The Notification pane displays the notification specific to Starling operations. The notifications are classified into Starling Connect and Updates.
IMPORTANT: Consider the following when configuring notifications for Starling operations:
-
You must enable Port 7465 (HTTP) TCP Inbound/Outbound and Port 7466 (HTTPS) TCP Inbound/Outbound for the notifications to work. For more information, see Access to the managed environment.
-
The Web Interface machine must be able to resolve Service machine name for notifications to work.
To view the Starling Connect notification
-
On the Active Roles Web Interface, click the notification icon.
Starling Connect and Updates tabs are displayed.
-
Click the Starling Connect tab to view the notifications specific to SaaS operations.
NOTE: The latest five notifications are sent only to the initiator of the operation.
To view the Updates
-
On the Active Roles Web Interface, click the notification icon.
Starling Connect and Updates tabs are displayed.
-
Click the Updates tab to view the important updates about Starling.
-
For more information on the notification, click Read More.
NOTE: The notifications are sent to all the users who have joined Starling on the Administration website.
To view notifications on the Notifications page
-
On the Active Roles Web Interface, click the notification icon.
Starling Connect and Updates tabs are displayed.
-
Click the Starling Connect tab to view the notifications specific to SaaS operations.
The latest five notifications are displayed with the configuration status and a brief description.
-
Click View all notifications to view the details about the notification.
The Notification page is displayed.
-
Click Filter drop-down menu to filter the notifications based on time, connector name , status, and keywords.
-
Select the required notifications and click Export to CSV from the Action drop-down. Click Go. You can also delete a notification by selecting a particular checkbox.
-
Point the mouse to the notification in the Message column to view a detailed description. Expand the connector information available next to the connector check box to view the detailed description. The description pane gives the link to Change History of that particular object for more details. You can also copy the message in case of a failure.
Configuring notification settings
You can configure notifications settings from the Home screen > Settings page and Home screen > Customization > Global Settings.
To configure notification settings on the Settings page
-
On the Active Roles Web Interface, click the Settings.
The Settings page is displayed.
-
On the Settings page, enter the time in minutes for which the notification is to be visible in Time (in minutes) for which the notification is visible field.
NOTE: By default, the time is set to 0 and the notifications do not expire. You can update the time to the required limit in minutes.
-
Enter the number of notifications to be stored in Maximum number of notifications to be stored in Active Roles field.
NOTE: The maximum number of notifications that can be stored is 1000.
To configure notification settings on the Customization page
-
On the Active Roles Web Interface, click the Customization.
The Customization page is displayed.
-
On the Customization page, click Global Settings.
-
In the Settings applied for every user of the Web Interface by default section, enter the time in minutes for which the notification is to be visible in Time (in minutes) for which the notification is visible field.
NOTE: By default, the time is set to 0 and the notifications do not expire. You can update the time to the required limit in minutes.
-
Enter the number of notifications to be stored in Maximum number of notifications to be stored in Active Roles field.
NOTE: The maximum number of notifications that can be stored is 1000.
IMPORTANT: For notifications to work as expected, you must perform the following, if you are using Active Roles website over HTTPS:
-
Import a valid certificate into Trusted Root Certificate Authority in the machine where Active Roles Service is installed.
-
In the below command, substitute thumbprint of the newly added certificate to CERT_HASH.
-
In the below command, substitute a Unique GUID to APP_ID.
-
Run the command below in PowerShell command interface:
netsh http add sslcert ipport=0.0.0.0:7466 appid='{APP_ID}' certhash=<CERT_HASH>.
Active Roles provides support to connect to Starling Connect to manage the user provisioning and deprovisioning activities for the registered connectors. This is achieved through the internal attribute mapping mechanism. The AD attributes are mapped to SCIM attributes to perform each operation.
Table 84: SCIM attribute mapping with Active Directory for Users
| SCIM |
Active Directory |
|
displayName |
displayName |
|
givenName |
givenName |
|
familyName |
sn |
|
middleName |
middleName |
|
title |
title |
|
password |
edsaPassword |
|
streetAddress |
streetAddress |
|
locality |
city |
|
postalCode |
postalCode |
|
region |
state |
|
country |
c |
|
active |
edsaAccountIsDisabled |
|
userName |
edsvauserName |
|
honorificPrefix |
initials |
|
formattedName |
cn |
|
emails |
proxyAddresses,mail |
|
preferredLanguage |
preferredLanguage |
|
description |
description |
|
emailEncoding |
edsvaemailEncoding |
|
alias |
edsvaalias |
|
division |
division |
|
company |
company |
|
department |
department |
|
homePage |
wWWHomePage |
|
lastLogon |
lastLogon |
|
accountExpires |
accountExpires |
|
timezone |
edsvatimezone |
|
entitlements |
edsvaentitlements |
|
employeeNumber |
employeeNumber |
|
cn |
cn |
|
userPermissionsMarketingUser |
edsvauserPermissionsMarketingUser |
|
userPermissionsOfflineUser |
edsvauserPermissionsOfflineUser |
|
userPermissionsAvantgoUser |
edsvauserPermissionsAvantgoUser |
|
userPermissionsCallCenterAutoLogin |
edsvauserPermissionsCallCenterAutoLogin |
|
userPermissionsMobileUser |
edsvauserPermissionsMobileUser |
|
userPermissionsSFContentUser |
edsvauserPermissionsSFContentUser |
|
userPermissionsKnowledgeUser |
edsvauserPermissionsKnowledgeUser |
|
userPermissionsInteractionUser |
edsvauserPermissionsInteractionUser |
|
userPermissionsSupportUser |
edsvauserPermissionsSupportUser |
|
userPermissionsLiveAgentUser |
edsvauserPermissionsLiveAgentUser |
|
locale |
localeID |
|
phoneNumbers |
telephoneNumber,mobile,homePhone |
|
manager |
manager |
|
desiredDeliveryMediums |
edsvadesiredDeliveryMediums |
|
nickname |
edsvanickname |
Table 85: SCIM attribute mapping with Active Directory for Groups
|
SCIM |
Active Directory |
|
displayName |
cn |
|
members |
member |
|
email |
mail |
|
manager |
managedBy |
Configuring linked mailboxes with Exchange Resource Forest Management
The Exchange Resource Forest Management (ERFM) feature of Active Roles allows you to automate mailbox provisioning for on-premises users in environments where the mailboxes and the user accounts are managed in different Active Directory (AD) forests. Such multi-forest environments are based on the resource forest model, and mailboxes provisioned in such environments are called linked mailboxes.
Multi-forest AD deployments have higher administrative and support costs. However, they offer the highest level of security isolation between AD objects and the Exchange service. As such, One Identity recommends configuring the resource forest model for use with Active Roles in organizations that:
-
Aim for an extra layer of data security.
-
Frequently experience organizational changes (for example, buying companies, or consolidating and breaking off branch companies, departments and other business units).
-
Abide by certain legal or regulatory requirements.
AD deployments following the resource forest model use two types of AD forests:
-
Account forests: These AD forests store the user objects. Organizations can use one or more account forests in the resource forest model.
-
Resource forest: This AD forest contains the Exchange server and stores the mailboxes of the user objects.
For more details on ERFM, see Exchange Resource Forest Management in the Active Roles Feature Guide.
To use linked mailboxes with Exchange Resource Forest Management (ERFM) in Active Roles for your organization, your deployment must meet the following requirements.
Multi-forest deployment
Your organization must have at least two Active Directory (AD) forests:
-
Account forest: One or more forests that contain the user accounts.
-
Resource forest: A forest that contains the Exchange server and will store the mailboxes and the shadow accounts connecting the linked mailboxes to the user objects. ERFM requires a supported version of Exchange Server installed in the resource forest. For more information on the Microsoft Exchange Server versions supported by Active Roles, see System requirements in the Active Roles Release Notes.
For more information on planning and configuring multi-forest AD deployments, see Setting up a forest trust to support linked mailboxes and Plan a multi-forest deployment in the Microsoft documentation.
For more information on the Microsoft Exchange Server versions Active Roles supports, see Supported platforms in the Active Roles Release Notes.
Two-way trust relation
The resource and account forests must identify each other as trusted domains (that is, they must be in a two-way trust relation).
Applying the ERFM - Mailbox Management built-in policy
You must apply the ERFM - Mailbox Management built-in policy (or a copy of it) on the Organizational Unit (OU) whose users will use linked mailboxes. For more information, see Applying the ERFM Mailbox Management policy to an OU.
(Optional) Modifying the ERFM scheduled task
Once the ERFM - Mailbox Management built-in policy is configured for an OU, Active Roles synchronizes the properties of every managed master user account to the corresponding shadow account with the ERFM - Mailbox Management built-in scheduled task.
By default, the scheduled task runs on a daily basis, and normally, you do not need to modify its settings. To change the default ERFM scheduling (for example, because of organizational reasons), or run it manually so that you can immediately identify master accounts in your OU, see Configuring the ERFM Mailbox Management scheduled task.
(Optional) Changing the default location of the shadow accounts
By default, the ERFM - Mailbox Management built-in policy saves shadow accounts in the Users container of the resource forest. If your organization stores other users as well in the Users container, then One Identity recommends changing the container for storing the shadow accounts for clarity.
For more information, see Changing the location of the shadow accounts.
(Optional) Modifying the synchronized properties of the master account
By default, ERFM synchronizes a pre-defined set of user and mailbox properties between the master accounts and shadow accounts. If you need to modify and/or expand the default set of synchronized properties (for example, because of organizational reasons), open and update the applicable ERFM - Mailbox Management policy settings.
For the list of default synchronized properties and more information on changing them, see Configuring the synchronized, back synchronized or substituted properties of linked mailboxes.
(Optional) Delegating Exchange Access Templates
If you want to manage linked mailboxes with non-administrator users, you must assign one or more of the following Exchange Access Templates (ATs) to them in the Active Roles Console:
-
Exchange - Manage Resource, Linked and Shared Mailboxes
-
Exchange - Convert Linked Mailbox to User Mailbox
-
Exchange - Convert User Mailbox to Linked Mailbox
-
Exchange - Create Linked Mailboxes
-
Exchange - Read ERFM Attributes
-
Exchange - Recipients Full Control
TIP: To provide full control for a user to create, view, or change linked mailboxes in the Exchange forest, assign the Exchange - Recipients Full Control AT to them.
For more information on how to apply ATs, see Applying Access Templates.
