Delegation of permissions to Pointsharp ID storage

Pointsharp ID stores information about its users inside a specified Organisational Unit (OU) in a directory server. In most cases the directory server of choice is Microsoft Active Directory (AD). Pointsharp ID must be able to create, read, write and delete data under the specified Organisational Unit. This guide explains how to delegate the appropriate permissions to the service account that Pointsharp ID is configured to use.

Prerequisites

Service Account

A standard user account with no specific permissions.

Pointsharp ID storage OU

A specific OU created for Pointsharp storage only.

Delegate permissions

Follow the steps below to delegate the permissions needed by the service account that Pointsharp ID will use. There are two ways to delegate these rights; both result in the same permissions:

  • Version 1: Gives a slightly better overview when searching for the correct values, making it easier to find the delegation rights to apply.

  • Version 2: Similar to version 1, but the list of available rights is very long and it is more difficult to find the correct values.

Version 1

  1. Start an Active Directory Users and Computers console.

  2. Locate the OU that will be used as a Pointsharp Storage.

  3. Right-click the OU and choose Properties.

  4. Go to the Security tab and add the Service Account to be used. If the Security tab is missing, enable Advanced Features (View menu) in the Active Directory Users and Computers console.

  5. Click Advanced and locate the Service Account added. Click Edit.

  6. The Type should be set to Allow, and the Applies to should be set to This object and all descendant objects.

  7. Under Permissions, check the following checkboxes:

    • Create Organizational Unit Objects,

    • Delete Organizational Unit Objects,

    • Read all properties, and

    • Write all properties.

  8. Click OK in each dialog to finish.

The service account now has the correct permissions on the specified Pointsharp ID storage OU.

Version 2

  1. Start an Active Directory Users and Computers console.

  2. Locate the OU that will be used as a Pointsharp Storage.

  3. Right-click the OU and select Delegate control.

  4. Click Next.

  5. Add the service account and click Next.

  6. Select Create a custom task to delegate and click Next.

  7. Click Next.

  8. Check all three checkboxes under Show these permissions (General, Property-specific, and Creation/deletion of specific child objects).

  9. Under Permissions, check the following checkboxes:

    • Create Organizational Unit Objects,

    • Delete Organizational Unit Objects,

    • Read all properties, and

    • Write all properties.

  10. Click Next and finish.

The service account now has the correct permissions on the specified Pointsharp ID storage OU.
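The same four permissions that Version 1 and Version 2 set through the GUI can also be applied and verified from PowerShell, which is useful for repeatable setups and for auditing that the service account holds nothing beyond what Pointsharp ID needs. The script below is an added example, not part of this guide or of Pointsharp's own tooling; the account name svc-pointsharp and the OU distinguished name are placeholders, and it must be run by an account allowed to modify the OU's security descriptor.

```powershell
# Added example: delegate Create/Delete Organizational Unit Objects and
# Read/Write all properties on the Pointsharp ID storage OU, inherited by
# this object and all descendant objects, then list the resulting ACEs.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-pointsharp'                       # placeholder, assumed name
$StorageOU      = 'OU=PointsharpID,DC=example,DC=com'    # placeholder, assumed DN

# ACEs are stored by SID, so resolve the account first.
$sid = (Get-ADUser -Identity $ServiceAccount).SID

# Look up the schemaIDGUID of the organizationalUnit class instead of
# hard-coding it; this scopes the ACE to "Organizational Unit Objects",
# matching the GUI checkboxes rather than granting creation of any child type.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$ouClass     = Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter '(lDAPDisplayName=organizationalUnit)' -Properties schemaIDGUID
$ouClassGuid = [guid]$ouClass.schemaIDGUID

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # this object and all descendants
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

# Create Organizational Unit Objects + Delete Organizational Unit Objects
$createDeleteOU = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $ouClassGuid, $inherit)

# Read all properties + Write all properties
$readWriteProps = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $inherit)

$acl = Get-Acl -Path "AD:\$StorageOU"
$acl.AddAccessRule($createDeleteOU)
$acl.AddAccessRule($readWriteProps)
Set-Acl -Path "AD:\$StorageOU" -AclObject $acl

# Verification / audit: show only the ACEs that apply to the service account.
# Expect two Allow entries: CreateChild, DeleteChild scoped to the OU class GUID,
# and ReadProperty, WriteProperty with an empty ObjectType, both inherited to All.
(Get-Acl -Path "AD:\$StorageOU").Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceAccount" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType
```

Re-running the verification block alone is a quick way to confirm during an audit that the service account has only these rights on the storage OU and none on the rest of the directory.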