I used the same process to assign all ActiveRoles, and I accepted the default setting for inheriting permissions from parent objects in all cases. The same mechanism that lets you assign roles lets you change role assignments. To remove an object from DM/ActiveRoles' control, right-click the object and select Remove From Control from the resulting menu.
Because the product uses native ACEs that you can modify outside of DM/ActiveRoles, the software includes a utility—Check ActiveRoles—for verifying that object access permissions match the permissions that you specify in the applied role. As a test, I changed some ACEs on an object, then right-clicked the controlled object and selected Check ActiveRoles. I received a message that the native permissions were out of sync with the ActiveRoles-defined ACEs. The message asked whether I wanted to add the missing ACEs to the native permissions. I clicked Yes, and DM/ActiveRoles restored the ACEs to their ActiveRole-defined states.
The Role Composition Console
The Role Composition Console (RCC) is integral to maintaining a simple approach to a complex task. You can use the RCC to choose the visible attributes for a given object. In its development of DM/ActiveRoles, FastLane selected appropriate attributes for standard AD objects, but for schema additions, you'll want to use the RCC.
The RCC is analogous to a restaurant menu. You don't want to order your meal ingredient by ingredient, but you might want to know what comes on a hamburger and be able to hold the onions. The RCC assures you that the application presents only pertinent attributes to the DM/ActiveRoles interface. To test the RCC, I installed a mock AD-integrated application (intended only to extend the schema) that I named ADAPP (as in AD application). I selected a small subset of the available attributes, saved the changes, and returned to the main interface to use the ADAPP object to create a role. When I set access rights for the ADAPP object, only the attributes I specified in the RCC were available.
Reporting
You easily can create detailed reports about controlled objects, accounts, ACEs, and ActiveRoles. I right-clicked the Reports node in the treeview and selected New, Report Template. In the resulting Report Template Wizard dialog box, I provided the type of information I wanted the report to include.
Overall, the wizard-driven reporting tool proved intuitive and easy to use. In minutes, I created several reports detailing my environment. After the wizard completed a report, the name that I gave the report template appeared in the list view; I then could use the report template by double-clicking the listing. The ReportViewer, launched by double-clicking a report template, displayed report output that I could print or save as an HTML document. However, the product lacks the ability to schedule reports and automatically save the output for historical reference.
A Flexible and Powerful Tool
If you're serious about leveraging the power of AD in your environment, take a look at DM/ActiveRoles. The product's ability to simplify AD management saves hours of work and creates a more suitable environment for task delegation. You will find the ability to edit an ActiveRole and have those changes propagate to affected objects especially useful.
The software's documentation is thorough in most categories but shallow in its explanation of how to create ActiveRoles. However, FastLane provides knowledgeable and helpful support engineers who can answer any questions you might have about the product. Other minor usability shortfalls were the inability to logically group ActiveRoles in the list view—including this feature would enhance productivity in environments in which many roles are necessary—and the inability to schedule automated reporting, which would enhance the product's utility.
Judging solely on the likely productivity gains from using DM/ActiveRoles, the price of $7 per managed user is a good value. The efficiency and peace of mind that comes with knowing who has which permissions make DM/ActiveRoles a tool I strongly recommend for deploying and managing AD in a corporate environment.
End of Article
Terminex April 26, 2001