Active Roles 8.2 - Administration Guide

Configuring Active Roles SPML Provider

Configuration settings allow the administrator to configure SPML Provider and its schema in order to adjust the SPML Provider behavior. Administrators can, for example, specify the required managed objects and attributes in the schema, or choose the type of execution (disabling or deprovisioning objects) for the Suspend operation.

Configuring SPML Provider settings in the SPML.Config file

The SPML Provider configuration settings can be found in the SPML.Config file located in the Web subfolder of the SPML Provider installation folder. The SPML.Config file contains data in the XML format. You can open and edit the configuration file with a common text editor, such as Notepad.

NOTE: After you modify configuration settings, restart the IIS application pool for the SPML Provider website for the changes to take effect.

The following table describes the XML elements used in the SPML Provider configuration file.

Table 65: XML elements used in the SPML Provider configuration file

| Element | Parent element | Description |
|---|---|---|
| service | configuration | In proxy mode, specifies the name of the computer running the Active Roles Administration Service. In direct access mode, specifies the name of the AD domain controller or AD LDS server. The name of the AD LDS server must be in the form <servername:portnumber>. |
| adsiProvider | configuration | Specifies the progID of the ADSI Provider. In proxy mode, the progID is EDMS. In direct access mode, the progID is LDAP. |
| schemaFile | configuration | Contains the name of the file that defines the DSML Profile schema for SPML Provider. By default, the file name is SPMLSchema.Config. The schema file must be located in the same folder as the SPML.Config file. |
| defaultMaxSelect | search | Specifies the maximum number of search results that SPML Provider can return without page splitting. The default value is 1000. |
| pageSize | search | Specifies the maximum number of search results per page. The default value is 25. NOTE: If pageSize is set to 0, SPML Provider returns search results without page splitting. |
| class | password | Contains the LDAP display name of the schema class of objects on which SPML Provider is expected to perform the Password Capability-related operations such as setPassword and expirePassword. |
| class | suspend | Contains the LDAP display name of the schema class of objects on which SPML Provider is expected to perform the Suspend Capability-related operations such as suspend, resume, and active. |
| suspendAction | suspend | Possible values: disable or deprovision. The default value is disable. If suspendAction is set to disable, SPML Provider disables the specified user account on the target. If suspendAction is set to deprovision, SPML Provider deprovisions the specified user account in accordance with the deprovisioning policies defined by Active Roles. |
| checkOutput | configuration | Possible values: true or false. The default value is false. true causes SPML Provider to check the string attribute values retrieved from the underlying directory before adding them to a response. If an attribute value contains illegal characters that could break the XML parser on the client side, SPML Provider converts the attribute value to the base64binary format and then adds the result of the conversion to the response. Note that this option may result in performance degradation of SPML Provider as checking every attribute value is a resource-intensive operation. false causes SPML Provider not to check the string attribute values retrieved from the underlying directory. An attribute value is added to the response without any conversion even if the value contains illegal characters. |

NOTE: In accordance with the XML specification, the legal character range is as follows: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]. With checkOutput set to true, SPML Provider ensures that attribute values in a response contain only characters from the legal character range.
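The checkOutput rule, worked through in Python as an added example (not One Identity code): it tests a value against the legal character range from the NOTE, converts it to base64 when it fails, and shows that a strict client-side parser rejects the raw value but accepts the converted one. The function names, the UTF-8 byte encoding before base64, and the sample value are assumptions made for the illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Matches any character outside the legal range quoted in the NOTE above.
ILLEGAL_XML_CHARS = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

def check_output(value):
    """Decide how one string attribute value goes into a response.

    Follows the documented checkOutput=true rule. UTF-8 as the byte
    encoding before base64 is an assumption; the page does not state it.
    """
    if ILLEGAL_XML_CHARS.search(value):
        raw = value.encode("utf-8", "surrogatepass")
        return "base64Binary", base64.b64encode(raw).decode("ascii")
    return "string", value

def decode_value(kind, text):
    """Client side: recover the original string from either form."""
    if kind == "base64Binary":
        return base64.b64decode(text).decode("utf-8", "surrogatepass")
    return text

def client_can_parse(text):
    """True if a conforming XML parser accepts the text as element content."""
    try:
        ET.fromstring("<value>" + escape(text) + "</value>")
        return True
    except ET.ParseError:
        return False

# Constructed directory value: a description containing a vertical tab (#xB).
RAW = "Finance\x0bcontractor"
```

With checkOutput left at false, a value like `RAW` reaches the client unconverted, so `client_can_parse(RAW)` is the failure the setting exists to prevent.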

Sample SPML Provider configuration file

The following is an example of the configuration file for SPML Provider configured to operate in proxy mode. If SPML Provider and the Active Roles Administration service are installed on the same computer, the default configuration settings look as follows:

<?xml version="1.0"?>
  <configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:quest:names:SPMLProvider">
    <service>localhost</service>
    <adsiProvider>EDMS</adsiProvider>
    <schemaFile>SPMLSchema.Config</schemaFile>
    <capabilities>
      <search>
        <defaultMaxSelect>1000</defaultMaxSelect>
        <pageSize>25</pageSize>
      </search>
      <password>
        <appliesTo>
          <class>user</class>
        </appliesTo>
      </password>
      <suspend>
        <appliesTo>
          <class>user</class>
        </appliesTo>
        <suspendAction>disable</suspendAction>
      </suspend>
    </capabilities>
    <checkOutput>false</checkOutput>
  </configuration>
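A pre-deployment check for SPML.Config, added here as an example and not part of the product: it parses the file and reports values that fall outside what the element table documents, plus the two documented settings that change what clients receive (pageSize 0 and checkOutput false). The function name, the finding messages, the path-separator test for schemaFile, and the constructed input are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:quest:names:SPMLProvider"}  # default namespace of SPML.Config

# Constructed input: the sample above, compacted, with pageSize and
# suspendAction changed so that the checks have something to report.
CONSTRUCTED = """<configuration xmlns="urn:quest:names:SPMLProvider">
  <service>localhost</service><adsiProvider>EDMS</adsiProvider>
  <schemaFile>SPMLSchema.Config</schemaFile>
  <capabilities>
    <search><defaultMaxSelect>1000</defaultMaxSelect><pageSize>0</pageSize></search>
    <suspend><appliesTo><class>user</class></appliesTo>
      <suspendAction>delete</suspendAction></suspend>
  </capabilities>
  <checkOutput>false</checkOutput>
</configuration>"""

def lint_spml_config(xml_text):
    """Return (element, message) findings based on the element table."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    findings = []
    provider = text("s:adsiProvider")
    if provider not in ("EDMS", "LDAP"):
        findings.append(("adsiProvider", f"{provider!r} is neither EDMS nor LDAP"))
    schema = text("s:schemaFile")
    if schema and ("/" in schema or "\\" in schema):
        findings.append(("schemaFile", "must be a file name in the SPML.Config folder"))
    for name in ("defaultMaxSelect", "pageSize"):
        raw = text(f"s:capabilities/s:search/s:{name}")
        if raw is not None and not raw.isdigit():
            findings.append((name, f"{raw!r} is not a non-negative integer"))
        elif name == "pageSize" and raw == "0":
            findings.append((name, "0 returns results without page splitting"))
    action = text("s:capabilities/s:suspend/s:suspendAction")
    if action not in (None, "disable", "deprovision"):
        findings.append(("suspendAction", f"{action!r} is not disable or deprovision"))
    check = text("s:checkOutput")
    if check not in (None, "true", "false"):
        findings.append(("checkOutput", f"{check!r} is not true or false"))
    elif check != "true":
        findings.append(("checkOutput", "illegal XML characters reach clients unconverted"))
    return findings
```

To check a real file, pass its contents to `lint_spml_config` before restarting the IIS application pool.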

Extending the SPML Provider schema

The SPML Provider schema defines the XML structure of the objects and attributes that SPML Provider manages. You can modify the schema to manage new types of objects or object properties. Thus, you can add the class and attribute definitions to the schema in order to meet the needs of your organization.

NOTE: In proxy mode, you can add only those object classes and attributes that are valid according to the Active Roles schema.

The SPML Provider schema is stored in the SPMLSchema.Config file. The SPMLSchema.Config file is located in the Web subfolder of the SPML Provider installation folder.

The schema format corresponds to the DSML Version 2 profile (DSMLv2). For detailed information on the DSML v2 profile, refer to the OASIS SPML v2 - DSML v2 Profile specification. The specification describes the use of the DSML protocol as a data model for SPML-based provisioning and can be accessed from the OASIS Web site at http://www.oasis-open.org/specs/index.php#spmlv2.0.
