The Active Roles Administration Guide provides detailed information about how to configure and maintain an installed Active Roles deployment for day-to-day administrative operations.
The document describes how to:
-
Configure rule-based and role-based administration settings.
-
Configure automatic resource provisioning and deprovisioning.
-
Set up automation and approval workflows for administrators or helpdesk personnel.
-
Manage groups via temporal group memberships, group families or dynamic groups.
-
Configure and monitor Active Roles reporting and Management History settings.
-
Configure entitlement profiles to give access to specific information resources.
-
Use the Active Directory Recycle Bin with Active Roles.
-
Integrate Active Roles with One Identity Starling.
-
Configure linked and remote Exchange mailboxes.
-
Register Azure AD tenants with Active Roles to manage Azure AD objects and resources.
-
Configure SQL Server replication.
-
Use Administrative Templates to set the behavior and appearance of the Active Roles Console with Group Policies.
-
Integrate Active Roles with other One Identity, Quest or third-party products and services.
-
Use optional utilities (the Configuration Transfer Wizard, Diagnostic Tools, Add-on Manager or the Active Roles Language Pack) to enhance and maintain your Active Roles deployment.
NOTE: For information about how to perform day-to-day administrative tasks, see the following documents:
-
For information about how to administer Active Directory resources in the Active Roles Console, see the Active Roles Console User Guide.
-
For information about how to administer Active Directory and Azure AD resources with the Active Roles Web Interface, see the Active Roles Web Interface User Guide.
In addition, for information about how to configure and customize the Active Roles Web Interface component, see the Active Roles Web Interface Configuration Guide.
Getting started with Active Roles
This section describes how to start using Active Roles to prepare it for day-to-day administration operations.
NOTE: The Active Roles Administration Guide only describes product configuration procedures. For the in-depth description of its features and user interfaces, see the following documents:
-
For more information on the product features, see the Active Roles Feature Guide.
-
For more information on the Active Roles Console and the day-to-day operations you can perform with it, see the Active Roles Console User Guide.
-
For more information on the Active Roles Web Interface and the day-to-day operations you can perform with it, see the Active Roles Web Interface User Guide.
-
For more information on customizing and configuring the Web Interface and its sites, see the Active Roles Web Interface Configuration Guide.
The Active Roles Console, also referred to as MMC Interface, is a comprehensive administrative tool that you can use to:
-
Manage Active Directory and Microsoft Exchange resources.
-
Configure organization-level access and administration policies.
-
Set up automation or approval workflows for your administrators or helpdesk personnel.
To start the Active Roles Console
-
Log in to the system where Active RolesConsole is installed.
-
Depending on the version of your operating system:
-
In the Apps page, click Active Roles 8.2.1 Console.
-
From the Start menu, select All Programs > One Identity Active Roles 8.2.1 > Active Roles 8.2.1 Console.
NOTE: By default, the Active Roles Console automatically chooses an Administration Service instance and establishes a connection. If the Console cannot connect to the Administration Service or you want to manually select the Administration Service, see Connecting to the Administration Service.
By default, after installing Active Roles, every user can log in to the Active Roles Console. You can allow or restrict access either for all users or to users you specify.
Allowing or restricting access to the Active Roles Console for all users
Use the MMC Interface Access setting of the Active Roles Configuration Center. This setting lets you restrict Console access only to Active Roles Admin users (or allow Console access again for all users, if the access is restricted).
To allow or restrict access to the Active Roles Console for all users
-
On the Configuration Center Dashboard page, in the MMC Interface Access area, click Manage Settings.
-
On the MMC Interface Access page that opens, in the Settings area, click Component, then click Modify or double-click the Component item.
-
On the MMC Interface Access wizard that appears, select one of the following options:
-
Allow Console (MMC Interface) access for all users: Enables the user to log in to Active Roles Console.
-
Restrict Console (MMC Interface) access for all users: Restricts all non-Active Roles Admin users from using the Console. This affects all delegated users, but does not apply to Active Roles Admin users.
-
Click OK.
Active Roles then configures the Console access settings successfully. When ready, a message appears prompting you to restart the Administration Service and disconnect all Console user sessions, so that the updated settings can be validated.
Allowing access to the Active Roles Console for selected users
If Console access is already restricted to Active Roles Admin users, you can give Console access to individual users by assigning them to the User Interface Management - MMC Full control Access Template (AT). This AT gives access permission to the Server Configuration > User Interfaces > MMC Interface object.
To allow access to Active Roles Console for selected users
-
In the Console tree, expand Active Roles > Configuration > Server Configuration.
-
Under Server Configuration, locate the User Interfaces container, right-click it, and click Delegate Control.
-
On the Users or Groups page, click Add, then select the users or groups to which you want to delegate the control. Click Next.
-
On the Access Templates page, expand the Active Directory > User Interfaces folder, and select the check box next to User Interface Management-MMC Full control.
-
Click Next and follow the instructions in the wizard, accepting the default settings.
-
After you complete these steps, the users and groups you selected in Step 3 are authorized to log in to the Active Roles Console.
-
Click OK to close the Active Roles Security dialog.