Chat now with support
Chat with Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Configuring role-based administration

To provide additional flexibility beyond the system-provided Active Directory Users and Computers tool in delegating administrative responsibilities, Active Roles supports:

  • Consolidating permissions into customizable administrative roles, known as Access Templates.

    Access Templates are collections of permissions representing administrative roles. Permissions are used to allow or deny certain administrative operations to a user or group. You can create an Access Template that incorporates all permissions required to perform a particular administrative role.

  • Claims-based authorization rules (known as "Access Rules") to allow or deny access to Active Directory objects.

    Access rules improve access control management for Active Directory administration. With access rules, Active Roles adds more flexibility and precision in delegating control of Active Directory objects, such as users, computers or groups, through the use of claims (the Active Directory user and computer properties) in the Active Roles authorization model.

TIP: For more information on these role-based administration features, see Access Templates and Access Rules in the Active Roles Feature Guide.

Access Template management tasks

This section guides you through the Active Roles Console to manage Access Templates.

Using predefined Access Templates

Active Roles offers an extensive suite of preconfigured Access Templates that represent typical administrative roles, enabling the correct level of administrative authority to be delegated quickly and consistently.

The predefined Access Templates are located in containers under Configuration > Access Templates in the Active Roles Console. You can display a list of Access Templates in the details pane by expanding Configuration > Access Templates, then selecting one of these containers in the Console tree:

  • Active Directory

  • AD LDS (ADAM)

  • Azure

  • Builtin

  • Computer Resources

  • Configuration

  • Exchange

  • Skype for Business Server

  • Starling

  • User Interfaces

  • User Self-management

For more information on predefined Access Templates and their recommended use, see the Active Roles Built-in Access Templates Reference Guide.

Creating an Access Template

You can create a new Access Template for role-based delegation with the Active Roles Console.

NOTE: Creating and managing Access Templates is done with the Add Permission Entries Wizard. For the detailed description of the wizard, see Add Permission Entries Wizard in the Active Roles Feature Guide.

To create an Access Template

  1. In the Console tree, under Configuration > Access Templates, locate and select the folder in which you want to add the Access Template.

    NOTE: Consider the following when creating an Access Template:

    • You can create a new folder by right-clicking Access Templates and selecting New > New Access Template Container. Similarly, you can create a sub-folder in a folder by right-clicking the folder, and selecting New > Access Template Container.

    • One Identity recommends storing custom Access Templates in a separate container.

  2. To start the New Object - Access Template wizard, right-click the folder, and select New > Access Template.

  3. On the first page of the wizard, do the following, then click Next:

    1. In the Name box, enter a name for the Access Template.

    2. (Optional) In the Description box, type any information about the Access Template.

  4. On the second page of the wizard, configure the list of permission entries, then click Next.

  5. Click Finish to create the Access Template that includes the permission entries you have specified.

To add a permission entry to an Access Template

  1. In the Active Roles Console, select the Access Template you want to modify.

  2. To start the Add Permission Entries Wizard, on the page that displays a list of permission entries included in the Access Template, click Add.

  3. On the first page of the wizard, select one of these options:

    • All object classes: The rights defined by this permission entry apply to objects of any class.

    • Only the following classes: The rights defined by this permission entry apply to objects of specific classes. Select object classes from the list. If the list does not include the object class you want, select Show all possible classes.

  4. Click Next.

  5. On the second page of the wizard, select one of these options:

    • Full control access: The rights to create or delete child objects, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with any extended right. This option does not have any configuration parameters.

    • Object access: The rights to exercise certain generic permissions and extended rights on the objects. Select permissions and extended rights from the list to configure this option as appropriate.

    • Object property access: The rights to read or write certain properties of the object. Select check boxes to configure this option as appropriate: Read properties, Write properties. On the next page of the wizard, you can select the properties you want to be controlled by this permission entry.

    • Creation/Deletion of child objects: The rights to create or delete child objects of the object. Select check boxes to configure this option as appropriate: Create child objects, Delete child objects, Move objects into this container. On the next page of the wizard, you can specify the class or classes of child object you want to be controlled by this permission entry.

  6. If you want the Access Template to deny the rights defined by this permission entry, select the Deny permission check box. Otherwise, leave the check box cleared.

  7. Do the following, depending on the option you selected and configured in Step 4:

    • Full control access or Object access: Click Finish to add the permission entry to the Access Template.

    • Object property access or Creation/Deletion of child objects: Click Next to continue configuring the option.

  8. Continue configuring the option you selected in Step 4. then, to add the permission entry to the Access Template, click Finish:

    • If you selected Object property access, select the properties to be controlled by this permission entry. You have two options: All properties and The following properties. With the second option, you must select properties from the list. If the list does not include the property you want, select Show all possible properties.

    • If you selected Creation/Deletion of child objects, specify the class or classes of child object to be controlled by this permission entry. You have two options: Child objects of any class and Child objects of the following classes. With the second option, you must select one or more object classes from the list. If the list does not include the object class you want, select Show all possible classes.

To view or modify a permission entry in an Access Template

  1. In the Active Roles Console, select the Access Template you want to modify.

  2. On the page that displays a list of permission entries included in the Access Template, select the permission entry you want to view or modify. Then, to display the Modify Permission Entry dialog, click View/Edit.

  3. Examine the Apply Onto tab in the Modify Permission Entry dialog. On this tab, you can view or modify the same settings as on the first page of the Add Permission Entries Wizard.

  4. Examine the Permissions tab in the Modify Permission Entry dialog. This tab provides the same options as the second page of the Add Permission Entries Wizard. The options are read-only, so you cannot change the option that was selected upon creation of the permission entry. However, you can manage the configuration of the option:

    • Object access: Select generic permissions or extended rights you want to add to the Access Template.

    • Object property access: Select or clear these check boxes: Read properties, Write properties.

    • Creation/Deletion of child objects: Select or clear these check boxes: Create child objects, Delete child objects, Move objects into this container.

  5. (Optional) If you want the Access Template to deny the rights defined by this permission entry, select the Deny permission check box on the Permissions tab. Otherwise, leave the check box cleared.

  6. If Object property access is selected on the Permissions tab, use the Object Properties tab in the Modify Permission Entry dialog to view or modify the settings that determine which properties are controlled by this permission entry.

  7. If Creation/Deletion of child objects is selected on the Permissions tab, use the Object Classes tab in the Modify Permission Entry dialog to view or modify the settings that determine which classes of child object are controlled by this permission entry.

To delete a permission entry from an Access Template

  1. In the Active Roles Console, select the Access Template you want to modify.

  2. On the page that displays a list of permission entries included in the Access Template, select the permission entry you want to delete, and click Remove.

  3. To confirm deleting the permission entry, click Yes.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating