Chat now with support
Chat with Support

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Applying Access Templates

You can assign permissions to Active Directory (AD) objects with Access Templates (ATs) in the Active Roles Console.

Delegating permissions with ATs is an effective method to grant specific types of access for specific users or groups to specific organizational resources. For example, directory administrators of a domain can receive full control for managing that domain, while helpdesk operators can quickly receive permission to reset passwords for domain users.

Active Roles supports specifying ATs to all AD object types: administrative views (Managed Units), directory folders (containers), or individual (leaf) objects as well. When applying an AT to an AD object, you:

  1. Designate a trustee (also known as security principal) who will receive the permissions granted by the AT. Trustees are typically users or groups.

  2. Assign permissions to that trustee for the AD object in the scope of the AT. Such AD objects are called securable objects.

    As a result, the trustee receives access to the securable object according to the permissions defined in the AT.

You can apply ATs to an AD object with the Delegation of Control Wizard. To start the wizard, navigate to either:

  • The AT you want to apply on an AD object. When you start the Delegation of Control Wizard this way, you can select the securable AD objects for which the access is granted, and the trustees who receive the access to those securable objects.

    For the steps of this procedure, see Applying an Access Template directly.

  • The securable AD object (container, Managed Unit or leaf object) whose access and administration permissions you want to configure. When you start the Delegation of Control Wizard this way, you can select the trustees who receive the access to the securable object and the ATs defining the permissions of the trustees to the securable object.

    For the steps of this procedure, see Applying Access Templates on a securable object.

  • The trustee for which you want to assign permissions. When you start the Delegation of Control Wizard this way, you can select the securable AD object to which the trustee will receive access and the ATs defining the permissions of the trustee to the securable object.

    For the steps of this procedure, see Applying Access Templates on a user or group.

NOTE: ATs support propagating their permission settings for the child objects of the securable objects too.

Applying an Access Template directly

You can configure permissions for a trustee to a securable Active Directory (AD) object via an Access Template (AT) by selecting the AT directly in the Active Roles Console.

To apply an Access Template on a trustee or trustees

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to Configuration > Access Templates.

  2. Right-click the AT you want to assign to a trustee (or trustees), then click Links.

    TIP: For more information on the ATs, see the Description of the AT or the Active Roles Built-in Access Templates Reference Guide document.

  3. In the Links dialog, to start the Delegation of Control Wizard, click Add. Click Next on the Welcome page, when it appears.

  4. In the Objects step, specify the securable objects that you want to add to the scope of the AT.

    • To specify a new securable object or objects, click Add. Then, in the Select Objects window, locate and select the securable objects you want to add to the scope of the AT, and click Add.

      Once you finalized the list, to close the Select Objects window and apply your selection, click OK.

      TIP: If no securable objects appear in the window, use the Click here to display objects link.

      Figure 17: Delegation of Control Wizard – Select objects window when specifying securable objects

      Figure 18: Delegation of Control Wizard – Selecting securable objects

    • To remove securable objects added earlier to the scope of the AT, select them in the Objects step, and click Remove.

    To continue, click Next.

  5. In the Users or Groups step, specify the trustee(s) for which you want to grant the permissions of the AT.

    • To specify a new trustee or new trustees, click Add. Then, in the Select Objects window, locate and select the users or groups you want to add to the scope of the AT, and click Add. Once you finalized the list, to close the Select Objects window and apply your selection, click OK.

      TIP: If no users or groups appear in the window, use the Click here to display objects link.

      Figure 19: Delegation of Control Wizard – Select Objects window when specifying trustees

      Figure 20: Delegation of Control Wizard – Selecting trustees

    • To remove existing trustees added earlier to the scope of the AT, select them in the Users or Groups step, and click Remove.

    To continue, click Next.

  6. In the Inheritance Options step, specify with the Apply permissions onto setting the scope of securable objects to which Active Roles applies the permissions of the AT:

    • This directory object: Trustees receive the AT permissions only to the selected securable object.

    • Child objects of this directory object: Trustees receive the AT permissions to the children of the securable object. To limit the granted permissions only to the direct children of the object, select Immediate child objects only as well.

    Figure 21: Delegation of Control Wizard- Inheritance Options

    To continue, click Next.

  7. In the Permissions Propagation step, to synchronize the configured permission settings to the native Active Directory (AD) access controls, select Propagate permissions to Active Directory.

    Figure 22: Delegation of Control Wizard – Permissions propagation

    Selecting this setting will modify the authorization information of the AD objects with the permission settings defined in Active Roles, providing more flexibility for users and groups that use native AD management tools besides Active Roles.

    IMPORTANT: Selecting this setting will result in trustees keeping their configured permissions outside of the Active Roles environment, with the potential risk of bypassing policies configured and enforced with Active Roles.

    Therefore, select this option only if the selected trustees have the required security clearance and/or meet all security guidelines in effect within your organization.

    TIP: Once Propagate permissions to Active Directory is selected and configured, you can change this setting at any time with the Active Roles Security > Sync to AD setting, or with the Advanced Details > Sync to AD setting. For more information, see Synchronizing permissions to Active Directory.

    To continue, click Next.

  8. To complete the wizard, click Finish.

Applying Access Templates on a securable object

You can configure permissions for a trustee (or trustees) to a securable Active Directory (AD) object via Access Templates (ATs) by selecting the securable object in the Active Roles Console.

To configure permissions with an Access Template from a securable object

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to the securable object for which you want to configure an AT.

  2. To open the Delegation of Control Wizard from the securable object:

    • If the securable object is a container or Managed Unit, right-click the object, then click Delegate Control > Add.

    • If the securable object is a leaf object, right-click the object and click Properties. Then, in the Properties window, click Administration > Security > Add.

    When the Welcome screen of the Delegation of Control Wizard appears, click Next.

  3. In the Users or Groups step, specify the trustee(s) for which you want to grant the permissions of the AT.

    • To specify a new trustee or new trustees, click Add. Then, in the Select Objects window, locate and select the users or groups you want to add to the scope of the AT, and click Add. Once you finalized the list, to close the Select Objects window and apply your selection, click OK.

      TIP: If no users or groups appear in the window, use the Click here to display objects link.

      Figure 23: Delegation of Control Wizard – Select Objects window when specifying trustees

      Figure 24: Delegation of Control Wizard – Selecting trustees

    • To remove existing trustees added earlier to the scope of the AT, select them in the Users or Groups step, and click Remove.

    To continue, click Next.

  4. In the Access Templates step, specify the ATs you want to assign to the selected trustees for the configured securable object. Expand the containers of the ATs, then select the AT or ATs you want to apply.

    Figure 25: Delegation of Control Wizard – Selecting Access Templates

    To continue, click Next.

  5. In the Inheritance Options step, specify with the Apply permissions onto setting the scope of securable objects to which Active Roles applies the permissions of the AT:

    • This directory object: Trustees receive the AT permissions only to the selected securable object.

    • Child objects of this directory object: Trustees receive the AT permissions to the children of the securable object. To limit the granted permissions only to the direct children of the object, select Immediate child objects only as well.

    Figure 26: Delegation of Control Wizard- Inheritance Options

    To continue, click Next.

  6. In the Permissions Propagation step, to synchronize the configured permission settings to the native Active Directory (AD) access controls, select Propagate permissions to Active Directory.

    Figure 27: Delegation of Control Wizard – Permissions propagation

    Selecting this setting will modify the authorization information of the AD objects with the permission settings defined in Active Roles, providing more flexibility for users and groups that use native AD management tools besides Active Roles.

    IMPORTANT: Selecting this setting will result in trustees keeping their configured permissions outside of the Active Roles environment, with the potential risk of bypassing policies configured and enforced with Active Roles.

    Therefore, select this option only if the selected trustees have the required security clearance and/or meet all security guidelines in effect within your organization.

    TIP: Once Propagate permissions to Active Directory is selected and configured, you can change this setting at any time with the Active Roles Security > Sync to AD setting, or with the Advanced Details > Sync to AD setting. For more information, see Synchronizing permissions to Active Directory.

    To continue, click Next.

  7. To complete the wizard, click Finish.

Applying Access Templates on a user or group

You can configure permissions for a trustee (typically a user or group) to a securable Active Directory (AD) object via Access Templates (ATs) by selecting the trustee in the Active Roles Console.

To configure permissions with an Access Template from a trustee

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to the trustee AD object (such as a user or group) for which you want to configure access with an AT or ATs to a securable object.

  2. To open the Delegation of Control Wizard, right-click the trustee, then click Delegated Rights > Add.

    When the Welcome screen appears, click Next.

  3. In the Objects step, specify the securable objects that you want to add to the scope of the AT.

    • To specify a new securable object or objects, click Add. Then, in the Select Objects window, locate and select the securable objects you want to add to the scope of the AT, and click Add.

      Once you finalized the list, to close the Select Objects window and apply your selection, click OK.

      TIP: If no securable objects appear in the window, use the Click here to display objects link.

      Figure 28: Delegation of Control Wizard – Select objects window when specifying securable objects

      Figure 29: Delegation of Control Wizard – Selecting securable objects

    • To remove securable objects added earlier to the scope of the AT, select them in the Objects step, and click Remove.

    To continue, click Next.

  4. In the Access Templates step, specify the ATs you want to assign to the selected trustees for the configured securable object. Expand the containers of the ATs, then select the AT or ATs you want to apply.

    Figure 30: Delegation of Control Wizard – Selecting Access Templates

    To continue, click Next.

  5. In the Inheritance Options step, specify with the Apply permissions onto setting the scope of securable objects to which Active Roles applies the permissions of the AT:

    • This directory object: Trustees receive the AT permissions only to the selected securable object.

    • Child objects of this directory object: Trustees receive the AT permissions to the children of the securable object. To limit the granted permissions only to the direct children of the object, select Immediate child objects only as well.

    Figure 31: Delegation of Control Wizard- Inheritance Options

    To continue, click Next.

  6. In the Permissions Propagation step, to synchronize the configured permission settings to the native Active Directory (AD) access controls, select Propagate permissions to Active Directory.

    Figure 32: Delegation of Control Wizard – Permissions propagation

    Selecting this setting will modify the authorization information of the AD objects with the permission settings defined in Active Roles, providing more flexibility for users and groups that use native AD management tools besides Active Roles.

    IMPORTANT: Selecting this setting will result in trustees keeping their configured permissions outside of the Active Roles environment, with the potential risk of bypassing policies configured and enforced with Active Roles.

    Therefore, select this option only if the selected trustees have the required security clearance and/or meet all security guidelines in effect within your organization.

    TIP: Once Propagate permissions to Active Directory is selected and configured, you can change this setting at any time with the Active Roles Security > Sync to AD setting, or with the Advanced Details > Sync to AD setting. For more information, see Synchronizing permissions to Active Directory.

    To continue, click Next.

  7. To complete the wizard, click Finish.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating