There may be a scenario where an Active Roles instance must be hidden from clients.
One example is a dedicated job server that performs resource-intensive tasks. In this scenario, clients must be blocked from connecting to this instance of Active Roles.
Active Roles clients find Service Connection Point objects which are created by the Active Roles Service in each managed Domain under the System/Aelita/Enterprise Directory Manager container. Each service periodically updates its own connection object, so deleting these connection objects will only temporarily hide the associated service instance.
Enhancement Request ID 298079 has been created to include this feature in Active Roles.
WORKAROUND 1
Service Connection Points (SCPs) are created under the security context of the Active Roles service account. Denying the service account permission to create a service connection point in the native Active Directory will effectively hide the service from the Connect To dialog in the Active Roles Console, but it will not prevent clients from connecting to the service if they type in the server name manually.
In Active Directory Users and Computers or another native tool, set a deny permission for the Active Roles service account on the ability to create child serviceConnectionPoint objects within the System/Aelita/Enterprise Directory Manager container in every managed domain.
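The deny permission from Workaround 1 can also be applied and checked from PowerShell. This is an added example, not One Identity's code; it assumes the ActiveDirectory RSAT module, a hypothetical service account name (EXAMPLE\svc-activeroles), and that the container path given above maps to CN= components under the domain root.

```powershell
# Added example: deny the Active Roles service account the right to create
# serviceConnectionPoint children under the SCP container of the current domain.
# Run once per managed domain with rights to modify the container's ACL.
Import-Module ActiveDirectory

$serviceAccount = 'EXAMPLE\svc-activeroles'   # hypothetical name, replace with yours

# Container path taken from the article; the CN= form is an assumption.
$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=Enterprise Directory Manager,CN=Aelita,CN=System,$domainDN"

# Read the schemaIDGUID of the serviceConnectionPoint class from the schema
# so the deny ACE applies to that object class only.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$scpClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=serviceConnectionPoint)' -Properties schemaIDGUID
$scpGuid  = [guid]$scpClass.schemaIDGUID

$identity = [System.Security.Principal.NTAccount]::new($serviceAccount)
$denyRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $scpGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$container"
$acl.AddAccessRule($denyRule)
Set-Acl -Path "AD:\$container" -AclObject $acl

# Check 1: the deny ACE is present on the container.
(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $scpGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType

# Check 2: list SCPs that are still published. The ACE blocks creation only;
# objects that already exist stay until they are deleted.
Get-ADObject -SearchBase $container `
    -LDAPFilter '(objectClass=serviceConnectionPoint)' -Properties whenChanged |
    Sort-Object whenChanged -Descending |
    Format-Table Name, whenChanged, DistinguishedName
```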
WORKAROUND 2
To hide all service connection points from all Active Roles instances, set the edsaPublishEdmService attribute on a Managed Domain to FALSE to prevent the publication of all service points to that domain.
WORKAROUND 3
Manually deny domain users (or a group of users) access to the Service Connection Point of the specific Active Roles instance.
STATUS
The product team will evaluate the request, and this feature may become available in a future release of the product.
Please refer to this article for updates or contact support referencing the Enhancement Request ID: 298079.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.