Configuring array-level administrative roles

To simplify granting permissions to users, Microsoft Forefront Threat Management Gateway provides administrative roles. A role defines a collection of rights that authorize users and groups to perform specific actions. When you assign a role to a user or group, Forefront TMG configures the corresponding objects to grant that user or group the permissions needed to perform the actions the role allows. For more information about the Forefront TMG administrative roles, see Planning permissions and roles.

After the array has been created, you can assign array administrator privileges for the array. Do the following:

  1. In Forefront TMG, right-click the name of the array and select Properties.
  2. On the Assign Roles tab, click Add. Add the required user. From the drop-down Role menu, select ISA Server Array Administrator, and then click OK.
  3. Click OK to close the properties page.
  4. In the Firewall Policy details pane, click Apply to apply the changes.

To assign administrative roles for array administrators

  1. In the Forefront TMG Management console tree, click the Forefront TMG node.

  2. On the Tasks tab, click Assign Administrative Roles.

  3. If the computer running the Forefront TMG services is in a domain, on the Assign Roles tab, click the upper Add button. Then, do the following:

    1. In Group or User, type the name of the group or user that will be allowed to access information stored in the local instance of Active Directory Application Mode (ADAM).
    2. In Role, select one of the following:
      Forefront TMG Array Administrator. Authorizes the specified group or user to perform all administrative tasks in the array.
      Forefront TMG Array Auditor. Authorizes the specified group or user to perform monitoring tasks and to view the array configuration.
      Forefront TMG Array Monitoring Auditor. Authorizes the specified group or user to perform some monitoring tasks.
  4. If the computer running the Forefront TMG services is in a workgroup, on the Assign Roles tab, click the lower Add button. Then, do the following:

    1. In Group or User, type the name of the group or user that will be allowed to access information stored in the local instance of ADAM.
    2. In Role, select one of the following:
      Forefront TMG Array Administrator. Authorizes the specified group or user to perform all administrative tasks in the array.
      Forefront TMG Array Auditor. Authorizes the specified group or user to perform monitoring tasks and to view the array configuration.
      Forefront TMG Array Monitoring Auditor. Authorizes the specified group or user to perform some monitoring tasks.
  5. Click OK to close the dialog box.

  6. In the details pane, click the Apply button to save and update the configuration, and then click OK.

    Note

    Do not assign administrative roles to CREATOR OWNER, CREATOR GROUP, or their security identifiers (SIDs). These SIDs do not exist in ADAM, in which the Forefront TMG configuration is stored.