Assuming default security settings, the Domain Admins rights are sufficient to install the solution.
Assuming default security settings, the Domain Admins rights are sufficient to install the solution.
To use this solution, you must have the necessary security permissions. It is sufficient to be a member of the Active Roles Admin account, in both the source and destination environments. The Active Roles Admin account is specified during installation of the Administration Service and defaults to the Administrators group on the computer running the Administration Service.
IMPORTANT: Before transferring the Active Roles configuration data, ensure that the Active Directory Organizational Unit (OU) structure in the destination environment is identical to the OU structure in the source environment.
These are the general steps required to transfer Active Roles configuration data by using this solution:
|
NOTE: If an object to deploy already exists in the target configuration, then the properties of the object are updated during the deployment process. |
To perform these steps, you can use either the Configuration Collection Wizard and Configuration Deployment Wizard, or the ARSconfig command-line tool. Both methods have the same effect and can be used interchangeably, depending on your requirements.
The solution cannot be used to transfer configuration objects of the following categories:
If you need to roll back the changes made to the configuration of the target Active Roles instance, during the package deployment, you can do this by using the command-line tool included with the solution. For step-by-step instructions, see Scenario: Rolling back the configuration changes later in this document.
When collecting Access Templates and Policy Objects, the solution analyzes their links and writes the links to the destination package. Every link record includes information about the directory object and, if applicable, the trustee to which the respective Access Template or Policy Object is applied. In the configuration package file, this information normally takes the form of the distinguished name (DN), whereas in the Active Roles environment the links refer to the objects by security identifier (SID) or globally unique identifier (GUID). The solution needs DN rather than SID or GUID to identify an object as in a different environment, the object SID or GUID differs from that in the original environment. By identifying the link reference objects by DN, the solution enables the delegation and policy settings to be properly transferred from the source environment to the destination environment.
To have the link records identify the link reference objects by DN, the solution has to look up object SID or GUID to object DN. If this process fails for a given link, the link record is created that identifies the link reference object by SID or GUID. Such a record is referred to as dangling link.
If any dangling links have been recorded to the destination package, the solution informs of this condition. Deploying a package that contains dangling links may create links in the destination environment that refer to non-existent objects. As a result, some delegation and policy settings configured by deploying the package may not match the settings found in the source environment from which the package was collected.
The ARSconfig tool provides the danglingLinks parameter that allows you to specify how you want the deployment process to handle dangling links. For more information, see Using the ARSconfig command-line tool later in this document.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center