Active Roles 8.1.4 - Administration Guide

Exporting and importing a Managed Unit

With the Active Roles Console, you can export Managed Units to an .xml file and then import them from that file to populate another instance of Active Roles. The export and import operations provide a way to move Managed Units from a test environment to a production environment.

To export Managed Units, select them, right-click the selection, and select All Tasks > Export. In the Export Objects dialog, specify the file where you want to save the data, and click Save.

To import Managed Units, right-click the container where you want to place the Managed Units, then click Import. In the Import Directory Objects dialog, select the file to which the Managed Units were exported, and click Open.

NOTE: When you export and then import a Managed Unit, its membership rules are transferred along with its other properties, but its permission and policy settings are not exported. You must reconfigure them manually after you import the Managed Unit.

Renaming a Managed Unit

You can rename a Managed Unit with the Rename setting of the Active Roles Console.

To rename a Managed Unit

  1. In the Active Roles Console, on the Console tree, navigate to Configuration > Managed Units.

  2. Under Managed Units, locate the Managed Unit you want to rename, right-click it, and click Rename.

  3. Enter a new name, then press Enter.

NOTE: Renaming a Managed Unit does not affect the membership rules, permission settings, or policy settings associated with the Managed Unit.

Deleting a Managed Unit

You can delete existing Managed Units with the Active Roles Console.

To delete a Managed Unit

  1. In the Active Roles Console, on the Console tree, navigate to Configuration > Managed Units.

  2. Under Managed Units, locate the Managed Unit you want to delete, right-click it, and click Delete.

NOTE: When you delete a Managed Unit, its members are not deleted. However, the permission settings and the policy settings that were specified via the Managed Unit are no longer in effect after the Managed Unit has been deleted.

Scenario: Implementing role-based administration across multiple OUs

This scenario involves the creation of an administrative view named Sales in an organization with an OU-based structure of Active Directory.

Suppose an organization has offices in the USA and Canada. The rule for including a user in an OU is the geographical location of the user. Therefore, all users who work in the USA reside in the USA OU, and those working in Canada reside in the Canada OU.

The offices in the USA and Canada each have Marketing, Development, and Sales departments. By creating a Sales MU, it is possible to manage users from the Sales departments in the USA and Canada collectively, without changing the actual OU-based structure.

When you delegate control of an MU, all users that belong to the MU inherit the security settings defined at the level of the Managed Unit. Thus, applying an Access Template to a Managed Unit specifies the security settings for each user in the MU.

To implement this scenario, perform the following steps:

  1. Create the Sales MU.

  2. Add users from the Sales departments in the USA and Canada to the Sales MU.

  3. Prepare the Sales Access Template.

  4. Apply the Sales Access Template to the Sales MU, and designate an appropriate group as a Trustee.

As a result, the members of the group gain control of user accounts that belong to the Sales MU. The scope of control is defined by the permissions in the Sales Access Template.

The following sections elaborate on the steps to implement this scenario.
