the Tasks tab, click Assign Administrative Roles.

  3. On the Assign Roles tab, click the upper Add button. Then, do the following:

    1. In Group or User, enter the name of the group or user that will be allowed to access information stored in the local instance of Active Directory Lightweight Directory Services (AD LDS), and monitor arrays in the domain.

    2. In Role, select one of the following:

    • Forefront TMG Enterprise Administrator—Authorizes the specified group or user to perform all administrative tasks in the enterprise and arrays in the domain.

    • Forefront TMG Enterprise Auditor—Authorizes the specified group or user to perform monitoring tasks, and to view enterprise and array configuration.

  4. When you have finished, click OK.

  5. In the details pane, click the Apply button, and then click OK.

To assign administrative roles for array administrators

  1. In the Forefront TMG Management console, in the tree, click the Forefront TMG node.

  2. On the Tasks tab, click Assign Administrative Roles.

  3. On the Assign Roles tab, click the upper Add button. Then, do the following:

    1. In Group or User, enter the name of the group or user that will be allowed to access information stored in the local instance of AD LDS.

    2. In Role, select one of the following:

    • Forefront TMG Array Administrator—Authorizes the specified group or user to perform all administrative tasks in the array.

    • Forefront TMG Array Auditor—Authorizes the specified group or user to perform all monitoring tasks, and to view the array configuration.

    • Forefront TMG Array Monitoring Auditor—Authorizes the specified group or user to perform specific monitoring tasks.

  4. When you are finished, click OK.

  5. In the details pane, click the Apply button, and then click OK.