With Active Roles 6.9, which has been available for download since Nov'12, you get more options for delegating control over your Active Directory.
The key point of this feature is Conditions, which you can apply to Access Templates when you delegate control to someone in Active Roles.
These Conditions define when, and in which cases, the Access Templates are effective.
With Conditions you can compare properties of the trustee and target objects, and combine such comparisons with AND and OR operators.
These Conditions bring more flexibility to control delegation.
- You have a geographically distributed organization with many delegated admins in each location, and you want to allow delegated admins to reset passwords of users in their own locations ONLY.
Access Template: User - Reset Password
Condition: Admin.Location is equal to Target User.Location
- Your admins can manage all user accounts, but you want to prevent less-experienced admins from managing user accounts in some OUs.
Access Template: Users - Modify All Properties
Condition: Admin.JobTitle is not 'Student Admin'
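
The two scenarios above, modelled as an added Python example (not Active Roles code and not from the original post) to show how trustee/target comparisons and AND/OR combination decide whether an Access Template is effective. The helper names, the case-insensitive comparison and the rule that an unset attribute never satisfies a condition are assumptions of this model, not documented product behaviour.

```python
# Toy model of condition-gated delegation; all helper names are hypothetical.
from dataclasses import dataclass
from typing import Callable

Condition = Callable[[dict, dict], bool]  # (trustee attrs, target attrs) -> bool

def _norm(obj, attr):
    """Trimmed, case-folded attribute value, or None when it is unset or blank."""
    value = (obj.get(attr) or "").strip().casefold()
    return value or None

def same_attr(attr) -> Condition:
    """Trustee.attr equals Target.attr. Two blank values do NOT count as equal."""
    def check(trustee, target):
        a, b = _norm(trustee, attr), _norm(target, attr)
        return a is not None and a == b
    return check

def trustee_attr_is_not(attr, literal) -> Condition:
    """Trustee.attr differs from a literal. A blank attribute is denied
    (assumption: fail closed rather than let an unpopulated field pass)."""
    def check(trustee, target):
        a = _norm(trustee, attr)
        return a is not None and a != literal.strip().casefold()
    return check

def all_of(*conds) -> Condition:  # AND operator
    return lambda tr, tg: all(c(tr, tg) for c in conds)

def any_of(*conds) -> Condition:  # OR operator
    return lambda tr, tg: any(c(tr, tg) for c in conds)

@dataclass
class Delegation:
    access_template: str
    condition: Condition
    def is_effective(self, trustee, target) -> bool:
        return self.condition(trustee, target)

# The two scenarios from the post, plus a constructed AND-combination of both.
RESET_PASSWORD = Delegation("User - Reset Password", same_attr("Location"))
MODIFY_ALL = Delegation("Users - Modify All Properties",
                        trustee_attr_is_not("JobTitle", "Student Admin"))
COMBINED = Delegation("User - Reset Password",
                      all_of(RESET_PASSWORD.condition, MODIFY_ALL.condition))

# Constructed sample objects (not real directory data).
HELPDESK_BERLIN = {"Location": "Berlin", "JobTitle": "Helpdesk"}
STUDENT_BERLIN = {"Location": "berlin", "JobTitle": "Student Admin"}
NO_ATTRS_ADMIN = {"Location": "", "JobTitle": None}
USER_BERLIN = {"Location": "Berlin"}
USER_PARIS = {"Location": "Paris"}
USER_NO_LOCATION = {}
```

The unset-attribute cases are the ones worth testing in a real deployment: a condition keyed on Location or JobTitle is only as reliable as the process that populates those attributes.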
These Conditions also allow you to simplify your delegation model, reduce the number of Access Templates in use, and in some cases improve Active Roles performance.
Here are some screenshots of the feature: