Chat now with support
Chat with Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Minimum required permissions of the Active Roles service account

Active Roles performs operations on directory objects on behalf of delegated users. Because of this, the Active Roles service account that is used to manage the Active Directory domain requires adequate permissions.

NOTE: One Identity strongly recommends to manage the Active Directory domain using an account that is a member of the Domain Admins role group. If this condition is not met, the information and instructions provided in the official One Identity product documentation may not be applicable to your Active Roles installation.

TIP: One Identity recommends using separate service accounts for service tasks and for domain management duties. Doing so can ensure that you can use the service account with the minimum required permissions listed below. However, consider that the proxy account must still be a member of the Domain Admins role group to stay within the support model of Active Roles.

The service account credential has the following five main roles.

Accessing the Administration Service computer

To meet this requirement, the service account must be a member of the Administrators group on the computer running the Active Roles Administration Service.

Service publication in Active Directory

Once configured, the Administration Service attempts to publish itself in Active Directory, so that Active Roles clients can automatically discover the Administration Service instance.

NOTE: While this functionality is not critical, if the service publication permissions are not granted, Active Roles clients will not be able to automatically discover the Active Roles Administration Service instance. However, they can still connect to the Administration Service if they specify in Active Roles Console either the service name or the IP address of the computer running the instance.

For more information, see Service publication in Active Directory in the Active Roles Installation Guide.

Running all Script Modules under the security context of the Active Roles Service Account

The permissions required by custom scripts vary according to the requirements of the individual scripts. As such, review them on a case-by-case basis as a Best Practice security model.

Connecting to the Microsoft SQL database

In some Active Roles configurations, assigning the SQL database connection permissions to the service account is optional, as you can also use an SQL Authentication credential (which then receives the required permissions instead of the service account).

For more information on the necessary SQL Server permissions, see SQL Server Permissions in the Active Roles Quick Start Guide.

Synchronizing native permissions to Active Directory

The service account must have the Read Permissions and Modify Permissions rights on the Active Directory objects and containers where you want to use the Active Roles security synchronization feature.

Configuring rule-based administrative views

To provide additional flexibility beyond the default Active Directory and Azure AD capabilities in managing directory resources, Active Roles supports creating, editing and deleting securable, flexible, rule-based administrative views, known as Managed Units (MUs).

With MUs, administrators can configure distributed administration units independent of the OU hierarchy. As such, MUs are dynamic virtual collections of AD or Azure AD directory objects, and may include them regardless of their location in the organization network.

TIP: For more information on Managed Units and their main features, see Managed Units in the Active Roles Feature Guide.

Administering Managed Units

This section guides you through the Active Roles Console to administer Managed Units.

Creating a Managed Unit

You can create a new Managed Unit (MU) in the Active Roles Console.

Prerequisites

To create MUs in the Active Roles Console, you must use an Active Roles Administration Service account. For more information, see Configuring the Administration Service account in the Active Roles Quick Start Guide.

To create a new Managed Unit (MU) in the Active Roles Console

  1. In the Active Roles Console, on the Console tree, navigate to Configuration > Managed Units.

  2. To open the New Object - Managed Unit wizard, right-click the Managed Units node, then click New > Managed Units.

    TIP: If you need to manage a large number of MUs in your organization, One Identity recommends creating separate MU containers for your specific MUs.

    To create a new container for the configured MU, right-click on the Managed Units node, then click New > Managed Unit Container.

    Figure 1: Active Roles Console – Launching the Managed Unit Container dialog

    Once the new container is created, right-click it in the Console tree and select New > Managed Unit to create a new MU in the container. To move an existing, non built-in MU to the container, right-click the MU, and select Move.

  3. In the Name step, specify a Name and optionally, a Description for the new MU. This name and description will appear in the Active Roles details pane when selecting the MU.

    Figure 2: New Object - Managed Unit wizard – Specifying the Name and Description

    To continue, click Next.

  4. To specify a new membership rule for the MU, in the Membership rule step, click Add.

    Membership rules define which directory objects get assigned to the MU. Active Roles populates the MU dynamically based on the configured rules, adding objects that match their criteria and removing those later that no longer do.

    Figure 3: New Object - Managed Unit wizard – Membership rule list

  5. In the Membership Rule Type dialog, select the rule type used to populate the MU. A membership rule can be a search query, a static object inclusion or exclusion rule, or group membership inclusion and exclusion rule.

    Figure 4: New Object - Managed Unit wizard – Membership rule type selection

    Active Roles supports the following membership rule types:

    Table 1: Managed Unit membership rules
    Rule name Description
    Include Explicitly

    Includes the Active Directory (AD) or Azure Active Directory (Azure AD) objects you select in the wizard.

    Once selected, Active Roles will keep the objects included in the MU even if they are updated, renamed, or moved elsewhere within your organization directory.

    Include by Query

    Lets you define a custom query that the AD or Azure AD objects must match to be included in the MU. The query editor dialog lets you select the object type and location (such as AD domain or Azure tenant), then dynamically populates the dialog with settings according to the object type you selected.

    The dialog also offers Advanced query settings to configure queries by specifying the following elements to check:

    • Object types and properties

    • Logical conditions

    • Specified values

    Once you configure a query, you can test it with the Preview Rule button.

    NOTE: Consider the following when configuring a custom query:

    • The Include by Query membership rule does not support Azure contacts and Azure distribution groups. To include Azure contacts or Azure distribution groups in an MU, use the Include Explicitly rule type.

    • If you configure a Managed Unit with an Include by Query rule, the following condition operators cannot query Azure objects due to Graph API limitations:

      • Contains

      • Present

    • The contents of the Condition drop-down list are static, and may contain logical conditions that do not work with the selected object attribute (for example, selecting Greater or equal for the edsaAzureManager Azure AD attribute returns no results). Always make sure to select a logical condition against which Active Roles can enumerate the value of the selected Azure attribute.

    • When querying Azure object attributes, the Ends with condition returns results only if you specify whole words. The only exceptions to this behavior are the mail, otherMails, userPrincipalName and proxyAddresses attributes, where Ends with can properly query the values that end with your specified string.

      For more information, see Support for filter by properties of Microsoft Entra ID (directory) objects in the Microsoft Graph documentation.

    • You can query the edsaAzureManager attribute with the Is not condition only if the query rule is used in an AND relationship with another query rule. Querying the edsaAzureManager attribute with the Is not condition returns no results if the query rule is used alone or in an OR relationship.

    Include Group Members

    Includes the members of the selected AD or Azure AD groups.

    Once selected, Active Roles will keep the MU membership dynamically up-to-date: if new members are added to the selected groups, Active Roles will also include them in the MU; and likewise, members removed from the included groups will also be removed from the MU.

    Exclude Explicitly

    Excludes the AD or Azure AD object you select in the MU.

    Once selected, Active Roles will keep the objects excluded from the MU even if they are updated, renamed, or moved elsewhere within your organization directory.

    NOTE: Consider the following when selecting this membership rule:

    • The Exclude Explicitly rule takes precedence over all other membership rule types. Because of this, Active Roles will exclude the objects specified with this rule, even if another rule specifies that Active Roles must include them in the MU.

    • This rule excludes only objects that match one of the inclusion rules of the MU.

    Exclude by Query

    Lets you define a custom query that the AD or Azure AD objects must match to be excluded from the MU. Once configured, Active Roles will automatically exclude objects that meet the query conditions.

    The query editor works and functions the same way as it does when configuring an Include by Query rule, and also shares the same limitations listed there.

    NOTE: This rule excludes only objects that match one of the inclusion rules of the MU.

    Exclude Group Members

    Excludes the members of the selected AD or Azure AD groups.

    Once selected, Active Roles will keep the MU membership dynamically up-to-date: if new members are added to any of the selected groups, Active Roles will exclude them from the MU. Likewise, if a member is removed from all specified groups, Active Roles will add them to the MU, provided that the member meets a configured inclusion rule.

    NOTE: This rule excludes only objects that match one of the inclusion rules of the MU.

    Retain Deprovisioned

    Configures the MU to also include and keep deprovisioned objects that meet the membership rules.

    If this rule is not selected, Active Roles automatically removes deprovisioned objects from the MU.

    NOTE: The exclusion rules affect only objects that match one of the inclusion rules configured for the MU.

    For example, if a container is explicitly included in an MU, then all objects held in that container are also included in the MU. However, you cannot exclude any of those objects themselves with exclusion rules, as it is their container that meets the inclusion rules in this case. To exclude the objects of the container, you must configure an exclusion rule for the container instead.

  6. Configure the selected membership rule:

    • If you selected the Include Explicitly or Exclude Explicitly rule type, the Select Objects dialog appears. Select the objects you want to include or exclude from the MU, click Add, and then click OK.

    • If you selected the Include Group Members or Exclude Group Members rule type, the Select Objects dialog appears, listing the available groups. Select the AD or Azure AD groups you want to include, click Add, and then click OK. All members of the selected groups will be included or excluded from the MU.

    • If you selected the Include by Query or Exclude by Query rule type, the Create Membership Rule dialog appears. Use the dialog to configure your inclusion or exclusion rule.

  7. (Optional) To configure additional rules, click Add again.

    NOTE: If you add several membership rules to an MU, Active Roles runs them in the order you configured them. If some of the configured rules conflict with each other, Active Roles resolves the conflict by prioritizing the configured Exclude rules over the configured Include rules.

  8. Once you finished adding all membership rules, click Next.

  9. (Optional) In the Object Security / Policy Objects step, specify the permissions and policy objects related to the configured MU.

    Figure 5: New Object - Managed Unit wizard – Access Template and Policy Object links

  10. To finish configuring the MU, click Next and Finish.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating