立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - Administration Guide for Active Roles Integration

One Identity Active Roles integration Synchronizing Active Directory using One Identity Active Roles Interaction with Active Roles workflows Interaction with Active Roles policies Managing Active Directory objects Configuration parameters for managing an Active Directory environment Default project template for One Identity Active Roles Active Roles connector settings

Interaction with Active Roles workflows

In the default configuration of processes and synchronization behavior, the integrated Active Roles connector works without input from Active Roles workflows. Changes are published immediately in Active Directory. An administrative user account. which is member in the Active Roles group is required for default behavior.

The One Identity Manager connector integrated in Active Roles does, however, allow Active Roles workflows to be controlled. That means, every operation in the Active Roles that is linked to a workflow starts that workflow.

If the Active Roles connector is supposed to trigger workflows, you may have to customize processes so that they wait for the workflows to run and the changes to be made in Active Directory. This is necessary because the One Identity Manager processes defined in the Active Directory are run synchronously. The Active Roles connector is provided with additional functions to support you when querying the status of workflows.

The domain configuration and One Identity Manager Service user account permissions determine whether workflows are triggered.

NOTE: If the One Identity Manager Service's user account is a member in the Active Roles administrators group, workflows are always bypassed irrespective of the option setting.

For more information about Active Roles workflows, see your One Identity Active Roles documentation.

The following table show the correlation.

Table 5: Correlation to Active Roles workflow control
User Account Member of the Active Roles Administrators? Option "Run Active Roles workflows" set? Operation Linked with Active Roles Workflows? Result

Yes

Yes

No

The operation is run immediately.

Yes

No

No

The operation is run immediately.

Yes

Yes

Yes

The operation is run immediately without input from workflows.

Yes

No

Yes

The operation is run immediately without input from workflows.

No

Yes

No

The operation is run immediately.

No

No

No

The operation is run immediately.

No

Yes

Yes

The Operation triggers workflows and depends on the final status.

No

No

Yes

The operation quits with an error message.

Related topics

Extensions for applying Active Roles workflows

NOTE: One Identity Manager sets up the domains in the Synchronization Editor database.

To edit main data of an Active Directory domain

  1. In the Manager, select the Active Directory > Domains category.

  2. Select the domain in the result list and run the Change main data task.

  3. On the Active Roles tab, enter the following data for utilizing workflows.

    Table 6: Extended properties for applying Active Roles workflows
    Property Description

    Run Active Roles workflows

    Specifies whether to run Active Roles workflows. For more information about Active Roles workflows, see your One Identity Active Roles documentation.

    If this option is set, Active Roles workflows can be controlled by the integrated Active Roles connector. You may need to define custom processes in One Identity Manager to use this functionality.

    If this option is not set, One Identity Manager works without input from Active Roles workflows (default configuration). Default behavior requires an administrative account.

    NOTE: If the One Identity Manager Service user account is a member in the Active Roles administrators group, Active Roles workflows are always bypassed independent of the option.

    User accounts deleted by Active Roles workflows

    Specifies whether user accounts are deleted in Active Roles through deprovisioning workflows.

    Groups deleted by Active Roles workflows

    Specifies whether groups are deleted in Active Roles through deprovisioning workflows.

  4. Save the changes.
Related topics

Operation ID and status

The ID found by the Active Roles connector is returned in the LastOperationID output parameter of each change operation in Active Directory. The operation status passed from Active Roles is returned in the LastOperationStatus parameter. If no workflow is triggered and the operation is successful, the status Completed is returned. If a workflow is triggered, then the status Pending is returned. You can use these task parameters in follow-up processes to wait for the workflows to be run.

Additional virtual properties in the schema

The Active Roles schema is provided with additional virtual properties for querying the current status of workflows.

NOTE:Virtual properties do not require any extension to the Active Directory schema. Active Roles behaves as though these properties really exist.

These virtual properties are defined as read-only and exist for all objects but are not mapped in the default project template. To use this functionality, you must adapt the custom mapping.

When the properties are read, the Active Roles connector runs an OperationSearchRequest call to Active Roles. To limit the impact on performance, the result of the queries is held for 30 seconds in cache.

Table 7: Virtual properties for the Active Roles connector
Property Description

vrtLastOperationID

ID of the last operation in Active Roles.

vrtLastOperationStatus

Status of the last operation in Active Roles. Possible statuses are Unknown, Pending, Completed, Rejected, Failed, and Canceled.

For more information, see your One Identity Active Roles documentation.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级