サポートと今すぐチャット
サポートとのチャット

Active Roles 8.1.5 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Adding activities to a workflow

The Active Roles Console provides the Workflow Designer for creating and configuring workflows. First, you create a workflow definition. Then, you use the Workflow Designer to construct the workflow by adding and configuring workflow activities.

To add an activity to a workflow

  1. In the Active Roles Console tree, expand Configuration > Policies > Workflow, and select the workflow to which you want to add an activity.

    This opens the Workflow Designer window in the Details pane, representing the workflow definition as a process diagram.

  2. In the Details pane, drag the activity from the left panel onto the process diagram.

  3. Right-click the name of the activity in the process diagram and click Properties.

  4. Use the Properties dialog to configure the activity.

If you add an activity to the upper part of the diagram (above the Operation execution line), the activity will be run in the pre-running phase of operation processing. For more information, see Workflow processing overview. If you add an activity to the lower part of the diagram (beneath the Operation execution line), the activity will be run in the post-running phase of operation processing. Certain activities, such as an Approval activity, which are intended to run in the pre-running phase, cannot be added to the lower part of the diagram.

In the Properties dialog, you can change the name and description of the activity. These settings are common to all activities. The name identifies the activity in the process diagram. The description appears as a tooltip when you point to the activity in the process diagram. To remove an activity from the process diagram, right-click the name of the activity and click Delete.

Configuring an Approval activity

The task of configuring an Approval activity includes the following steps:

  • Choose approvers and configure escalation: You have to specify, at a minimum, a list of approvers for the initial approver level. Active Roles first assigns approval tasks to the approvers of that level. You can configure additional approver levels to enable escalation of approval tasks.

  • Choose properties for the approver to review, supply or change: You can list the object properties that the approver must supply when performing the approval tasks (request for additional information), and choose whether the approver is allowed to view or change the object properties that are submitted for approval (review request).

  • Customize the pages for performing the approval task: You can customize the header of the approval task page by choosing the task title and object properties to be included in the header, and configure custom action buttons in addition to the default action buttons (Approve and Reject).

  • Configure notification: You can choose the workflow events to notify of, specify the notification recipients and delivery options, and customize the notification message.

This section provides instructions on the following configuration procedures:

For more information on how to configure notification settings, see Configuring a Notification activity.

Configuring approvers

A valid approval rule must, at a minimum, specify a list of approvers for the initial approver level. Active Roles first assigns the approval task to the approvers of that level. You can configure additional approver levels to enable escalation of approval tasks.

To specify approvers for the initial approver level

  1. In the Active Roles Console tree, expand Configuration > Policies > Workflow, and select the workflow containing the Approval activity you want to configure.

    This opens the Workflow Designer in the Details pane, representing the workflow definition as a process diagram.

  2. In the process diagram, right-click the name of the Approval activity and click Properties.

  3. In the Properties dialog, navigate to the Approvers tab.

  4. Verify that the Initial approver - level 0 item is selected in the Select approver level to configure box.

  5. Click Designate approvers.

  6. On the Approvers Selection page, select check boxes to specify approvers.

  7. If you have selected These users or groups, use the Add and Remove buttons to configure the list of approvers.

If you enable escalation on the initial approver level (see Configuring escalation), then you have to specify approvers for escalation level 1 (the escalation level subsequent to the initial approver level). Active Roles supports up to 10 escalation levels, each containing a separate list of approvers. If you enable escalation on a given escalation level, then you have to specify approvers for the subsequent escalation level.

To specify approvers for a certain escalation level

  1. In the Select approver level to configure list, click the escalation level you want to configure.

    To configure a particular escalation level, you must first specify approvers and enable escalation on the preceding approver level.

  2. Click Designate approvers.

  3. On the Approvers Selection page, select check boxes to specify approvers.

  4. If you have selected These users or groups, use the Add and Remove buttons to configure the list of approvers.

The selection of approvers can be based on the Manager or Managed By property:

  • By selecting the Manager of person who requested operation check box, you configure the Approval activity so that the operations requested by a given user require approval from the manager of that user. With this option, the operation initiated by the user submits the approval task to the person specified as the manager of the user in the directory.

  • By selecting the Manager of operation target object or Manager of Organizational Unit where operation target object is located check box, you configure the Approval activity so that the changes to a given object require approval from the manager of that object or from the manager of the OU containing that object, respectively. With these options, the operation requesting changes to a given object submits the approval task to the person specified as the manager of the object or OU in the directory.

  • By selecting the Secondary owners of operation target object check box, you configure the Approval activity so that the changes to the operation target object require approval from any person who is designated as a secondary owner of that object. Secondary owners may be assigned to an object, in addition to the manager (primary owner), to load balance the management of the object.

  • By selecting the Manager of person being added or removed from target group check box, you configure the Approval activity so that the addition or removal of an object from the operation target group requires approval from the manager of that object. For example, given a request to add a user to the operation target group, this option causes the Approval activity to submit the approval task to the person specified as the manager of the user in the directory.

When you specify approvers for an escalation level, additional options are available:

  • Manager of approver of preceding level: Use this option to escalate the approval task to the manager of the user or group that is designated as an approver on the preceding approver level. Suppose a given user is an initial approver, and escalation is enabled on the initial approver level. When escalation occurs, the approval task will be assigned to the manager of that user.

  • Secondary owner of approver of preceding level: Use this option to escalate the approval task to the secondary owner of the user or group that is designated as an approver on the preceding approver level. Suppose a given group is an initial approver, and escalation is enabled on the initial approver level. When escalation occurs, the approval task will be assigned to the secondary owner of that group.

The selection of approvers may also be based on a script function that chooses the approver when the Approval activity is being executed. The function may access properties of objects involved in the operation, analyze the properties, and return an identifier of the user or group to be selected as an approver.

Configuring escalation

An Approval activity may define multiple approver levels, each containing a separate list of approvers. Active Roles uses approver levels when escalating time-limited approval tasks. For each approver, level the Approval activity can specify a certain time period. If an approver of a given level does not complete the approval task within the specified time period, then Active Roles assigns the task to the approvers of the next level. This process is called escalation.

A valid Approval activity must specify a list of approvers for the initial approver level. Active Roles first assigns the approval task to the approvers of that level. To enable escalation, a separate list of approvers must be specified for the subsequent escalation level.

To configure escalation on the initial approver level

  1. Specify approvers for the initial approver level (for instructions, see Configuring approvers).

  2. Verify that the Initial approver - level 0 item is selected in the Select approver level to configure box.

  3. Select one or both of these options:

    • Approval task has a time limit of <number> days <number> hours: Specify the time period within which the initial approver has to complete the approval task.

    • Allow approver to escalate approval task: When selected, allows the approvers of the initial level to reassign their approval tasks to the approvers of escalation level 1.

  4. If you have selected only the first option (a time limit for the task), then select the Escalate approval task to Escalation level 1 option. Otherwise, escalation is not enabled.

  5. In the Select approver level to configure box, click Escalation level 1.

  6. Specify approvers for escalation level 1 (for instructions, see Configuring approvers).

Active Roles allows up to 10 escalation levels, each containing a separate list of approvers. You can configure escalation levels one after another to create an escalation chain. Thus, after you have configured escalation on the initial approver level, you can configure escalation on escalation level 1, then you can configure escalation on escalation level 2, and so on. As a result, you could achieve the following sequence of events:

  • If the initial approvers do not complete the approval task on time, then the task is assigned to the approvers of escalation level 1.

  • If the approvers of escalation level 1 do not complete the approval task within their time frame, the task is assigned to the approvers of escalation level 2 with the new time limit. This escalation chain may contain up to 10 escalation levels.

To configure escalation on a certain escalation level

  1. In the Select approver level to configure list, click the escalation level you want to configure.

    To configure a particular escalation level, you must first specify approvers and enable escalation on the preceding approver level.

  2. Select one or both of these options:

    • Approval task has a time limit of <number> days <number> hours: Specify the time period within which the initial approver has to complete the approval task.

    • Allow approver to escalate approval task: When selected, allows the approvers of the current level to reassign their approval tasks to the approvers of the next level.

  3. If you have selected only the first option (a time limit for the task), then select the Escalate approval task to Escalation level <number> option. Otherwise, escalation is not enabled.

  4. In the Select approver level to configure box, click the item representing the subsequent escalation level.

    For example, if you are configuring escalation level 1, click the Escalation level 2 list item.

  5. Specify approvers for the subsequent escalation level (for instructions, see Configuring approvers).

NOTE: Each approver level has separate configuration, so the escalation options of a specific level apply only to that level. Therefore, each approver level has a separate time limit, the option that determines whether to escalate the approval task after the time limit has expired, and whether the approvers of that level are allowed to escalate the approval task manually.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択