Management of the Policy Object scope
When applying a Policy Object to a directory object, Active Roles creates a Policy Object link.
Link Policy Objects to enforce business rules on different types of directory objects in the Active Roles Console. These objects are the following:
- Administrative views (Active Roles Managed Units).
- Active Directory containers (Organizational Units).
- Individual (leaf) directory objects, such as user or group objects.
Each Policy Object link includes the following information:
- The Policy Object that defines the policy.
- The directory object that is the target of the link.
- An Include or Exclude flag that specifies whether the directory object is included in or excluded from the policy scope.
When you display a list of Policy Object links for a directory object, the list appears in a separate window. Each entry in the list includes the following information:
- Policy Object: Name of the Policy Object.
- Directory Object: Canonical name of the object to which the Policy Object is linked, that is, the target object of the link.
- Include/Exclude: Flag that determines the behavior of the link:
  - Include Explicitly means the link puts the target object within the policy scope, that is, the policies defined in the Policy Object control the target object.
  - Exclude Explicitly means the link puts the target object out of the policy scope, that is, the policies defined in the Policy Object do not control the target object.
The Exclude flag takes precedence over the Include flag. If there are two links with the same Policy Object, one of which is flagged Include while another one is flagged Exclude, the object is effectively excluded from the policy scope of the Policy Object.
The list of Policy Object links displays the links of these categories:
- Direct links: The Policy Object is linked directly to the object that you have selected.
- Inherited links: The Policy Object is linked to a parent container or Managed Unit of the object that you selected.
From the list, you can filter out the links that are inherited from parent objects. To do this, clear Show inherited.
TIP: The Remove button is only available for direct links. To delete other links, manage them by using the Policy Scope command on the Policy Object.
To simplify the management of policy effect on directory objects, the Active Roles Console allows you to manage policy scope without directly managing links to Policy Objects. For a directory object, you can view and modify its policy list, that is a list of Policy Objects that control (affect) the directory object, instead of having to sort through direct and inherited links.
Each entry in the policy list includes the following information:
- Policy Object: The name of the Policy Object. The Policy Object controls this directory object due to a direct link or inherited links.
- Block Inheritance: Indicates whether the effect of the policy is blocked on this directory object.
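The scope rules above (direct and inherited links, Exclude taking precedence over Include, and Block Inheritance) as a small resolver, added here as an example and not code from Active Roles. It assumes inheritance follows the canonical-name path of Organizational Units only (Managed Unit membership is not modeled), that an Exclude link on a container covers everything beneath it, and that Block Inheritance stops inherited links but not a direct link; the Policy Object names and canonical names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyLink:
    """One Policy Object link: the Policy Object, the canonical name of the
    target directory object, and the Include/Exclude flag."""
    policy: str
    target: str
    include: bool  # True = Include Explicitly, False = Exclude Explicitly


def is_self_or_ancestor(container: str, obj: str) -> bool:
    """True when `container` is `obj` itself or one of its parent containers."""
    return obj == container or obj.startswith(container + "/")


def effective_policies(obj: str, links: list[PolicyLink],
                       blocked: frozenset[str] = frozenset()) -> dict[str, str]:
    """Return {policy name: "direct" | "inherited"} for the Policy Objects that
    control `obj`. A link on `obj` itself is direct, a link on a parent
    container is inherited. An Exclude link wins over any Include link for the
    same Policy Object. `blocked` names Policy Objects whose inherited effect is
    blocked on `obj` (Block Inheritance); a direct link is not affected by it
    (assumption of this model)."""
    controlling: dict[str, str] = {}
    excluded: set[str] = set()
    for link in links:
        if not is_self_or_ancestor(link.target, obj):
            continue  # the link does not reach this object
        if not link.include:
            excluded.add(link.policy)
            continue
        kind = "direct" if link.target == obj else "inherited"
        if kind == "inherited" and link.policy in blocked:
            continue
        if controlling.get(link.policy) != "direct":  # prefer reporting a direct link
            controlling[link.policy] = kind
    for policy in excluded:
        controlling.pop(policy, None)  # Exclude takes precedence over Include
    return controlling


# Constructed sample links; Policy Object names and canonical names are made up.
SAMPLE_LINKS = [
    PolicyLink("Naming Policy", "example.com/Sales", True),
    PolicyLink("Naming Policy", "example.com/Sales/Contractors", False),
    PolicyLink("Group Membership", "example.com", True),
    PolicyLink("Group Membership", "example.com/Sales/Contractors/jdoe", True),
]

if __name__ == "__main__":
    for obj in ("example.com/Sales/jsmith", "example.com/Sales/Contractors/jdoe"):
        print(obj, "->", effective_policies(obj, SAMPLE_LINKS))
```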
You can also access the policy list from the advanced details pane. When you select a directory object, the list is displayed on the Active Roles Policy tab.
On the Active Roles Policy tab, you can perform the same management tasks as in the Active Roles Policy window. Right-click a list entry or a blank area and use commands on the shortcut menu. The commands act in the same way as the buttons in the Active Roles Policy window.
Given a Policy Object, you can also manage its policy scope by using a list of directory objects to which the Policy Object is applied (linked). The list can be displayed in a separate window or on a tab in the Advanced Details Pane:
- To display the list in a window, right-click the Policy Object and click Policy Scope.
- To display the list on a tab, ensure that Advanced Details Pane is selected on the View menu and select the Policy Object.
For more information on configuring Policy Object scopes, see .
Policy compliance checks
Checking for policy compliance provides information on directory data that does not comply with the policies—such as user or group naming conventions—defined with Active Roles. If you define some policies when data has already been entered, you can check the data and modify it accordingly to ensure that the data meets the policy requirements.
Although business rules and policies normally cannot be bypassed once they have been configured, there are situations where the actual directory data may violate some of the prescribed policies or business rules. For example, when applying a new policy, Active Roles does not automatically verify the existing directory data in order to determine whether that data conforms to the new policy. Another example is a process that automatically creates new objects, such as user or group objects, by directly accessing Active Directory without the use of Active Roles.
The Active Roles Report Pack includes a number of reports that help detect policy violations in directory data by collecting and analyzing information on the state of directory objects as against the prescribed policies. However, as retrieving such information may take much time and effort, the reports on policy compliance sometimes do not allow policy-related issues to be resolved in a timely fashion.
In order to address this problem, Active Roles makes it possible to quickly build and examine policy check results on individual objects or entire containers. The policy check results provide a list of directory objects violating policies, and describe the detected violations. From the policy check results, you can make appropriate changes to objects or policies:
- Modify object properties in conformity with policies.
- Prevent individual objects from being affected by particular policies.
- Modify Policy Objects as needed.
- Perform an administrative task, for example, disable or move user objects that violate policies.
In addition, you can save policy check results to a file, print them out, or send them to an email recipient.
For more information on how to check the policy compliance of individual objects, or check if policy compliance works in general, see Checking for policy compliance in the Active Roles Administration Guide.
Overview of Provisioning Policy Objects
To configure provisioning policies for user name and email generation, group memberships, property generation or script running, use the policies available via the Provisioning Policy Objects option.
NOTE: Policy Object settings that are specific to Azure cloud-only objects (such as cloud-only Azure users, guest users, or contacts) are available only if your Active Roles deployment is licensed for managing cloud-only Azure objects. Contact One Identity support for more information.
Also, Policy Objects that are specific to Azure cloud-only objects will work correctly only if an Azure tenant is already configured in the AD of the organization, and Active Roles is already set as a consented Azure application for that Azure tenant. For more information on these settings, see Configuring a new Azure tenant and consenting Active Roles as an Azure application in the Active Roles Administration Guide.
For more information on configuring deprovisioning policies, see Configuring Policy Objects in the Active Roles Administration Guide.
About User Logon Name Generation
The User Logon Name Generation provisioning Policy Object type is used to automate the assignment of pre-Windows 2000 user login names when creating or modifying a user account, with flexible options to ensure the uniqueness of the policy-generated name.
Generating unique names
Generating a unique name is essential. If Active Roles attempts to assign a policy-generated name while an existing user account with the same pre-Windows 2000 user login name already exists, a naming conflict will occur, because Active Directory does not support multiple accounts with the same pre-Windows 2000 user login name. In such cases, to prevent naming conflicts with existing accounts, configure a policy to generate a series of names.
When configuring a User Logon Name Generation policy type, you can define multiple rules so that the policy applies them successively, attempting to generate a unique name in the event of a naming conflict. You can also configure a rule to include an incremental numeric value to ensure uniqueness of the policy-generated name. You also have the option to allow policy-generated names to be modified by operators who create or update user accounts.
How the User Logon Name Generation policy works
When creating a user account, Active Roles relies on the User Logon Name Generation policy type to assign a certain pre-Windows 2000 user login name to the user account. The policy generates the name based on the properties of the user account being created. A policy can include one or more rules that construct the name value as a concatenation of entries that are similar to those you encounter when you are using a Property Generation and Validation policy.
The Uniqueness number is a special entry used to make the policy-generated name unique. A uniqueness number entry represents a numeric value the policy will increment in the event of a naming conflict. For example, a policy can provide the option to change the new name from ExampleUser to ExampleUser1 if there is an existing user account with the pre-Windows 2000 user login name set to ExampleUser. If the name ExampleUser1 is also in use, the new name can be changed to ExampleUser2, and so on.
The policy configuration provides the option to allow or deny manual edits of policy-generated names. You can restrict granting permission to modify a policy-generated name to the case where the name is already in use by another account.
Consider the following specific behavior of the policy:
- If you have a single policy rule that does not use a uniqueness number, Active Roles simply attempts to assign the generated name to the user account. This operation can fail if the generated name is not unique, that is, the same pre-Windows 2000 user login name is already assigned to a different user account. If the policy allows the manual editing of policy-generated names, the operator who creates the user account can correct the name.
- If you have multiple policy rules or a rule that uses a uniqueness number, Active Roles adds a button at the client side, next to the User logon name (pre-Windows 2000) field on the user creation and modification forms.
  - To generate a name, click the button next to the User logon name (pre-Windows 2000) field. Each click of the Generate button applies the next rule or increments the uniqueness number by one, which ensures that the generated name is unique.
- The following characters are not supported in pre-Windows 2000 user logon names: " / \ [ ] : ; | = , + * ? < >
- The policy causes Active Roles to deny processing operation requests that assign an empty value to a pre-Windows 2000 user login name.
- When checking user accounts for policy compliance, Active Roles detects and reports the pre-Windows 2000 user login names that are not compliant with the User Logon Name Generation policy.
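A model of the behavior described in this section, added here as an example that is not Active Roles code: successive rules, a uniqueness number that is incremented on a naming conflict (ExampleUser, ExampleUser1, ExampleUser2, ...), rejection of the unsupported characters and of an empty value, and a compliance check that asks whether an existing name is one the policy could have produced. Rule entries are written as Python str.format placeholders over the account's properties rather than the Active Roles entry syntax (an assumption), and the rules, existing accounts and account properties are constructed.

```python
# Characters the page lists as unsupported in pre-Windows 2000 user logon names.
INVALID_CHARS = set('"/\\[]:;|=,+*?<>')

# Constructed rules: str.format placeholders over account properties (assumption,
# not the Active Roles entry syntax). A rule containing "{n}" has a uniqueness number.
RULES = ["{givenName[0]}{sn}", "{givenName}.{sn}", "{givenName[0]}{sn}{n}"]


def validate_logon_name(name: str) -> list[str]:
    """Return the policy problems with `name` (an empty list means it is acceptable)."""
    problems = []
    if not name:
        problems.append("empty value")  # the policy denies an empty logon name
    bad = sorted(set(name) & INVALID_CHARS)
    if bad:
        problems.append("unsupported characters: " + " ".join(bad))
    return problems


def candidates(rule: str, props: dict, max_number: int = 999):
    """Yield the names one rule can produce; a "{n}" rule counts 1, 2, 3, ..."""
    numbers = range(1, max_number + 1) if "{n}" in rule else [None]
    for n in numbers:
        yield rule.format(n=n, **props)


def generate_logon_name(props: dict, rules: list[str], existing: set[str]) -> str:
    """Apply the rules successively; on a naming conflict move to the next
    candidate, so the first valid name that is not already in use is returned."""
    taken = {name.lower() for name in existing}  # logon names compare case-insensitively
    for rule in rules:
        for name in candidates(rule, props):
            problems = validate_logon_name(name)
            if problems:
                raise ValueError(f"rule {rule!r} produced {name!r}: {problems}")
            if name.lower() not in taken:
                return name
    raise ValueError("naming conflict: every rule produced a name that is already in use")


def is_compliant(name: str, props: dict, rules: list[str]) -> bool:
    """Compliance check: is `name` a value the policy could have generated for this account?"""
    if validate_logon_name(name):
        return False
    return any(name.lower() == c.lower() for rule in rules for c in candidates(rule, props))


if __name__ == "__main__":
    existing = {"JSmith", "jsmith1", "JSmith2", "john.smith"}  # constructed existing accounts
    props = {"givenName": "John", "sn": "Smith"}
    print(generate_logon_name(props, RULES, existing))  # JSmith3
    print(is_compliant("smithj", props, RULES))         # False
```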
For more information on configuring this Policy Object type, see Configuring a User Logon Name Generation policy in the Active Roles Administration Guide.