An example of a role group would be RG-ITSecurityAdmins,
which would be added as a member of the AG-ISAFullAdmins
access group. Role groups are best created as Active Directory Global groups.
NOTE
The terms access group and role group are not official Microsoft terms, but are useful
descriptors to help understand this concept.
436 CHAPTER 16 Administering an ISA Server 2006 Environment
Illustrating a Role-Based Access Approach
To illustrate this concept, take fictional CompanyABC. CompanyABC has several job types
within the company, such as the following:
• Human Resources Officer
• Marketing Analyst
• Accountant
• Information Technology Engineer
• Manager
• Security Admins
• IT Helpdesk
• Salesperson
In Active Directory, global groups were created at CompanyABC to correspond to each of
these job types, such as the following:
• RG-HROfficers
• RG-MarketingAnalysts
• RG-Accountants
• RG-ITEngineers
• RG-Managers
• RG-IT-SecurityAdmins
• RG-IT-Helpdesk
• RG-Salespersons
CompanyABC spent the time auditing what each role needed to access and determined
different types of access requirements for each role. For example, they determined that the
Security Admins required full control of the ISA infrastructure, whereas the Helpdesk
needed only to monitor ISA, as well as to perform multiple other tasks within the organization.
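The nesting described above can be built and audited with the ActiveDirectory PowerShell module. The following is an added example, not code from the book: the OU path, the domain name, the access group name AG-ISAMonitoring, and the choice of Domain Local scope for access groups are assumptions made for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to manage groups.
Import-Module ActiveDirectory

# Hypothetical OU and domain; change to match your directory.
$GroupOU = 'OU=Groups,DC=companyabc,DC=com'

# Role group -> access groups it should be nested in.
$RoleMap = @{
    'RG-IT-SecurityAdmins' = @('AG-ISAFullAdmins')
    'RG-IT-Helpdesk'       = @('AG-ISAMonitoring')   # hypothetical access group name
}

function Get-OrNewGroup {
    # Return the named security group, creating it with the given scope if absent.
    param([string]$Name, [string]$Scope)
    $group = Get-ADGroup -Filter "SamAccountName -eq '$Name'"
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name `
            -GroupCategory Security -GroupScope $Scope -Path $GroupOU -PassThru
    }
    return $group
}

foreach ($role in $RoleMap.Keys) {
    # Role groups are Global groups, as the text recommends.
    $rg = Get-OrNewGroup -Name $role -Scope Global
    if ($rg.GroupScope -ne 'Global') {
        Write-Warning "$role has scope $($rg.GroupScope); expected Global."
    }

    foreach ($access in $RoleMap[$role]) {
        # Assumption: access groups are Domain Local groups.
        $ag = Get-OrNewGroup -Name $access -Scope DomainLocal
        $members = @(Get-ADGroupMember -Identity $ag)

        # Nest the role group in the access group if it is not already a member.
        if ($members.SamAccountName -notcontains $role) {
            Add-ADGroupMember -Identity $ag -Members $rg
        }

        # Audit: anything other than a group here bypasses the role model.
        $members | Where-Object { $_.objectClass -ne 'group' } | ForEach-Object {
            Write-Warning "$access has direct member '$($_.SamAccountName)'; move it into a role group."
        }
    }
}
```

Running the script again after the groups exist changes nothing and only reports scope mismatches and direct memberships, so it can serve as a periodic check that access is still granted through role groups alone.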