How to tune delegation incrementally when required

As you know, delegation is one of the major ActiveRoles features. When you develop your administration and security design, you need to define delegated administrators (Trustees), administrative roles (Access Templates) and managed objects.

Access Templates are collections of permissions representing administrative roles. Permissions are used to allow or deny certain administrative operations to a user or group.

To assign the role to a user or group, you should link the Access Template to a Managed Unit, Organizational Unit, domain, or individual object, depending on the scope of the role, and then select a user or group to designate as a Trustee. As a result, the individual user, or each member of the group, acquires the rights specified by the role to administer objects that reside in the collection or folder to which the Access Template has been linked.

ActiveRoles offers an extensive suite of preconfigured Access Templates that represent typical administrative roles. But how to tune delegation incrementally, in order it suits your specific needs? The answer is not to use built-in access templates but create your own Access Template and nest built-in there. You can't change built-in Access Templates. So, use built-in Access Templates only for testing/lab work. In production create your own. That would allow you to incrementally tune delegation when required, rather then start over.