Access groups were created and directly given the particular rights on the resources
through use of the various Administrative Control wizards. For example, the following
access groups were created for ISA:
• AG-ISA-FullAdmins
• AG-ISA-MonitoringAuditors
• AG-ISA-Auditors
To allow the Security Admins to be full ISA Admins, the RG-IT-SecurityAdmins group was
added as a member of the AG-ISA-FullAdmins group. For the Helpdesk resources to
monitor ISA, they were added into the AG-ISA-MonitoringAuditors group.
With this type of model in place, when a new employee joins the organization in
a particular role, or when an employee changes roles, only the role group membership
needs to be changed, which automatically grants access to the resources that job requires.
It also makes it very easy to audit administrative access to an environment.
This concept is very useful for administering an ISA server environment, and can also be
extended for use with the administration of other components in an environment.
NOTE
For ISA servers that are not domain members, local groups on the ISA server can be
used in the same type of capacity.
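
The audit this model makes easy can be scripted. The following is an added example, not code from the original text: it lists who effectively holds each ISA access group and through which role group, and flags any account placed directly in an access group. It assumes domain-member ISA servers, the ActiveDirectory PowerShell module, and the AG-ISA-* naming shown above; the output file name is hypothetical.

```powershell
# Added example: audit ISA administrative access under the role-group /
# access-group model. Assumes the ActiveDirectory module (RSAT) is available
# and that access groups follow the AG-ISA-* naming used in the text.
Import-Module ActiveDirectory

$report = foreach ($ag in Get-ADGroup -Filter "Name -like 'AG-ISA-*'") {
    # In this model the direct members of an access group are role groups only.
    foreach ($m in Get-ADGroupMember -Identity $ag.DistinguishedName) {
        if ($m.objectClass -ne 'group') {
            # A user or computer added directly bypasses the role model.
            [pscustomobject]@{
                AccessGroup = $ag.Name
                Principal   = $m.SamAccountName
                Via         = '(direct)'
                Finding     = 'Assigned directly; move into a role group'
            }
            continue
        }
        # Expand the role group (including nested groups) to its effective members.
        foreach ($u in Get-ADGroupMember -Identity $m.DistinguishedName -Recursive) {
            [pscustomobject]@{
                AccessGroup = $ag.Name
                Principal   = $u.SamAccountName
                Via         = $m.Name
                Finding     = ''
            }
        }
    }
}

# Full picture: who has which ISA right, and through which role group.
$report | Sort-Object AccessGroup, Via, Principal | Format-Table -AutoSize

# Deviations from the model, saved for follow-up (hypothetical file name).
$report | Where-Object Finding |
    Export-Csv -Path .\isa-access-deviations.csv -NoTypeInformation
```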