サポートと今すぐチャット
サポートとのチャット

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Managing Access Template links

When you apply an Access Template (as described in Applying Access Templates), Active Roles creates an Access Template link that stores information about:

  • The Access Template used for giving the permissions.

  • The directory object on which the Access Template is applied.

  • The user or group (Trustee) to whom the permissions are assigned.

If needed, you can modify the link via the Active Roles Console.

TIP: For more information about Access Template links, see Access Template link management in the Active Roles Feature Guide.

To view or modify Access Template links in which a given Access Template occurs

  1. Right-click the Access Template, and click Links.

  2. In the Links dialog, do the following:

    • To create a new link, click Add and follow the steps in the Delegation of Control Wizard to apply an Access Template. For more information, see Applying Access Templates.

    • To delete a link, select it from the list and click Remove.

    • To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.

    • To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.

    • To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.

To view or modify Access Template links on a given object

  1. Open the Active Roles Security dialog for the object with one of the following methods:

    • Right-click the object, and click Delegate Control.

    • Right-click the object, and click Properties. Then, on the Administration tab in the Properties dialog, click Security.

  2. In the Active Roles Security dialog, do the following:

    • To create a new link, click Add and follow the steps in the Delegation of Control Wizard to specify permission settings on the object by using an Access Template. For more information, see Applying Access Templates.

    • To delete a link, select it from the list and click Remove.

    • To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.

    • To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.

    • To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.

To view or modify Access Template links for a given user or group

  1. Right-click the user or group, and click Delegated Rights.

  2. In the Delegated Rights dialog, do the following:

    • To create a new link, click Add and follow the steps in the Delegation of Control Wizard to specify permissions for the user or group by using an Access Template. For more information, see Applying Access Templates.

    • To delete a link, select it from the list and click Remove.

    • To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.

    • To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.

    • To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.

NOTE: Consider the following when managing Access Template links:

  • By default, the Active Roles Security dialog for an object lists all the links that determine the permission settings on the object, regardless of whether a link was created on the object itself or on a container or Managed Unit that holds the object. To change the display of the list, clear the Show inherited check box.

  • In the Active Roles Security dialog, only direct links can be removed, that is, a link can be removed if the link was created on the object itself (not inherited from a container or Managed Unit). Only direct links are displayed when you clear the Show inherited check box, so you can delete them by clicking Remove.

  • In the Active Roles Security dialog, the Remove button is available only on direct links. When you need to delete links, it is advisable to manage this by using the Links command on the Access Template or by using the Delegated Rights command on the Trustee (user or group).

    Alternatively, you can delete a link by using the View/Edit option. Select the link and click View/Edit. Then, click Properties next to the Access Template box. After that, on the Administration tab, click Links. Finally, delete the link from the Links dialog.

  • In the Active Roles Security dialog, the Sync to AD button is available only on direct links. When you need to change synchronization status of a link, it is advisable to manage this by using the Links command on the Access Template or by using the Delegated Rights command on the Trustee (user or group).

    Alternatively, you can change the synchronization status of a link by using the View/Edit option. Select the link and click View/Edit. Then, on the Synchronization tab, select or clear Propagate permissions to Active Directory.

  • Clicking View/Edit displays the Properties dialog for the selected link. This dialog can be considered as a focal point for administration of all elements of the link. Thus, from the Properties dialog, you can access the properties of the directory object, Access Template and Trustee that are covered by the link, view or modify the settings found on the Inheritance Options and Permissions Propagation pages in the Delegation of Control Wizard, and enable or disable the link.

  • You can also manage Access Template links on the Links or Active Roles Security tab in the Advanced Details Pane, which allows you to perform the same tasks as the Links or Active Roles Security dialog, respectively. Right-click a link or a blank area on the tab, and use command on the shortcut menu. The Links tab is displayed when you select an Access Template. Otherwise, the Active Roles Security tab is displayed. To display the Advanced Details Pane, check Advanced Details Pane on the View menu. For more information, see Advanced pane in the Active Roles Feature Guide.

Synchronizing permissions to Active Directory

Active Roles provides the option to keep Active Directory native security updated with selected permission settings that are specified by using Access Templates. This option, referred to as "permission propagation", is intended to provision users and applications with native permissions to Active Directory. The normal operation of Active Roles does not rely on this option.

You can set the permissions propagation option as follows:

  • When applying an Access Template, select the Propagate permissions to Active Directory check box in the Delegation of Control Wizard. For more information, see Applying Access Templates.

  • When managing Access Template links, use the Sync to AD button in the dialog that displays a list of links. For more information, see Managing Access Template links.

As an example, you can use the following instructions to set the permissions propagation option on the permission settings that are defined by applying a certain Access Template to an Organizational Unit (OU):

To synchronize permission settings on an OU

  1. Right-click the OU and click Delegate Control.

  2. In the Active Roles Security dialog, select the Access Template link that determines the permission settings you want to synchronize to Active Directory, then click Sync to AD.

  3. Click OK to close the Active Roles Security dialog.

NOTE: Consider the following when configuring permission propagation:

  • When synchronizing permissions to Active Directory, Active Roles creates permission entries in Active Directory so that the Trustee has the same rights in Active Directory as it has in the Active Roles environment as per the Access Template links you have synchronized.

  • You can stop synchronization of permissions at any time by clicking Desync to AD. If you do so, Active Roles deletes all permission entries in Active Directory that were created as a result of synchronization.

  • In the Active Roles Security dialog, the Sync to AD button is only available on direct links. When you need to synchronize links, it is advisable to manage them using the Links command on the Access Template.

  • You can also manage the permissions propagation option on the Links or Active Roles Security tab in the Advanced Details Pane, which allows you to perform the same tasks as the Links or Active Roles Security dialog, respectively. Right-click the link on which you want to set the permissions propagation option, and click Sync to AD to start synchronization or Desync to AD to stop synchronization. The Links tab is displayed when you select an Access Template. Otherwise, the Active Roles Security tab is displayed. To display the Advanced Details Pane, check Advanced Details Pane on the View menu. For more information, see Advanced pane in the Active Roles Feature Guide.

Adding, modifying, or removing Access Template permissions

Even after creating a new Access Template, you can:

To change the configured permissions of an existing Access Template, use the Active Roles Console.

Adding permissions to an Access Template

You can add permission entries to an Access Template via the Active Roles Console.

To add a permission entry to an Access Template

  1. In the Console tree, under Configuration > Access Templates, locate and select the folder that contains the Access Template you want to modify.

  2. In the details pane, right-click the Access Template, and click Properties.

  3. On the Permissions tab, click Add, and then use the Add Permission Entries Wizard to configure a permission entry.

    For detailed instructions on how to add a permission entry to an Access Template, see Creating an Access Template.

NOTE: Consider the following when working with an Access Template:

  • The Permissions tab lists the permission entries that are configured in the Access Template. You can use the Permissions tab to add, modify, or delete permission entries from the Access Template.

  • Once you apply an Access Template in Active Roles to specify directory permissions, any changes to the list of permission entries in the Access Template will result in the directory permissions changing accordingly.

  • Active Roles includes a suite of predefined Access Templates. The list of permission entries in a predefined Access Template cannot be modified. If you need to add, modify, or delete permission entries from a predefined Access Template, create a copy of that Access Template, then make changes to the copy. Another option is to create an Access Template and nest the predefined Access Template into the newly created Access Template. For instructions, see Creating an Access Template, Copying an Access Template, and Managing nested Access Templates.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択