サポートと今すぐチャット
サポートとのチャット

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Temporal Group Memberships

By using temporal group memberships, Active Roles provides the ability to automate the tasks of adding or removing group members that only need group membership for a specific time period. When adding objects, such as users, computers or groups, to a particular group, an administrator can specify that the objects should be added to the group at the time of choice, as well as indicate when those objects should be removed from the group.

The temporal group membership functionality offered by Active Roles can aid organizations in efficiently assigning users and other objects to groups for a required period of time. Although in many cases objects that are added to a group remain the members of the group for an indefinite period of time, many organizations have requirements of temporarily assigning objects to particular groups. Typical scenarios include allowing access to specific resources for the duration of a certain project, or temporarily allowing an individual to act as a server administrator.

Management of temporal group assignments represents significant challenges for administrators since a high degree of administrative oversight is required to ensure that the group assignments are truly temporary and do not become permanent because of poor control over group memberships. Active Roles addresses these requirements by enabling addition or removal of group members to occur automatically on a scheduled basis.

The temporal group membership functionality expands the benefits of Active Roles in the following areas:

  • Security: By providing tight control over changes to group memberships, including policy-based rules and constraints, change approval, and change auditing, Active Roles reduces security risks for systems, applications and services that use Active Directory groups for access authorization. Adding and removing group members in a timely manner ensure that users have access to systems and resources for only the required amount of time, thereby restricting the possibility and scope of access.

  • Availability: By automatically populating groups based on configurable policy rules, Active Roles makes appropriate network resources available to appropriate users at the time that they need access to those resources. The ability to set a schedule for adding and removing group members is helpful in situations where temporary access is required for a relatively short time period or when numerous requests to change group memberships arise on short notice.

  • Manageability: Active Roles streamlines the management of assigning users to groups as well as removal of members from groups. Consistent and reliable control of these provisioning and de-provisioning activities reduces overhead for those managing Active Directory groups. Unattended, schedule-based handling of temporal group memberships helps assure compliance with change and access policies while simplifying the management of group membership change requests.

  • Compliance: Active Roles lowers regulatory compliance risks by ensuring that proper and effective controls are in place for group memberships. Since Active Directory groups are used to authorize access to systems, applications and data, controlling the assignment of users to groups on a temporal basis helps organizations comply with separation of duties and data privacy requirements.

Active Roles provides the temporal group membership functionality for both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

The temporal group membership functionality automates the tasks of adding and removing users from groups in the situations where users need group memberships for only a specific time period. By applying temporal membership settings, administrators can schedule selected objects to be assigned to a particular group and specify when the objects are to be removed from the group.

The key capabilities provided by Active Roles for managing temporal group memberships are as follows:

  • Add temporal group members: The user interface for selecting objects, in both the Active Roles Console and Web Interface, provides a number of options to specify when the selected objects should be added to the selected group and when the selected objects should be removed from the group. It is possible to add the objects to the group immediately as well as to indicate that the objects should not be removed from the group.

  • View temporal members of a group: The list of group members (the Members page) displayed by the Active Roles Console or Web Interface makes it possible to distinguish between regular group members and temporal group members. In addition, it is possible to hide or display the temporal members that are scheduled to be added to the group in the future but are not actual members of the group so far.

  • View temporal memberships of an object: The list of group memberships for a particular object (the Member Of page) makes it possible to distinguish between the groups in which the object is a regular member and the groups in which the object is a temporal member. It is also possible to hide or display the groups to which the object is scheduled to be added in the future.

  • Reschedule temporal group memberships: Both the Members and Member Of pages provide the ability to view or modify the temporal membership settings. On the Members page for a particular group, you can select a member, and view or modify the date and time when the member should be added or removed from the group. On the Member Of page for a particular object, you can select a group, and view or modify the date and time when the object should be added or removed from the group.

  • Make a temporal member permanent: The temporal membership settings provide the option to indicate that the object should not be removed from the group, thus making a temporal member permanent. If temporal membership settings on a particular object are configured to add the object to a certain group immediately and never remove it from the group, then the object becomes a regular member of that group. Similarly, specifying any other temporal membership settings on a regular member converts it to a temporal member.

  • Remove temporal group members: Both the Members and Member Of pages provide the Remove function for group memberships, whether temporal or regular. When you use the Remove function on temporal members of a group, the members are removed along with all the temporal membership settings that were in effect on those members. The same is true when you use the Remove function on groups in which a particular object is a temporal member.

With the temporal group membership functionality, Active Roles assures that users have group memberships for only the time they actually need to, enforcing the temporal nature of group memberships when required and eliminating the risk of retaining group memberships for longer than needed.

Using temporal group memberships

By using temporal group memberships, you can manage group memberships of objects such as user or computer accounts that need to be members of particular groups for only a certain time period. This feature of Active Roles gives you flexibility in deciding and tracking what objects need group memberships and for how long.

This section guides you through the tasks of managing temporal group memberships in the Active Roles Console. If you are authorized to view and modify group membership lists, then you can add, view and remove temporal group members as well as view and modify temporal membership settings on group members.

Adding temporal members

A temporal member of a group is an object, such as a user, computer or group, scheduled to be added or removed from the group. You can add and configure temporal members using the Active Roles Console.

To add temporal members of a group

  1. In the Active Roles Console, right-click the group and click Properties.

  2. On the Members tab in the Properties dialog, click Add.

  3. In the Select Objects dialog, click Temporal Membership Settings.

  4. In the Temporal Membership Settings dialog, choose the appropriate options, and then click OK:

    1. To have the temporal members added to the group on a certain date in the future, select On this date under Add to the group, and choose the date and time you want.

    2. To have the temporal members added to the group at once, select Now under Add to the group.

    3. To have the temporal members removed from the group on a certain date, select On this date under Remove from the group, and choose the date and time you want.

    4. To retain the temporal members in the group for indefinite time, select Never under Remove from the group.

  5. In the Select Objects dialog, type or select the names of the objects you want to make temporal members of the group, and click OK.

  6. Click Apply in the Properties dialog for the group.

NOTE: Consider the following when adding temporal members of a group:

  • To add temporal members of a group, you must be authorized to add or remove members from the group. You can get the appropriate authorization by applying the Groups - Add/Remove Members Access Template.

  • You can make an object a temporal member of particular groups by managing the object properties rather than the group properties. Open the Properties dialog for that object, and then, on the Member Of tab, click Add. In the Select Objects dialog, specify the temporal membership settings and enter the names of the groups according to your needs.

Viewing temporal members

The list of group members displayed by the Active Roles Console makes it possible to distinguish between regular group members and temporal group members. It is also possible to hide or display so-called pending members, the temporal members that are scheduled to be added to the group in the future but are not actual members of the group so far.

To view temporal members of a group

  1. In the Active Roles Console, right-click the group and click Properties.

  2. Examine the list on the Members tab in the Properties dialog:

    • An icon of a small clock overlays the icon for the temporal members.

    • If the Show pending members check box is selected, the list also includes the temporal members that are not yet added to the group. The icons identifying such members are shown in orange.

The list of group memberships for a particular object makes it possible to distinguish between the groups in which the object is a regular member and the groups in which the object is a temporal member. It is also possible to hide or display so-called pending group memberships, the groups to which the object is scheduled to be added in the future.

To view groups in which an object is a temporal member

  1. In the Active Roles console, right-click the object and click Properties.

  2. Examine the list on the Member Of tab in the Properties dialog:

    • An icon of a small clock overlays the icon for the groups in which the object is a temporal member.

    • If the Show pending group memberships check box is selected, the list also includes the groups to which the object is scheduled to be added in the future. The icons identifying such groups are shown in orange.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択