Chatta subito con l'assistenza
Chat con il supporto

Active Roles 8.2.1 - Feature Guide

Introduction About Active Roles
Main Active Roles features Technical overview of Active Roles
About presentation components Overview of service components About network data sources About security and administration elements About Active Directory security management Customization using ADSI Provider and script policies About dynamic groups About workflows Operation in multi-forest environments
Examples of use
Administrative rules and roles
About Managed Units About Access Templates About Access Rules About rule-based autoprovisioning and deprovisioning
Configuring and administering Active Roles Overview of Active Roles Synchronization Service Support for AWS Managed Microsoft AD FIPS compliance LSA protection support STIG compliance

Main steps of policy extension

Implementing custom policy extensions has two main steps:

  • Deploying Policy Types.

  • Using Policy Types.

Deploying Policy Types

Deploying a custom Policy Type includes:

  1. Developing a script that implements the policy action and declares the policy parameters.

  2. Creating a Script Module containing the script.

  3. Creating the Policy Type object referring to that Script Module.

Alternatively, to deploy a Policy Type to a different environment, you can:

  1. Export the Policy Type to an export file in the source environment.

  2. Import the file in the destination environment.

TIP: Exporting custom Policy Types makes it easy to distribute them throughout your organization.

For more information, see the following resources:

  • For details on how to script Policy Type objects, refer to the Active Roles SDK.

  • For the steps of exporting and importing custom Policy Types, see Exporting Policy Type and Importing Policy Type in the Active Roles Administration Guide.

TIP: One Identity recommends developing custom Policy Types in a separate environment, then exporting the final Policy Type for use.

Using Policy Types

Using the custom Policy Types means that you configure a new Policy Object that will use the custom Policy Types, or add the custom policies to an existing Policy Object.

For example, the New Provisioning Policy Object Wizard and New Deprovisoning Policy Object Wizard both have a Policy to Configure page for selecting a policy. By default, this page lists the built-in Policy Types shipped with Active Roles, but once you have custom Policy Types created, they will appear in this list, too.

If you select a custom Policy Type, the wizard provides a page for configuring the policy parameters specific to that Policy Type. After you complete the wizard, the Policy Object contains a fully functional policy of the selected custom Policy Type.

Active Roles provides a graphical user interface, complete with a programming interface, for creating and managing custom Policy Types. Using those interfaces, you can extend Active Roles policies to meet the needs of a particular environment. Active Roles also has a deployment mechanism that you can use to roll out new Policy Types.

For the steps of configuring Policy Objects with custom Policy Types, see Creating a Policy Type object in the Active Roles Administration Guide.

Active Roles interfaces to manage custom Policy Types

When using custom Policy Types, the various Active Roles components have the following roles in storing, maintaining and exposing the custom Policy Types:

  • The Administration Service maintains Policy Type definitions, exposing Policy Types to its clients such as the Active RolesConsole or ADSI Provider.

  • The Active Roles Console supports:

    • Creating a new custom Policy Type, either from scratch or by importing a Policy Type that was exported from another environment.

    • Modifying existing custom Policy Types.

    • Adding a policy of a particular custom type to a Policy Object, making the necessary changes to the policy parameters provided for by the Policy Type definition.

Main attributes of policy extension

Policy extension is based on custom Policy Types, each of which represents a single type of policy.

When deploying a new custom policy, you must create a new Policy Type object. Then, when adding the custom policy to a Policy Object, Active Roles retrieves the definition of the custom policy from the respective custom Policy Type.

Policy types have the following attributes to specify the properties of custom policies:

  • Display name: Identifies the Policy Type. This name appears in the New Provisioning Policy Object Wizard and New Deprovisoning Policy Object Wizard when you select the policy to configure, or adding a policy to an existing Policy Object.

  • Description: Describes the Policy Type. This text appears in the New Provisioning Policy Object Wizard and New Deprovisoning Policy Object Wizard when you select the policy to configure, or adding a policy to an existing Policy Object.

  • Reference to Script Module: Identifies the script to run when initiating the Policy Type. When adding a policy of a custom Policy Type, you effectively create a policy that runs the script from the Script Module specified by the respective Policy Type.

  • Policy Type category: Identifies the Policy Object category to which you can add the Policy Type. A Policy Type can be either Provisioning or Deprovisioning, allowing policies of that type to be added either to provisioning or deprovisioning Policy Objects, respectively.

  • Function to declare parameters: Identifies the name of the script function that declares the configurable parameters of the administration policy that is based on the Policy Type. This script function must exist in the Script Module selected for the Policy Type. By default, Active Roles expects that the parameters are declared by the onInit function.

  • Policy Type icon: The image that appears next to the display name of the Policy Type on the wizard page where you select a policy to configure, to help identify and visually distinguish this Policy Type from the other Policy Types.

To create a custom policy, you must:

  1. Create a Script Module that will hold the policy script.

  2. Create the Policy Type referring to that Script Module.

  3. Add the custom Policy Type to a Policy Object.

If you import a Policy Type, Active Roles automatically creates both the Script Module and the Policy Type.

For the steps of configuring Policy Objects with custom Policy Types, see Creating a Policy Type object in the Active Roles Administration Guide.

Configuring and administering Active Roles

This section summarizes the major configuration, deployment, and maintenance features of Active Roles.

About the Active Roles Setup wizard

The Active Roles Setup wizard facilitates the evaluation, deployment, upgrade and configuration of Active Roles. The key highlights of the wizard include the following:

  • Unified setup process: Active Roles is shipped with a single wizard for installing all core product components, including the Administration Service, the Web Interface, and the Console (also known as the MMC Interface).

  • Configuration Center: After installation, Active Roles launches the Configuration Center, an application that you can use to perform the core configuration tasks after installation, or to finish upgrading Active Roles. As such, the Configuration Center lets you configure Administration Service instances and deploy Web Interface sites. For more information on the Configuration Center, see About Active Roles Configuration Center.

  • Side-by-side deployment: The Active Roles Setup allows you to deploy new Active Roles versions side-by-side on the same computers with Active Roles 6.9. This allows you to use the same hardware and infrastructure to run newer versions of Active Roles while also keeping Active Roles 6.9 deployed for your business needs.

    CAUTION: Upgrading from Active Roles 6.9 to a newer version is only meant to be a temporary solution, as the side-by-side installation of two different Active Roles versions can have a negative impact on the environment.

    Different versions of Active Roles are not supported in the same Active Directory (AD) domain. Different versions of Active Roles servers in the same AD domain will cause issues with dynamic groups, policies, workflows, custom scripts, and conflicts in product functionality.

    When upgrading Active Roles to a later version, One Identity recommends to upgrade all servers running Active Roles components to the same version, otherwise the configuration is not supported.

    For more information, see Knowledge Base Article 4307177.

    NOTE: To avoid potential conflicts with Active Roles 6.9, newer versions of the product use a different name for the Windows service of the Administration Service and for the default Web Interface sites.

  • Separate component installation files: Although the Active Roles Setup allows you to install every major product component at once, the installation *.iso delivers each component (such as the Administration Service, the Web Interface, the Add-on Manager, the SPML Provider, or the Management Shell) in separate *.msi files. This allows you to install the various Active Roles components individually without the need of running the Active Roles Setup.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione