Chat now with support
Chat mit Support

Active Roles 7.5.3 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo Appendix H: Active Roles integration with Okta

Pre-defined specifiers

Active Roles comes with a collection of pre-defined specifiers that determine the default resource profile configuration. The pre-defined specifiers are located in the Configuration/Server Configuration/Entitlement Profile Specifiers/Builtin container, and can be administered using the Active Roles console. You can make changes to a pre-defined specifier (see Changing entitlement profile specifiers) or you can apply the Disable command for the specifier to have no effect. Note that pre-defined specifiers cannot be deleted.

The pre-defined specifiers have a lower priority than customer-created specifiers. This means the entitlement rules of customer-created specifiers are evaluated first, so that if a given entitlement target object matches the entitlement rules of both a pre-defined specifier and a customer-created specifier, the latter specifier is applied. The priority of specifiers is governed by the edsaPriority attribute setting (see About entitlement profile build process).

The following table provides information about the pre-defined specifiers. For each specifier, the table lists the specifier’s name, description, entitlement type and rules, and resource display settings.

Table 94: Pre-defined specifiers

Name and Description

Type and Rules

Resource Display Settings

Name:
Self - Exchange Mailbox

Description:
Specifies user entitlement to Exchange mailbox.

Type:
Personal resource entitlement

Rules:
Entitlement target object is an Exchange mailbox enabled user account.

Resource type name:
Exchange Mailbox

Resource naming attribute:
mail

Other resource-related attributes:

  • mail
  • homeMDB
  • displayName

Name:
Self - Home Folder

Description:
Specifies user entitlement to home folder.

Type:
Personal resource entitlement

Rules:
Entitlement target object has the homeDirectory attribute set.

Resource type name:
Home Folder

Resource naming attribute:
homeDirectory

Other resource-related attributes:

  • homeDirectory
  • homeDrive

Name:
Self - Unix Account

Description:
Specifies user entitlement to Unix-enabled account.

Type:
Personal resource entitlement

Rules:
Entitlement target object has the uidNumber attribute set AND has a loginShell attribute value other than /bin/false.

Resource type name:
Unix-enabled Account

Resource naming attribute:
userPrincipalName

Other resource-related attributes:

  • userPrincipalName
  • uidNumber
  • gidNumber
  • unixHomeDirectory
  • loginShell

Name:
Self - OCS Account

Description:
Specifies user entitlement to Office Communications Server enabled account.

Type:
Personal resource entitlement

Rules:
Entitlement target object has the msRTCSIP-UserEnabled attribute set to TRUE.

Resource type name:
Enabled for Office Communications Server

Resource naming attribute:
msRTCSIP-PrimaryUserAddress

Other resource-related attributes:

  • msRTCSIP-PrimaryUserAddress
  • edsva-OCS-Pool

Name:
Membership - Member of Security Group

Description:
Specifies entitlement to a resource via membership in a security group.

Type:
Shared resource entitlement

Rules:
Entitlement target object is a security group.

This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the shared resource entitlement type are evaluated prior to the rules of this specifier.

Resource type name:
Member of Security Group

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • displayName
  • description
  • info
  • edsvaResourceURL
  • managedBy
  • edsvaPublished
  • edsvaApprovalByPrimaryOwnerRequired
  • edsvaParentCanonicalName

Name:
Membership - Access to SharePoint Site

Description:
Specifies entitlement to a SharePoint site via membership in a certain security group.

Type:
Shared resource entitlement

Rules:
Entitlement target object is a security group that has the edsva-SP-MirrorType attribute set.

Resource type name:
Access to SharePoint Site

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • edsva-SP-SiteName
  • edsva-SP-SiteURL
  • managedBy
  • edsvaPublished
  • edsvaApprovalByPrimaryOwnerRequired
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Security Group

Description:
Specifies entitlement to the manager or owner role for a security group.

Type:
Managed resource entitlement

Rules:
Entitlement target object is a security group.

Resource type name:
Owner of Security Group

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • displayName
  • description
  • info
  • edsvaResourceURL
  • managedBy
  • edsvaPublished
  • edsvaApprovalByPrimaryOwnerRequired
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Distribution List

Description:
Specifies entitlement to the manager or owner role for a distribution group.

Type:
Managed resource entitlement

Rules:
Entitlement target object is an Exchange mail enabled (distribution) group.

Resource type name:
Owner of Distribution List

Resource naming attribute:
displayName

Other resource-related attributes:

  • displayName
  • mail
  • description
  • info
  • managedBy
  • edsvaPublished
  • edsvaApprovalByPrimaryOwnerRequired
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Resource Exchange Mailbox

Description:
Specifies entitlement to the owner role for a room, equipment, or shared mailbox.

Type:
Managed resource entitlement

Rules:
Entitlement target object is a user account associated with a room, equipment or shared mailbox.

Resource type name:
Owner of Resource Exchange Mailbox

Resource naming attribute:
displayName

Other resource-related attributes:

  • displayName
  • edsva-MsExch-MailboxTypeDescription
  • mail
  • description
  • homeMDB
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Exchange Contact

Description:
Specifies entitlement to the owner role for an Exchange mail contact.

Type:
Managed resource entitlement

Rules:
Entitlement target object is an Exchange mail contact.

Resource type name:
Owner of Exchange Contact

Resource naming attribute:
displayName

Other resource-related attributes:

  • displayName
  • givenName
  • sn
  • mail
  • telephoneNumber
  • company
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Computer

Description:
Specifies entitlement to the manager or owner role for a computer.

Type:
Managed resource entitlement

Rules:
Entitlement target object is a computer account.

Resource type name:
Owner of Computer

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • dNSHostName
  • description
  • operatingSystem
  • edsvaParentCanonicalName

Name:
Managed By - Default

Description:
Default specifier for entitlement to the manager or owner role.

Type:
Managed resource entitlement

Rules:
No rules specified, which means that any object is regarded as matching the entitlement rules of this specifier.

This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the managed resource entitlement type are evaluated prior to the rules of this specifier.

Resource type name:
Owner of <target object class display name>

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • description
  • edsvaParentCanonicalName

Viewing entitlement profile

A user’s entitlement profile can be accessed from the Active Roles console or Web Interface, allowing you to quickly examine resources to which the user is entitled:

  • In the console, right-click the user and click Entitlement Profile. Alternatively, click the Entitlement Profile button on the Managed Resources tab in the Properties dialog box for the user account.
  • In the Web Interface, click the user, and then choose Entitlement Profile from the list of commands.

This opens the Entitlement Profile page that lists the user’s resources grouped in expandable blocks by resource type. Each block may be a section that represents a single resource, or it may comprise a number of sections each of which represents a single resource. The grouping of sections occurs for resources of the same type. For example, the security groups in which the user has membership may be grouped together in a single block, with each group being represented by a separate section.

Initially, each block or section displays only a heading that includes the following items:

  • Resource icon  Graphics that helps distinguish the type of the resource.
  • Resource type  Text string that identifies the type of the resource.
  • Resource name  Text string that identifies the name of the resource, or indicates that the block comprises multiple resource-specific sections.

To view resource details, click the heading of a block or section.

Out of the box, Active Roles is configured so that a user’s entitlement profile displays the user’s entitlements to the resources listed in the table that follows. Active Roles administrators can configure the entitlement profile to display information about additional resources. If a user is not entitled to any resources of a particular type, then the user’s entitlement profile does not contain the sections specific to that resource type. For example, if a user does not have an Exchange mailbox, then the user’s entitlement profile does not contain information about the user’s mailbox.

Table 95: User resources

Resource Type

Resource Name

Resource Details

Exchange Mailbox

E-mail address of mailbox

  • E-mail address
  • Mailbox store or database location
  • Mailbox user’s display name

Home Folder

Path and name of home folder

  • Path and name of home folder
  • Drive letter assigned to home folder

Unix-enabled Account

User principal name

  • User principal name
  • Unix user ID (UID)
  • Unix primary group ID (GID)
  • Unix home directory
  • Unix login shell

Enabled for Office Communications Server

Live communications address

  • Live communications address
  • Office Communications server or pool

Member of Security Group

Group name

  • Group name
  • Group display name
  • Group description
  • Group notes
  • Resource address (URL)
  • Group’s "Managed By" setting
  • Group’s "Is Published" setting
  • Group’s "Approval by Primary Owner Required" setting
  • Group location ("In Folder" setting)

Access to SharePoint Site

Group name

  • Group name
  • SharePoint site name
  • SharePoint site address (URL)
  • Group’s "Managed By" setting
  • Group’s "Is Published" setting
  • Group’s "Approval by Primary Owner Required" setting
  • Group location (group’s "In Folder" setting)

Owner of Security Group

Group name

  • Group name
  • Group display name
  • Group description
  • Group notes
  • Resource address (URL)
  • Group’s "Managed By" setting
  • Group’s "Is Published" setting
  • Group’s "Approval by Primary Owner Required" setting
  • Group location ("In Folder" setting)

Owner of Distribution List

Group display name

  • Group display name
  • Group e-mail address
  • Group description
  • Group notes
  • Group’s "Managed By" setting
  • Group’s "Is Published" setting
  • Group’s "Approval by Primary Owner Required" setting
  • Group location ("In Folder" setting)

Owner of Resource Exchange Mailbox

Mailbox display name

  • Mailbox display name
  • Mailbox type
  • E-mail address
  • Mailbox store or database location
  • Mailbox description
  • Mailbox location ("In Folder" setting)

Owner of Exchange Contact

Contact display name

  • Display name
  • First name
  • Last name
  • E-mail address
  • Telephone number
  • Company
  • Location ("In Folder" setting)

Owner of Computer

Computer name

  • Computer name
  • Computer DNS name
  • Computer description
  • Operating system
  • Location ("In Folder" setting)

Owner of Resource (default)

Managed object’s name

  • Managed object’s name
  • Managed object’s description
  • Managed object’s location ("In Folder" setting)

Authorizing access to entitlement profile

By default, permission to view the entitlement profile is given to Active Roles Admin, the administrative account or group specified during Active Roles installation. Other users or groups can also be permitted to view the entitlement profile. A dedicated Access Template is provided for this purpose so that you can allow the use of the Entitlement Profile command by designated users or user groups.

To permit particular users or groups to view the entitlement profile of the users held in a certain container, such as an organizational unit or a Managed Unit, apply the Access Template as follows.

To authorize access to the entitlement profile

  1. In the Active Roles console, right-click the container and click Delegate Control to display the Active Roles Security window.
  2. In the Active Roles Security window, click Add to start the Delegation of Control wizard.
  3. In the wizard, click Next.
  4. On the Users or Groups page, click Add, and then select the desired users or groups.
  5. Click Next.
  6. On the Access Templates page, expand the Active Directory | Advanced folder, and then select the check box next to Users - View Entitlement Profile (Extended Right).
  7. Click Next and follow the instructions in the wizard, accepting the default settings.

After you complete these steps, the users and groups you selected in Step 4 are authorized to view the entitlement profile of the users held in the container you selected in Step 1, as well as in any sub-container of that container.

 

Recycle Bin

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen