Chat now with support
Chat mit Support

Identity Manager 8.1.5 - Administration Guide for Active Roles Integration

Interaction with Active Roles workflows

In the default configuration of processes and synchronization behavior, the integrated Active Roles connector works without input from Active Roles workflows. Changes are published immediately in Active Directory. An administrative user account. which is member in the Active Roles group is required for default behavior.

The One Identity Manager connector integrated in Active Roles does, however, allow Active Roles workflows to be controlled. That means, every operation in the Active Roles that is linked to a workflow starts that workflow.

You may have to customize processes so that they wait for the execution of workflows and therefore also the execution of changes in Active Roles if the Active Directory connector is supposed to trigger workflows. This is necessary because the One Identity Manager processes defined in the Active Directory are executed synchronously. The Active Roles connector is provided with additional functions to support you when querying the status of workflows.

The domain configuration and One Identity Manager Service user account permissions determine whether workflows are triggered.

NOTE: If the One Identity Manager Service's user account is a member in the Active Roles administrators group, workflows are always bypassed irrespective of the option setting.

For more information about Active Roles workflows, refer to your One Identity Active Roles documentation.

The following table show the correlation.

Table 4: Correlation to Active Roles workflow control
User Account Member of the Active Roles Administrators? Option <Execute Active Roles workflows> Set? Operation Linked with Active Roles Workflows? Result
Yes Yes No The operation is executed immediately.
Yes No No The operation is executed immediately.
Yes Yes Yes The operation is executed immediately without input from workflows.
Yes No Yes The operation is executed immediately without input from workflows.
No Yes No The operation is executed immediately.
No No No The operation is executed immediately.
No Yes Yes The Operation triggers workflows and depends on the final status.
No No Yes The operation is aborted with an error message.
Related topics

Extensions for applying Active Roles workflows

NOTE: One Identity Manager sets up the domains in the Synchronization Editor database.

To edit master data for an Active Directory domain

  1. Select the Active Directory | Domains category.
  2. Select the domain in the result list and run the Change master data task.

  3. Enter the following data for utilizing workflows on the Active Roles tab.

    Table 5: Extended properties for applying Active Roles workflows
    Property Description

    Execute Active Roles workflows

    Specifies whether Active Roles workflows should be executed. For more information about Active Roles workflows, refer to your One Identity Active Roles documentation.

    If this option is set, Active Roles workflows can be controlled by the integrated Active Roles connector. You may need to define custom processes in One Identity Manager to use this functionality.

    If this option is not set, One Identity Manager works without input from Active Roles workflows (default configuration). Default behavior requires an administrative account.

    NOTE: If the One Identity Manager Service user account is a member in the Active Roles administrators group, Active Roles workflows are always bypassed independent of the option.

    User accounts deleted by Active Roles workflows

    Specifies whether user accounts above deprovisioning workflows are deleted in Active Roles.

    Groups deleted by Active Roles workflows

    Specifies whether groups are deleted in Active Roles through deprovisioning workflows.

  4. Save the changes.
Related topics

Operation ID and status

The ID found by the Active Directory connector is returned in the "LastOperationID" output parameter of each change operation in Active Roles. The operation status passed from Active Roles is returned in the "LastOperationStatus" parameter. If no workflow is triggered and the operation is successful, the status "Completed" is returned. If a workflow is triggered, then the status "Pending" is returned. You can use these task parameters in follow-up processes to wait for the workflows to be executed.

Additional virtual properties in the schema

The Active Roles schema is provided with additional virtual properties for querying the current status of workflows.

NOTE:Virtual properties do not require any extension to the Active Directory schema. Active Roles behaves as though these properties really exist.

These virtual properties are defined as "read-only" and exist for all objects but are not mapped in the default project template. To use this functionality, you must adapt the custom mapping.

When the properties are read, the Active Roles connector executes an "OperationSearchRequest" call to Active Roles. To limit the impact on performance, the result of the queries is held for 30 seconds in cache.

Table 6: Virtual properties for the Active Roles connector
Property Description
vrtLastOperationID ID of the last operation in Active Roles.
vrtLastOperationStatus ID of the last operation in Active Roles. Possible statuses are "Unknown", "Pending", "Completed", "Rejected", "Failed", and "Canceled".

For more information see your One Identity Active Roles documentation.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen