Chat now with support
Chat with Support

Active Roles 8.0 LTS - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Microsoft 365 Groups Managing Azure Security Groups Managing cloud-only distribution groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Active Roles integration with other One Identity and Quest products Appendix F: Active Roles integration with Duo Appendix G: Active Roles integration with Okta Active Roles Language Pack

Creating a Policy Object

The Active Roles console provides separate wizards for creating Policy Objects in each category—provisioning and deprovisioning. You can start the wizards from the Administration container, located under Configuration/Policies in the console tree:

  • To configure provisioning policies, right-click Administration in the console tree, and select New | Provisioning Policy.
  • To configure deprovisioning policies, right-click Administration in the console tree, and select New | Deprovisioning Policy.

If you need to manage a large number of Policy Objects, it is advisable to create containers that hold only specified Policy Objects for easy location: In the console tree, right-click Administration and select New | Container. Then, you can use wizards to create Policy Objects in that container: Right-click the container and select New | Provisioning Policy or New | Deprovisioning Policy.

On the Welcome page of the wizard, click Next. Then, on the Name and Description page, type a name and description for the new Policy Object. The Active Roles console will display the name and description in the list of Policy Objects in the details pane.

Click Next to continue. This displays a page where you can select the policy you want to configure. The list of policies depends on whether you are creating a Provisioning Policy Object or Deprovisioning Policy Object. For instance, the list of provisioning policies looks as shown in the following figure.

Figure 37: Provisioning policies

On the Policy to Configure page, select the type of policy you want to add to the Policy Object. When the type is selected, its description is displayed in the lower box.

Click Next to configure the policy. The steps involved in configuring a policy depend on the policy type. For instructions on how to configure policies, see Policy configuration tasks later in this chapter.

When you are done with configuring a policy, the wizard presents you with a page where you can specify the policy scope. You have the option to complete a list of containers or Managed Units on which you want the policy to be enforced. This step is optional because you can configure the policy scope after creating the Policy Object (see Applying Policy Objects later in this chapter).

Click Next, and then click Finish to complete the wizard. This creates the new Policy Object.

Steps for creating a Policy Object

To create a Policy Object

  1. In the console tree, under Configuration | Policies | Administration, locate and select the folder in which you want to add the Policy Object.

You can create a new folder as follows: Right-click Administration and select New | Container. Similarly, you can create a sub-folder in a folder: Right-click the folder and select New | Container.

  1. Right-click the folder, point to New, and then click Provisioning Policy or Deprovisioning Policy.
  2. On the Welcome page of the wizard, click Next.
  3. On the Name and Description page, do the following:
    1. In the Name box, type a name for the Policy Object.
    2. Under Description, type any optional information about the Policy Object.

    Click Next.

  4. On the Policy to Configure page, select a policy type, and click Next to configure policy settings.
  5. On the Enforce Policy page, you can specify the objects to which this Policy Object is to be applied:
    • Click Add, and use the Select Objects to locate and select the objects you want.
  6. Click Next, and then click Finish.

NOTE:

Adding, modifying, or removing policies

Although the New Policy Object wizard makes it possible to configure only one policy, a Policy Object may include multiple policies. You can add policies, remove policies, and modify policy options in an existing Policy Object by managing its properties: Right-click the Policy Object and then click Properties.

To add, remove, or edit policies in a Policy Object, go to the Policies tab in the Properties dialog box. The tab is shown in the following figure.

Figure 38: Policy Objects Management

The Policies tab displays a list of policies defined in the Policy Object. Each list entry includes an icon denoting policy type and policy description. The policies are executed in the order shown in the list. To change the order, use the arrows in the lower-right corner of the tab.

On the Policies tab, you can perform the following management tasks:

  • Add policy.  Click the Add button and follow the instructions in the wizard, which depend on whether you are configuring a Provisioning Policy Object or Deprovisioning Policy Object.

    The wizard prompts you to select the type of policy to add and then guides you through the steps to configure the policy. The steps to configure a policy depend on the policy type. For instructions on how to configure policies, see Policy configuration tasks later in this chapter.

  • Delete policy.  Select policies from the list and click the Remove button. This permanently deletes the policies you have selected.
  • Modify policy.  Select a policy from the list and click the View/Edit button. This displays the Properties dialog box for the policy you have selected.

    The Properties. dialog includes several tabs, with each tab containing the same options as the corresponding page of the wizard used to configure the policy. You can manage policy options the same way as you do when initially configuring the policy.

  • Disable all policies.  For troubleshooting purposes, you may need to stop enforcement of the policies without actually deleting them. To accomplish this, select the Disable all policies included in this policy object check box.

NOTE: The policies that can be added to a given Policy Object depend on the type of the Policy Object. A Provisioning Policy Object can only include provisioning-related policies whereas a Deprovisioning Policy Object can only include deprovisioning-related policies (see Provisioning Policy Objects and Deprovisioning Policy Objects earlier in this document).

Steps for adding policies to a Policy Object

To add a policy to a Policy Object

  1. In the console tree, under Configuration | Policies | Administration, locate and select the folder that contains the Policy Object you want to modify.
  2. In the details pane, right-click the Policy Object, and then click Properties.
  3. On the Policies tab, click Add to start a wizard that helps you configure a policy.
  4. On the Welcome page of the wizard, click Next.
  5. On the Policy to Configure page, select the type of the policy you want to add.
  6. Configure policy settings. For instructions, see Policy configuration tasks.

NOTE:

  • The Policies tab lists the policies that are configured in the Policy Object. You can use the Policies tab to add, modify, or delete policies from the Policy Object.
  • Active Roles processes policies in the order they are listed on the Policies tab. To change the order, select a policy and click or to move the policy up or down in the list.
  • Once a Policy Object is applied within Active Roles to determine policy settings in the directory, any changes to the list of policies in the Policy Object causes the policy settings in the directory to change accordingly.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating