立即与支持人员聊天
与支持团队交流

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Creating a script

To create a new script module, in the Console tree, right-click Script Modules and select New > Script Module. This opens the New Object - Script Module Wizard.

TIP: It is advisable to store custom script modules in a separate container. You can create a container as follows: Right-click Script Modules in the Console tree, and select New > Scripts Container. After you have created a container, you can have the wizard add a script module to that container rather than directly to Script Modules: right-click the container in the console tree and select New > Script Module.

The first page of the wizard looks as shown in the following figure.

Figure 52: Script module: Creating a script

Type a name and description for the new script module, and select script language. Then click Next. The next page looks as shown in the following figure.

Figure 53: Script Module: Policy script

On this page, select a type of the script module. Select Policy script to create a script that will be used as part of the Policy Object. The other options are:

  • Scheduled Task script: Script that you can schedule to run on the Administration Service.

  • Library script: Script to be used by other script modules. You can collect commonly used functions into a standalone script module and include it in other modules requiring those functions. This allows you to re-use some pieces of existing scripts, thus reducing development effort and time.

Select Policy script and click Next. This displays the page with a list of event handler functions shown in the following figure.

Figure 54: Script Module: Event handler functions

On this page, select functions to be used in the script, and click Next. Then, click Finish to create the script module.

For instructions and guidelines on how to develop policy scripts, refer to the Active Roles Software Development Kit (SDK).

In the Active Roles Console, you can view and modify scripts, both imported and newly created.

Editing a script

To edit a script, select it in the Console tree under Configuration/Script Modules. You can view and modify the script in the details pane. To start editing the script, right-click the script module and click Edit Script. Then, click Yes to confirm the operation. You can make changes to the script in the details pane.

When you are editing the script, a red asterisk is displayed next to the name of the script module in the Console tree. This indicates the changes you are making to the script are not saved. You can undo your changes or save them:

  • To undo changes, press CTRL+Z. (The redo function is also available: press CTRL+Y.)

  • To undo all unsaved changes, right-click the script module and click Discard Changes. (This operation is irreversible: if you perform this command, your changes to the script are lost.)

  • To save the changes, right-click the script module and click Save Script on Server.

When the script module is ready, you can proceed to configuring a script policy that will use the prepared script module.

Active Roles allows you to attach a debugger to the Administration Service’s script host for a given policy script or scheduled task script. When the script is being executed by the specified Administration Service, the debugger may help you identify and isolate problems, if any, with the policy or task based on that script.

To enable debugging of a script in the Active Roles Console, display the Properties dialog for the script module containing the script, go to the Debugging tab, and select the Enable debugging check box. From the Debug on server list, select the Administration Service where you want the debugger to run.

Scenario: Restricting group scope

This scenario describes how to configure a policy that prevents creation of universal groups. With this policy, the Active Roles Console orWeb Interface does not allow an administrator to create a new universal group or convert an existing group to a universal group.

To implement this scenario, you must perform the following actions:

  1. Prepare the script that implements this scenario.

  2. Create and configure the Policy Object to run that script.

  3. Apply the Policy Object to a domain, OU, or Managed Unit.

As a result, the Active Roles Console or Web Interface cannot be used to set the universal group scope option when creating a new group or changing an existing group in the container you selected in Step 3. For example, if you choose the Universal option under Group scope and then click Next in the New Object - Group Wizard, the Active Roles Console presents you with an error message stating that creation of universal groups is not allowed.

The following sections elaborate on the steps to implement this scenario.

Preparing the script module

The script used in this scenario is installed with the Active Roles SDK. By default, the path and name of the script file is as follows:

%ProgramFiles%\One Identity\Active Roles\Active Roles\SDK\Samples\RestrictGroupScope\RestrictGroupScope.ps1

The script receives control upon a request to check the property values submitted to the Administration Service, and analyzes the value of the groupType attribute to determine if the universal group scope option is attempted. If the script detects that the assumed groupType value would cause a group to be configured as a universal group, it raises a policy violation event in the Administration Service. As a result, the application that initiated the request (such as the Active Roles Console or Web Interface) displays an error message provided by the script.

To import the script, right-click the Script Modules container in the Active Roles Console, and click Import. Then, select and open the RestrictGroupScope.ps1 file.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级