1
00:00:06,860 --> 00:00:13,080
This lesson will be talking about security roles for CA administration.

2
00:00:13,260 --> 00:00:24,620
Let's start. So, role-based administration in AD CS provides the ability to delegate the predefined permissions

3
00:00:24,890 --> 00:00:34,190
that are available on a CA to groups that you create in AD DS for enterprise CAs, or the local Security

4
00:00:34,190 --> 00:00:42,570
Accounts Manager database for standalone CAs that are not domain members. Although you can assign CA

5
00:00:42,570 --> 00:00:47,850
permissions to a specific user object, as a best practice,

6
00:00:47,850 --> 00:00:56,790
it is recommended that you only delegate permissions to a group. Delegating to a group reduces the

7
00:00:57,150 --> 00:01:06,240
required administrative effort and provides transparency of what permissions you have assigned. Each

8
00:01:06,240 --> 00:01:15,810
role that you create should only be able to perform a predetermined task or series of tasks that you

9
00:01:15,810 --> 00:01:17,790
assign to a security group.

10
00:01:19,030 --> 00:01:27,580
Let's review the following roles, their permissions, and let us review the description of each role.

11
00:01:28,520 --> 00:01:32,970
We have got CA Administrator.

12
00:01:33,080 --> 00:01:39,030
He or she manages the CA, issues and manages certificates.

13
00:01:39,050 --> 00:01:43,030
This role is assigned in the Certification Authority

14
00:01:43,050 --> 00:01:53,880
console. A user who assumes this role can configure all aspects of the CA and assign the other roles as necessary.

15
00:01:53,950 --> 00:02:02,940
The next role is Certificate Manager. He or she issues and manages certificates.

16
00:02:02,940 --> 00:02:12,390
This role is assigned in the CA console. Another role is Backup Operator. He or she backs up files and

17
00:02:12,870 --> 00:02:16,400
directories, restores files and directories.

18
00:02:16,410 --> 00:02:24,150
This role is an operating system role that membership in the local Backup Operators security group

19
00:02:24,180 --> 00:02:33,350
defines. We have got as well Auditor. He or she manages auditing and security.

20
00:02:33,350 --> 00:02:42,110
This role is an operating system role that the local security policy on the CA defines. And the last

21
00:02:42,110 --> 00:02:53,630
role is Enrollees. They request certificates: Request Certificates, defined on the CA object, or Enroll, defined on the

22
00:02:53,630 --> 00:02:55,670
certificate template.

23
00:02:55,670 --> 00:03:05,340
This role is a CA role that enables assigned users to see the CA and request certificates.

24
00:03:05,390 --> 00:03:12,080
It does not imply that assigned users have permissions to enroll, because that permission is assigned

25
00:03:12,080 --> 00:03:14,220
on a certificate template.

26
00:03:14,330 --> 00:03:23,090
By default, the Authenticated Users security principal has the Request Certificates permission on a CA.

27
00:03:23,600 --> 00:03:31,220
However, you might have more specific roles that assign enrollment permissions for each unique template

28
00:03:31,520 --> 00:03:33,560
that your organization requires.

29
00:03:34,870 --> 00:03:43,600
Please note that the local Administrators group on a CA has the Manage CA and Issue and Manage Certificates

30
00:03:43,600 --> 00:03:53,290
permissions by default. On enterprise CAs, these permissions also extend to the Domain Admins and Enterprise

31
00:03:53,290 --> 00:04:02,800
Admins groups. On standalone CAs that are joined to the domain, members of the Domain Admins group also

32
00:04:02,800 --> 00:04:14,540
have full administrative rights on the CA. Now some notes about creating security roles for AD CS administration.

33
00:04:14,700 --> 00:04:22,230
You should be aware that AD CS does not automatically create the roles and groups that are listed in

34
00:04:22,230 --> 00:04:23,480
the table above

35
00:04:26,200 --> 00:04:34,720
when you install the CA. The roles listed above are representative of a typical AD CS deployment where

36
00:04:34,720 --> 00:04:43,870
you desire role-based administration. Role-based administration must be unique to each AD CS deployment;

37
00:04:45,480 --> 00:04:55,000
therefore, you should plan and create only the roles that are necessary for your organization.

38
00:04:55,070 --> 00:05:02,840
Let's take a look at the following scenario and think about how we could configure role-based administration

39
00:05:02,840 --> 00:05:05,930
to meet the requirements. Now,

40
00:05:05,950 --> 00:05:14,950
you are the AD CS administrator for Adatum Corporation. You have deployed a standalone root CA that

41
00:05:14,950 --> 00:05:23,590
is joined to the domain and two enterprise subordinate CAs. One subordinate CA will issue user certificates

42
00:05:24,100 --> 00:05:28,510
and the other subordinate CA will issue computer certificates.

43
00:05:28,600 --> 00:05:38,520
You want to set up role-based administration so that you can have the following roles: a role with Manage

44
00:05:38,520 --> 00:05:49,060
CA and Issue and Manage Certificates rights on all CAs in the hierarchy, a role with Manage CA and Issue and

45
00:05:49,070 --> 00:05:58,110
Manage Certificates rights on subordinate CAs, a role with Issue and Manage Certificates rights for

46
00:05:58,110 --> 00:06:07,630
the User certificate template, and a role with Issue and Manage Certificates rights for the Computer

47
00:06:07,630 --> 00:06:17,070
certificate template. Now, you would configure role-based AD CS administration by the following steps.

48
00:06:17,580 --> 00:06:26,880
Step 1: you have to create a security group in AD DS that aligns to each role you want to assign in AD CS.

49
00:06:27,510 --> 00:06:34,080
Based on the requirements above, you would create the following groups for each required role. You would

50
00:06:34,080 --> 00:06:45,140
create Enterprise PKI Admins, Subordinate CA Admins, User Cert Managers and Computer Cert Managers.

51
00:06:46,040 --> 00:06:56,420
On step 2, on each CA in the hierarchy you assign the Enterprise PKI Admins group the Manage CA and Issue

52
00:06:56,480 --> 00:07:06,300
and Manage Certificates permissions in the Certification Authority console. Step 3 would be: on each subordinate

53
00:07:06,300 --> 00:07:15,450
CA you assign the Subordinate CA Admins group the Manage CA and Issue and Manage Certificates permissions

54
00:07:15,720 --> 00:07:17,540
in the Certification Authority

55
00:07:17,550 --> 00:07:28,600
console. Step 4 would be: on the subordinate CA that will issue user certificates you assign the User Cert

56
00:07:28,610 --> 00:07:37,590
Managers group the Issue and Manage Certificates permission in the Certification Authority console.

57
00:07:37,950 --> 00:07:39,380
On the Certificate

58
00:07:39,390 --> 00:07:48,960
Managers tab of the CA properties you restrict the User Cert Managers group to the User certificate

59
00:07:48,960 --> 00:07:58,800
template. And step 4, step 5 sorry, would be: on the subordinate CA that will issue computer certificates

60
00:07:59,240 --> 00:08:06,030
you assign the Computer Cert Managers group the Issue and Manage Certificates permission

61
00:08:06,030 --> 00:08:15,400
in the Certification Authority console. On the Certificate Managers tab of the CA properties you

62
00:08:15,400 --> 00:08:25,250
restrict the Computer Cert Managers group to the Computer certificate template. Next up we'll

63
00:08:25,250 --> 00:08:32,810
be talking about configuring CA policy and exit modules. I'll see you there.
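The following PowerShell script is an added example, not part of the lesson and not Microsoft's own tooling. It covers step 1 of the scenario above: creating one AD DS security group per role (Enterprise PKI Admins, Subordinate CA Admins, User Cert Managers, Computer Cert Managers) so that CA permissions are delegated to groups rather than to individual user objects, and it finishes with a read-only review of the CA's Security registry value so you can confirm which principals hold Manage CA and Issue and Manage Certificates after steps 2 to 5 have been done in the Certification Authority console. It assumes the ActiveDirectory module (RSAT) is installed, the caller can create groups, and the OU path and domain name are placeholders for your environment.

```powershell
# Added example (not from the lesson): create the four AD DS security groups that the
# scenario's roles map to, one group per role, so that CA permissions are delegated to
# groups instead of user objects, as the lesson recommends.
# Assumptions: ActiveDirectory module (RSAT) available, caller may create groups, and
# $TargetOU is a placeholder that you must change for your own forest.

Import-Module ActiveDirectory

$TargetOU = "OU=PKI Roles,DC=adatum,DC=com"   # placeholder OU; adjust to your environment

# Role -> group mapping taken from the scenario. Scope and Rights are documentation
# only (they end up in the group description): the Manage CA and Issue and Manage
# Certificates permissions themselves are still assigned per CA in the Certification
# Authority console, and template restrictions on the Certificate Managers tab.
$Roles = @(
    @{ Group  = "Enterprise PKI Admins"
       Scope  = "all CAs in the hierarchy"
       Rights = "Manage CA; Issue and Manage Certificates" },
    @{ Group  = "Subordinate CA Admins"
       Scope  = "subordinate CAs"
       Rights = "Manage CA; Issue and Manage Certificates" },
    @{ Group  = "User Cert Managers"
       Scope  = "the subordinate CA that issues user certificates"
       Rights = "Issue and Manage Certificates, restricted to the User template" },
    @{ Group  = "Computer Cert Managers"
       Scope  = "the subordinate CA that issues computer certificates"
       Rights = "Issue and Manage Certificates, restricted to the Computer template" }
)

foreach ($role in $Roles) {
    # Idempotent: only create the group if it is not already present in the target OU.
    $existing = Get-ADGroup -Filter "Name -eq '$($role.Group)'" -SearchBase $TargetOU `
                            -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ADGroup -Name $role.Group `
                    -SamAccountName ($role.Group -replace ' ', '') `
                    -GroupCategory Security `
                    -GroupScope Global `
                    -Path $TargetOU `
                    -Description "AD CS role: $($role.Rights) on $($role.Scope)"
        Write-Host "Created security group '$($role.Group)'"
    }
    else {
        Write-Host "Security group '$($role.Group)' already exists; skipping"
    }
}

# Review step, run on each CA after assigning permissions in the console: read the
# CA's Security registry value (its access control list) so you can verify that only
# the intended groups, plus the default local Administrators, Domain Admins and
# Enterprise Admins entries the lesson mentions, hold Manage CA / Issue and Manage
# Certificates, and that no individual user object was granted CA permissions directly.
certutil -getreg CA\Security
```

Run the group-creation part once from a workstation with RSAT against the domain, then run the `certutil -getreg` review on each CA in the hierarchy; any user account that shows up in that output with Manage CA or Issue and Manage Certificates is a deviation from the group-only practice the lesson describes and should be moved into one of the role groups.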