Implement ACEs for the Reseller Organization

The access control entries (ACEs) on each reseller organization control the type of access that each group is granted to the reseller organization. ACEs on reseller groups allow resellers to access their parent object (that is, the hosting organization), but that access is restricted to their own reseller organization. The permissions specified by the ACEs prevent user accounts in each reseller group from viewing organizational units (OUs) other than those of their organization. The Remove Authenticated Users ACE is set on each reseller OU so that no user can read the contents of the reseller OU unless explicitly granted that right. This prevents a reseller's customers from viewing OUs other than their own.

ACEs for the AllUsers@reseller Group

The ACEs on the AllUsers@reseller group grant List Object permissions for the reseller OU.

The following table describes an ACE on the AllUsers@reseller group that restricts members of the AllUsers@reseller group from listing the contents of the reseller organization. This prevents user accounts within a particular customer organization from viewing other customer OUs within the reseller organization.

Table: List Object ACEs for the AllUsers@reseller Group

Allowed or denied to    Permission                  Apply to
AllUsers@reseller       Special                     This object only
Permission              Allow                       -
List Object             ADS_RIGHT_DS_LIST_OBJECT    -

The following table describes ACEs for the AllUsers@reseller group that are applied to this group and any of its child objects. Users are granted List Object and Read permissions.

Table: ACEs for the AllUsers@reseller Group

Allowed or denied to    Permission                    Apply to
AllUsers@reseller       Special                       This object and all child objects
Permission              Allow                         -
List Contents           ADS_RIGHT_DS_ACTRL_DS_LIST    -
Read All Properties     ADS_RIGHT_DS_READ_PROP        -
Read permissions        ADS_RIGHT_READ_CONTROL        -

ACEs for the AllCustomers@reseller Group

The following table describes an ACE that sets List Object permissions on the reseller organization. This ACE denies List Object permissions to the AllCustomers@reseller group for the reseller OU. This restriction prevents users within a particular customer organization from accessing customer OUs other than their own.

Table: ACEs for the AllCustomers@reseller Group

Allowed or denied to      Permission                  Apply to
AllCustomers@reseller     Special                     This object only
Permission                Allow                       -
List Object               ADS_RIGHT_DS_LIST_OBJECT    -

ACEs for the Admins@reseller Group

The following table describes an ACE that grants reseller-administrator-level permissions to members of the Admins@reseller group. These permissions allow reseller administrators to write properties, modify permissions, and create and delete objects within the reseller OU.

Table: ACEs for the Admins@reseller Group

Allowed or denied to        Permission                      Apply to
Admins@reseller             Special                         This object and all child objects
Permission                  Allow                           -
Write all properties        ADS_RIGHT_DS_WRITE_PROPERTIES   -
Modify permissions          ADS_RIGHT_WRITE_DAC             -
All validated writes        ADS_RIGHT_DS_SELF               -
All extended writes         ADS_RIGHT_DS_CONTROL_ACCESS     -
Create all child objects    ADS_RIGHT_DS_CREATE_CHILD       -
Delete all child objects    ADS_RIGHT_DS_DELETE_ACCESS      -

ACEs for the CSRAdmins@reseller Group

The following table describes the ACE that grants members of the CSRAdmins@reseller group customer-service-representative-level permissions within the reseller organization.

Table: ACEs for the CSRAdmins@reseller Group

Allowed or denied to        Permission                      Apply to
CSRAdmins@reseller          Special                         This object and all child objects
Permission                  Allow                           -
Write all properties        ADS_RIGHT_DS_WRITE_PROPERTIES   -
Modify permissions          ADS_RIGHT_WRITE_DAC             -
All validated writes        ADS_RIGHT_DS_SELF               -
All extended writes         ADS_RIGHT_DS_CONTROL_ACCESS     -
Create all child objects    ADS_RIGHT_DS_CREATE_CHILD       -

ACEs for the _private Container

The _private container holds the special containers and groups required to implement Delegated Administration Console functionality. It carries the Remove Authenticated Users ACE to prevent all users from accessing the _private container, except those explicitly authorized.
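The following PowerShell script is an added example, not part of the original documentation: it applies the ACEs from the reseller group tables above to one reseller OU and removes the explicit Authenticated Users entries. The OU distinguished name is a placeholder, the group names are assumed to be the groups' sAMAccountNames, and the rights are the .NET ActiveDirectoryRights names corresponding to the permissions listed in the tables.

```powershell
# Added example (not part of the original documentation): applies the ACEs from the
# tables above to one reseller OU with the ActiveDirectory module and the AD: drive.
# The OU distinguished name is a placeholder; the group names are those used in the
# tables and are assumed to be the groups' sAMAccountNames. Requires rights to modify
# the OU's security descriptor and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ResellerOuDn = 'OU=Reseller1,OU=Hosting,DC=example,DC=com'   # placeholder DN

# One entry per table row. Scope follows the "Apply to" column:
#   "This object only"                  -> None
#   "This object and all child objects" -> All
# Rights use the .NET ActiveDirectoryRights names for the ADS_RIGHT_* values listed
# (e.g. ADS_RIGHT_DS_LIST_OBJECT -> ListObject, ADS_RIGHT_WRITE_DAC -> WriteDacl).
$aceRows = @(
    @{ Group = 'AllUsers@reseller';     Rights = 'ListObject';                              Scope = 'None' }
    @{ Group = 'AllUsers@reseller';     Rights = 'ListChildren, ReadProperty, ReadControl'; Scope = 'All'  }
    @{ Group = 'AllCustomers@reseller'; Rights = 'ListObject';                              Scope = 'None' }
    @{ Group = 'Admins@reseller';       Rights = 'WriteProperty, WriteDacl, Self, ExtendedRight, CreateChild, DeleteChild'; Scope = 'All' }
    @{ Group = 'CSRAdmins@reseller';    Rights = 'WriteProperty, WriteDacl, Self, ExtendedRight, CreateChild';              Scope = 'All' }
)

$acl = Get-Acl -Path "AD:\$ResellerOuDn"

# "Remove Authenticated Users ACE": purge every explicit entry for Authenticated Users
# (S-1-5-11) so only the groups below can read the OU. PurgeAccessRules does not touch
# inherited entries; those are governed by the parent OU's DACL.
$acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]'S-1-5-11')

foreach ($row in $aceRows) {
    $sid  = (Get-ADGroup -Identity $row.Group).SID
    # Every row in the tables is an Allow entry ("Permission: Allow").
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$row.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$row.Scope)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path "AD:\$ResellerOuDn" -AclObject $acl

# Check: list the explicit (non-inherited) ACEs now on the OU for review.
(Get-Acl -Path "AD:\$ResellerOuDn").GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize
```

Run the final Get-Acl check before and after the change and compare the output, so that any inherited Authenticated Users entry the purge cannot remove is visible and can be addressed at the parent OU.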