You can export Policy Objects to an XML file using Active Roles Console, then import the exported Policy Objects to another instance of Active Roles. The export and import operations provide a way to move Policy Objects from a test environment to a production environment.
NOTE: When you export and import Policy Objects, Active Roles only transfers the configured list of policies. The Policy Object links are not included in the export-import operation. You must reconfigure them manually after completing the transfer.
To export and import a Policy Object
- In the Console tree, navigate to Configuration > Policies > Administration.
- Select the folder that contains the Policy Object that you want to export.
- In the details pane, right-click the Policy Object, then click All Tasks > Export.
- In the Export Objects dialog, navigate to the folder where you want to save the file, and click Save.
- In the destination Active Roles Console instance, under the Console tree, right-click the directory object where you want to import the Policy Object, then click Import.
- In the Import Directory Objects dialog, select the file to which you exported the Policy Object, then click Open.
You can delete Policy Objects using Active Roles Console.
NOTE: You can only delete or rename Policy Objects that you have created. Built-in Policy Objects can only be copied or exported.
To delete a Policy Object
- In the Console tree, navigate to Configuration > Policies > Administration.
- Select the folder that contains the Policy Object that you want to delete.
- In the details pane, right-click the Policy Object, then click Delete.
NOTE: Once a Policy Object is applied within Active Roles, the Policy Object cannot be deleted. If you want to remove the Policy Object, first remove all items from the list in the Active Roles Policy Scope dialog.
For more information on removing items from the policy scope, see Removing Policy Object links.
Checking for policy compliance provides information on directory data that does not comply with the policies—such as user or group naming conventions—defined with Active Roles. If you define some policies when data has already been entered, you can check the data and modify it accordingly to ensure that the data meets the policy requirements.
For more information about this feature, see Policy compliance checks in the Active Roles Administration Guide.
To check an object for policy compliance
- Right-click the object, and click Check Policy.
- If the object is a container or Managed Unit, select the appropriate combination of these check boxes to specify the scope of the operation:
  - This directory object: The scope includes the container or Managed Unit you have selected (this option does not cause the scope to include any child objects or members of the container or Managed Unit).
  - Child objects of this directory object: The scope includes all the child objects (or members, as applied to a Managed Unit) in the entire hierarchy under the container or Managed Unit you have selected.
  - Immediate child objects only: The scope includes only the child objects (or members, as applied to a Managed Unit) of which the container or Managed Unit that you have selected is the direct ancestor.
Click OK.
The progress and results of the policy check operation are displayed in the Policy Check Results window. The left pane of the window lists the objects for which a policy violation has been detected.
- Click an object in the left pane of the Policy Check Results window.
When you click an object in the left pane, the right pane describes the policy violation in detail. By default, the right pane in the Policy Check Results window only displays basic options. You can display more choices by clicking the Details column heading.
- Use hypertext links in the right pane to perform the following tasks:
  - Modify the property value violating the policy. To do so, click the edit link next to the Property value label.
  - Remove the object from the policy scope: Click the block policy inheritance link next to the Policy Object label. If you do so, the policy no longer controls the object.
  - Modify the policy by clicking the properties link next to the Policy Object label. This displays the Properties dialog for the Policy Object. For instructions on how to add, modify, or remove policies in the Properties dialog, see Adding policies to a Policy Object, Modifying policies in a Policy Object, and Removing policies from a Policy Object.
  - View or modify the properties of the object that violates the policy. To do so, click Properties in the upper-right corner of the right pane.
  - View or modify the properties of the object to which the Policy Object is applied (linked). To do so, click the properties link next to the Applied to label.
NOTE: The Check Policy command on a Policy Object performs a check on all the objects found in the policy scope of the Policy Object. Use the Check Policy command on a Policy Object to find all objects that are not in compliance with the policies defined by that Policy Object.
To see how checking for policy compliance works in the Active Roles Console
- Create and configure a Policy Object with the property validation and generation policy for the Department property of user objects, specifying the policy rule as follows: Value must be specified and must be Sales or Production.
- Apply (link) that Policy Object to an Organizational Unit that already holds some user objects with no department specified.
- Right-click the Organizational Unit and click Check Policy. In the Check Policy dialog, click OK.
Once you have performed these steps, the Policy Check Results window is displayed. Its left pane lists objects violating the policy.
- Wait while the list in the left pane is being populated. Then, select a user object from the list.
The right pane, next to the Violation label, displays the prompt You must specify a value for the property ‘department’.
- In the right pane, click the edit link next to the Property value label.
- In the Properties dialog, select one of the acceptable values (Production or Sales) from the Department combo-box.
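The walkthrough's rule and the three scope check boxes, modeled offline as an added example (not Active Roles code and not part of the original page), to show which objects each scope choice brings into the check. The DNs, function names and reason strings are constructed, and treating the three scope options as independent flags is an assumption.

```python
import re

ALLOWED = {"Sales", "Production"}  # acceptable Department values from the walkthrough

# Constructed sample directory: DN -> (object class, department value)
DIRECTORY = {
    "OU=Staff,DC=example,DC=test": ("organizationalUnit", None),
    "CN=Ann,OU=Staff,DC=example,DC=test": ("user", "Sales"),
    "CN=Bob,OU=Staff,DC=example,DC=test": ("user", None),
    "OU=Temps,OU=Staff,DC=example,DC=test": ("organizationalUnit", None),
    "CN=Cy\\, Jr,OU=Temps,OU=Staff,DC=example,DC=test": ("user", "Marketing"),
    "CN=Dee,OU=Temps,OU=Staff,DC=example,DC=test": ("user", ""),
    "CN=Eve,OU=Other,DC=example,DC=test": ("user", None),
}

def parent_dn(dn):
    """Drop the leading RDN; a backslash-escaped comma is part of the RDN value."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""

def is_descendant(dn, root):
    # Walk the ancestor chain instead of suffix matching, so escaped commas are safe.
    parent = parent_dn(dn)
    while parent:
        if parent.lower() == root.lower():
            return True
        parent = parent_dn(parent)
    return False

def in_scope(dn, root, this_object, all_children, immediate_children):
    if dn.lower() == root.lower():
        return this_object  # the container itself, never its children
    if all_children and is_descendant(dn, root):
        return True  # entire hierarchy under the container
    return immediate_children and parent_dn(dn).lower() == root.lower()

def check_policy(root, this_object=False, all_children=False, immediate_children=False):
    """Return (dn, reason) for each user object in scope that violates the rule."""
    violations = []
    for dn, (object_class, department) in DIRECTORY.items():
        if object_class != "user" or not in_scope(
                dn, root, this_object, all_children, immediate_children):
            continue
        if not department:
            violations.append((dn, "value not specified"))
        elif department not in ALLOWED:
            violations.append((dn, f"value not allowed: {department}"))
    return violations

if __name__ == "__main__":
    print(check_policy("OU=Staff,DC=example,DC=test", all_children=True))
```

Selecting only the immediate-children scope in this model skips the users in the nested OU, so a clean result there does not mean the whole hierarchy complies.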
The Active Roles user interfaces, both Active Roles Console and Web Interface, provide the Deprovision command on user and group objects. This command initiates a request to deprovision the selected objects. When processing the request, Active Roles performs all operations that are set via the configured deprovisioning Policy Objects.