
Identity Manager 8.2 - Administration Guide for Active Roles Integration


Managing Active Directory objects

You can set up organizational units in a hierarchical container structure in One Identity Manager. Organizational units (divisions or departments) are used to logically organize Active Directory objects like user accounts and groups, thus simplifying administration.

NOTE: In the following, you are provided with details about the special features of managing Active Directory objects using Active Roles. For more information about managing Active Directory with One Identity Manager, see the One Identity Manager Administration Guide for Connecting to Active Directory.


Adding Active Directory groups automatically to the IT Shop

In the One Identity Manager Active Directory Edition there is direct support for transferring Active Roles Self-Service Manager functionality to the One Identity Manager IT Shop.

If you are using the One Identity Manager Edition, run the following steps before initial synchronization.

To add groups automatically to the IT Shop

  1. In the Designer, set the QER | ITShop | GroupAutoPublish configuration parameter.

  2. In the Designer, set the QER | ITShop | GroupAutoPublish | ADSGroupExcludeList configuration parameter and specify the Active Directory groups that are not to be added automatically to the IT Shop.

    Example:

    .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

  3. In the Designer, set the TargetSystem | ADS | ARS_SSM configuration parameter.

  4. Compile the database.

The groups are added automatically to the IT Shop from now on.

  • Synchronization ensures that the groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor.

  • New groups created in One Identity Manager are added to the IT Shop.
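Before enabling auto-publishing, it is worth checking which existing groups the ADSGroupExcludeList pattern actually catches, since any privileged group that slips past it is offered to shop customers for self-service request. The following is an added example, not part of the product or this guide: it takes the exclude list from step 2 and a constructed list of group names and reports which names are excluded. Whether One Identity Manager matches the pattern against the whole group name or against any substring is an assumption here, so the check evaluates both and flags the names on which the two differ.

```python
import re

# Exclude list exactly as given on the page for
# QER | ITShop | GroupAutoPublish | ADSGroupExcludeList.
EXCLUDE_LIST = r".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"

# Constructed sample of Active Directory group names (not from the page).
SAMPLE_GROUPS = [
    "Domain Admins",
    "Enterprise Admins",
    "Account Operators",
    "Exchange Servers",
    "Exchange Organization Administrators",
    "IIS_IUSRS",
    "Sales",
    "HR Exchange Liaison",   # contains "Exchange" but does not start with it
    "Administrators",
    "SQL Admins Tier0",      # "Admins" in the middle rather than at the end
]


def is_excluded(name: str, pattern: str = EXCLUDE_LIST, anchored: bool = True) -> bool:
    """True if the group name is caught by the exclude list.

    anchored=True matches the whole name (re.fullmatch); anchored=False matches
    any substring (re.search). Which of the two One Identity Manager applies is
    an assumption here, so classify() evaluates both.
    """
    if anchored:
        return re.fullmatch(pattern, name) is not None
    return re.search(pattern, name) is not None


def classify(groups, pattern: str = EXCLUDE_LIST):
    """Split group names into (auto-published, excluded, ambiguous).

    excluded:  caught by whole-name matching (and therefore by substring
               matching too), so kept out of the IT Shop either way
    ambiguous: caught only by substring matching; tighten the pattern before
               relying on it (e.g. "SQL Admins Tier0" slips past ".*Admins")
    """
    published, excluded, ambiguous = [], [], []
    for name in groups:
        strict = is_excluded(name, pattern, anchored=True)
        loose = is_excluded(name, pattern, anchored=False)
        if strict:
            excluded.append(name)
        elif loose:
            ambiguous.append(name)
        else:
            published.append(name)
    return published, excluded, ambiguous


if __name__ == "__main__":
    published, excluded, ambiguous = classify(SAMPLE_GROUPS)
    print("auto-published:", published)
    print("excluded:      ", excluded)
    print("ambiguous:     ", ambiguous)
```

Feed it the real group names exported from the target system before setting the parameter. Any privileged group that ends up under "ambiguous" or "auto-published" needs a further alternative in the exclude list; in the sample, "SQL Admins Tier0" and "HR Exchange Liaison" are only caught if substring matching is in effect.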

The following steps are run to add a group to the IT Shop.

  1. A service item is determined for the group.

    The service item is tested and modified for each group as required. The service item name corresponds to the name of the group. The service item is assigned to one of the default service categories.

    • The service item is modified for groups with service items.

    • Groups without service items are allocated new service items.

    • The service item is enabled or disabled depending on whether the group is published in Active Roles Self-Service Manager.

  2. An application role for product owners is determined and the service item is assigned. Product owners can approve requests for membership in these groups. By default, the group's account manager is established as product owner.

    NOTE: The application role for the product owner must be added under the Request & Fulfillment | IT Shop | Product owner application role.

    • If the account manager of the group is already a member of an application role for product owners, this application role is assigned to the service item. Therefore, all members of this application role become product owners of the group.

    • If the account manager of the group is not yet a member of an application role for product owners, a new application role is created. The name of the application role corresponds to the name of the account manager.

      • If the account manager is a user account or a contact, the user account's employee or the contact's employee is added to the application role.

      • If the account manager is a group, the employees of all of that group's user accounts are added to the application role.

    • If the group does not have an account manager, the Request & Fulfillment | IT Shop | Product owner | Without owner in AD default application role is used.

  3. The group is labeled with the IT Shop option and assigned to the Active Directory groups IT Shop shelf in the Identity & Access Lifecycle shop.

Then the shop customers can request group memberships through the Web Portal.

NOTE: When an Active Directory group is permanently deleted from the One Identity Manager database, the associated service item is also deleted.


Requesting Active Directory groups through the Web Portal

NOTE: The approval workflow that applies to group membership requests is described in Approval of Active Directory group membership requests in the default installation.

To request a new Active Directory group

  • In the Web Portal, in the Service catalog > Requests menu, select the service category Active Directory groups.

  • Request the Active Directory group using the New Active Directory distribution list or the New Active Directory security group product.

The following steps are automatically run when you request a new Active Directory group:

  • An entry is created for the Active Directory group in One Identity Manager.

  • The Active Directory group is labeled with the Group is published to Self-Service Manager option.

  • The Active Directory group is labeled with the IT Shop option.

  • The associated service item is created. A new application role is set up with the requester as member. The application role is entered as product owner in the service item.

    Through this procedure, the requester of the Active Directory group has approval permissions for membership requests for this Active Directory group.

  • The Active Directory group is assigned to the shelf Active Directory groups in the Identity & Access Lifecycle default shop.

Active Directory group membership can then be requested by customers of this shop through the Web Portal.

NOTE: If an Active Directory group is permanently deleted from the One Identity Manager database, the associated service item is also deleted.
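The decision rules from the numbered steps under "Adding Active Directory groups automatically to the IT Shop" (service item per group, product owner role derived from the account manager, fallback to the Without owner in AD role) and the variant run for a group requested through the Web Portal (new role with the requester as its only member), as an added example in Python. This is not One Identity Manager code: the data classes, the `roles` dictionary standing in for the application roles under Request & Fulfillment | IT Shop | Product owner, the service category name, the sample identities and groups, and the names given to roles created on request are all constructed for the illustration. Two readings of the text are assumptions and are marked as such in the comments: an existing role is reused only when it already contains all of the account manager's employees, and a role created on request is named after the requester and the group.

```python
from dataclasses import dataclass, field
from typing import Optional

# Default application role for groups without an account manager (name from the page).
WITHOUT_OWNER_ROLE = "Request & Fulfillment | IT Shop | Product owner | Without owner in AD"


@dataclass
class Identity:
    """An Active Directory user account, contact or group acting as account manager."""
    name: str
    kind: str                                    # "user", "contact" or "group"
    employee: Optional[str] = None               # employee behind a user account or contact
    members: list = field(default_factory=list)  # member identities, for groups


@dataclass
class ADGroup:
    name: str
    account_manager: Optional[Identity]
    published_in_ssm: bool = True   # "Group is published to Self-Service Manager" option
    it_shop: bool = False           # "IT Shop" option


@dataclass
class ServiceItem:
    name: str                       # equals the group name
    enabled: bool                   # follows the Self-Service Manager publication flag
    product_owner_role: str
    category: str = "Active Directory groups"   # assumed default service category name


def employees_of(identity: Identity) -> set:
    """Employees behind an account manager, per the rules on the page: a user account
    or contact contributes its own employee; a group contributes the employees of its
    user-account members."""
    if identity.kind in ("user", "contact"):
        return {identity.employee} if identity.employee else set()
    return {m.employee for m in identity.members if m.kind == "user" and m.employee}


def resolve_product_owner_role(group: ADGroup, roles: dict) -> str:
    """Pick or create the product owner application role for a group.
    `roles` maps role name -> set of employee names and is updated in place."""
    manager = group.account_manager
    if manager is None:
        return WITHOUT_OWNER_ROLE
    employees = employees_of(manager)
    # Assumption: "already a member of an application role for product owners" is read
    # as all of the manager's employees already belonging to one and the same role.
    for role_name, members in roles.items():
        if role_name != WITHOUT_OWNER_ROLE and employees and employees <= members:
            return role_name
    # Otherwise a new role named after the account manager is created.
    roles[manager.name] = set(employees)
    return manager.name


def publish_group(group: ADGroup, roles: dict, service_items: dict) -> ServiceItem:
    """Steps 1 to 3 of the auto-publish procedure for one group."""
    owner_role = resolve_product_owner_role(group, roles)
    item = service_items.get(group.name)
    if item is None:                                    # group without a service item
        item = ServiceItem(group.name, group.published_in_ssm, owner_role)
        service_items[group.name] = item
    else:                                               # group with a service item: modify
        item.enabled = group.published_in_ssm
        item.product_owner_role = owner_role
    group.it_shop = True
    return item


def request_new_group(name: str, requester: str, roles: dict, service_items: dict) -> ADGroup:
    """Web Portal request for a new group: published, added to the IT Shop, and the
    requester becomes the sole member of a new product owner role.
    Assumption: the page does not name that role; here it is '<requester>: <group>'."""
    group = ADGroup(name, account_manager=None, published_in_ssm=True, it_shop=True)
    role_name = f"{requester}: {name}"
    roles[role_name] = {requester}
    service_items[name] = ServiceItem(name, enabled=True, product_owner_role=role_name)
    return group


def run_scenario():
    """Constructed sample data (not from the page); returns (roles, service_items)."""
    alice = Identity("alice", "user", employee="Alice Example")
    bob = Identity("bob", "user", employee="Bob Example")
    finance_mgrs = Identity("Finance Managers", "group", members=[alice, bob])
    groups = [
        ADGroup("Finance-Share-RW", account_manager=alice),
        ADGroup("Finance-Share-RO", account_manager=alice, published_in_ssm=False),
        ADGroup("Finance-Reports", account_manager=finance_mgrs),
        ADGroup("Legacy-App", account_manager=None),
    ]
    roles = {WITHOUT_OWNER_ROLE: set()}
    service_items = {}
    for group in groups:
        publish_group(group, roles, service_items)
    request_new_group("Project-X", "Bob Example", roles, service_items)
    return roles, service_items


if __name__ == "__main__":
    roles, items = run_scenario()
    for item in items.values():
        print(f"{item.name:18} enabled={item.enabled!s:5} owner role: {item.product_owner_role}")
```

Two effects of the rules are visible in the sample: the second group managed by alice reuses the role created for the first, so anyone later added to that role approves requests for both shares; and a group whose account manager is itself a group gets a role containing every employee behind that group, which is where the approver set quietly grows. Running this over the real account-manager data before setting GroupAutoPublish shows who will end up approving membership in which group.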


Active Roles specific extensions for Active Directory groups

To display the Active Roles data ascertained for an Active Directory group

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Change main data task.

  4. Select the Active Roles tab.

The following properties are displayed:

Table 8: Active Roles specific properties of an Active Directory group
Property Description

Group is published to Self-Service Manager

If an Active Directory group is published, the Active Directory group can be requested in the Web Portal immediately after successful synchronization. The data is loaded from Active Roles on synchronization. This information is published when an Active Directory group is added through the Web Portal in order to start other workflows in Active Roles if necessary.

Approval by the group owner

Specifies whether the Active Directory group owner (account manager) must approve group membership. The information affects the approval workflow in the IT Shop.

Approval by an additional owner of the group

Specifies whether the additional Active Directory group owner must approve group membership. The information affects the approval workflow in the IT Shop.

Dynamic group

Specifies whether the members of this group are determined dynamically in Active Roles. The membership of a dynamic group cannot be changed manually.

Additional owners

List of additional owners. Active Directory groups or Active Directory user accounts are permitted.

Deprovisioning status

Status of deprovisioning sequence through Active Roles when an object is deleted. The data is loaded from Active Roles on synchronization.

  • No deprovisioning: The Active Directory object is active.

  • Deprovisioning successful: The Active Directory object was successfully deprovisioned.

  • Deprovisioning failed: An error occurred while deprovisioning the Active Directory object.

Deprovisioning date

Date on which the deprovisioning sequence through Active Roles ran for the deleted object. The information is loaded from Active Roles during synchronization.
