Firstly, I'm not sure this is the best place to be asking this
question, so if you know of a better location then please let me know.

I've recently configured an ADAM instance to hold an AzMan application
store to authorise my users to perform specific actions within my web
app. This works just great and everyone is happy. That's the good
news. The bad news is that whilst managing the store locally on my PC
I decided (based on lack of information) to delete the store rather
than close it through my AzMan snap-in. The result? Not entirely
unexpected as it deleted the store from ADAM and hence stopped all
authorisation requests. It took me an hour to rebuild the store as
backups were not what they should have been (that's another issue).

So on to my question: Is it possible to grant some administrator users
access to a store, but amend their permissions so that they can not
delete it? I would envisage that another administator user still
remain defined who does have permissions, but that this account would
be a special setup and not a day to day account.

Regards,

mike

Yes, although you can't use the actual Adminstrators role group for this.
You'd need to create your own group and delegate specific permissions in
ADAM. Essentially, you want to ensure that you grant the appropriate create
and modify permissions without delete or delete tree. Don't give "full
control".

Permissions in ADAM use the same model as AD which is very granular.
However, it can be a little confusing figuring out what exactly you need to
grant to get the behavior you want. Testing with test objects you create is
a good idea.

Use the ACL editor in LDP to get the most control/visibility into what you
are actually setting.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"<M>" <m_dinnis (AT) hotmail (DOT) com> wrote