Managing roles and permissions

Microsoft Forefront Threat Management Gateway implements access control for all components of the configuration and monitoring information through the Windows Server 2008 security descriptors of the applicable objects. The discretionary access control list (DACL) in the security descriptor of each object defines the types of access, or permissions, that can be granted to users and groups, and specifies which users and groups have been granted each of those permissions.

To simplify the administration of granting permissions to users, Forefront TMG provides administrative roles. A role defines a collection of rights, which authorize users and groups to perform specific actions. When a role is assigned to a user or group, Forefront TMG configures the DACLs in the security descriptors of the corresponding objects to grant that user or group the permissions needed to perform the actions allowed by the role. Forefront TMG also reconfigures the DACLs in the applicable security descriptors whenever you modify the assignments of the administrative roles or the Microsoft Forefront TMG Control service (isactrl) is restarted.

For example, when you assign a user or group a role that includes rights to view or modify the local configuration, Forefront TMG configures the applicable permissions for accessing the configuration settings stored in the local instance of Active Directory Application Mode (ADAM).

For more information about the Forefront TMG administrative roles, see Planning permissions and roles.