サポートと今すぐチャット
サポートとのチャット

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Policy type deployment

The deployment process involves: the development of a script that implements the policy action and declares the policy parameters; the creation of a Script Module containing that script; and the creation of a Policy Type object referring to that Script Module. To deploy a policy type to a different environment, an administrator can export the policy type to an export file in the source environment and then import the file in the destination environment. Using export files makes it easy to distribute custom policy types.

Policy type usage

This is the process of configuring policies. It occurs when an administrator creates a new Policy Object or adds policies to an existing Policy Object. For example, the wizard for creating a Policy Object includes a page that prompts to select a policy. The page lists the policy types defined in Active Roles, including the custom policy types. If a custom policy type is selected, the wizard provides a page for configuring the policy parameters specific to that policy type. Once the wizard is completed, the Policy Object contains a fully functional policy of the selected custom type.

Active Roles provides a graphical user interface, complete with a programming interface, for creating and managing custom policy types. Using those interfaces, Active Roles policies can be extended to meet the needs of a particular environment. Active Roles also has a deployment mechanism by which administrators put new types of policy into operation.

Since policy extension involves two interactions, Active Roles provides solutions in both areas. The Administration Service maintains policy type definitions, exposing policy types to its clients such as the Active Roles Console or ADSI Provider. The Console can be used to:

  • Create a new custom policy type, either from scratch or by importing a policy type that was exported from another environment.

  • Make changes to the definition of an existing custom policy type.

  • Add a policy of a particular custom type to a Policy Object, making the necessary changes to the policy parameters provided for by the policy type definition.

Normally, an Active Roles expert develops a custom policy type in a separate environment, and then exports the policy type to an export file. An Active Roles administrator deploys the policy type in the production environment by importing the export file. After that, the Active Roles Console can be used to configure and apply policies of the new type.

Policy Type objects

The policy extensibility feature is built upon Policy Type objects, each of which represents a single type of policy. Policy Type objects are used within both the policy type deployment and policy type usage processes. The process of deploying a new policy type involves the creation of a Policy Type object. During the process of adding a policy of a custom type, the policy type definition is retrieved from the respective Policy Type object.

Each Policy Type object holds the following data to define a single policy type:

  • Display name: Identifies the policy type represented by the Policy Type object. This name is displayed on the wizard page where you select a policy to configure when creating a new Policy Object or adding a policy to an existing Policy Object.

  • Description: A text describing the policy type. This text is displayed when you select the policy type in the wizard for creating a new Policy Object or in the wizard for adding a policy to an existing Policy Object.

  • Reference to Script Module: Identifies the script to run upon the execution of a policy of this type. When adding a policy of a custom policy type, you effectively create a policy that runs the script from the Script Module specified by the respective Policy Type object.

  • Policy Type category: Identifies the category of Policy Object to which a policy of this type can be added. A policy type may have the category option set to either Provisioning or Deprovisioning, allowing policies of that type to be added to either provisioning or deprovisioning Policy Objects respectively.

  • Function to declare parameters: Identifies the name of the script function that declares the configurable parameters for the administration policy that is based on this policy type. The function must exist in the Script Module selected for the policy type. By default, it is assumed that the parameters are declared by the function named onInit.

  • Policy Type icon: The image that appears next to the display name of the policy type on the wizard page where you select a policy to configure, to help identify and visually distinguish this policy type from the other policy types.

To create a custom policy type, you first need to create a Script Module that holds the policy script. Then, you can create a Policy Type object referring to that Script Module. When you import a policy type, Active Roles automatically creates both the Script Module and the Policy Type object for that policy type. After the Policy Type object has been created, you can add a policy of the new type to a Policy Object.

Creating and managing custom policy types

In Active Roles, Policy Type objects provide the ability to store the definition of a custom policy type in a single object. Policy Type objects can be exported and imported, which makes it easy to distribute custom policies to other environments.

When creating a new Policy Object or adding a policy to an existing Policy Object, an administrator is presented with a list of policy types derived from the Policy Type objects. Selecting a custom policy type from the list causes Active Roles to create a policy based on the settings found in the respective Policy Type object.

This section covers the following tasks specific to custom policy types:

For more information about Policy Type objects, including instructions on scripting for Policy Type objects, refer to the Active Roles SDK.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択