
Active Roles On Demand Hosted - Quick Start Guide

Configuring the Active Roles Collector and Report Pack

If you have optionally installed the Active Roles Collector and Report Pack as described in Installing the Active Roles Collector and Report Pack, you must configure it to use its data collection and reporting features.

To configure the Active Roles Collector and Report Pack

  1. From the Windows Start Menu, launch One Identity Active Roles 7.5.3 > Active Roles 7.5.3 Collector and Report Pack.

  2. In the Select Task step, select Collect data from the network and click Next.

  3. In the Configure Connection step, to specify a new data collection database, click Specify next to the Database field.

  4. In the Specify Database step, select Create Database and configure the following settings.

    • Database Type: Select Azure SQL Database.

    • SQL Server: Enter the name of the Azure SQL server provided by One Identity.

    • Database: Enter ActiveRoles_Collector.

    • Connect using: Select SQL Server authentication and enter the Azure SQL login credentials provided by One Identity in the Login and Password fields.

    To continue configuration, click OK. The database will be created in the Azure SQL instance of your Active Roles SaaS tenant. When the database is created, the Database field of the Configure Connection step will be automatically populated.

  5. In the Configure Connection step, specify the Active Roles Service server name in the Active Roles Service field, then select Log on as > Specified user and provide the login details of the Active Roles Reporting domain service account credentials created as a prerequisite for Installing the Active Roles Collector and Report Pack.

  6. In the Data Collection Tasks step, select Active Directory and Policy Compliance Information as the type of data that the Active Roles Collector and Report Pack will collect.

    TIP: You can also select Active Roles event log to collect application event logs with the Active Roles Collector and Report Pack. However, One Identity recommends using a dedicated Log Management or SIEM solution to gather and archive event logs.

  7. In the Data to Collect step, select all categories except Access Templates, and click Next.

    NOTE: Selecting all check boxes (including Access Templates) in this step will result in a data collection error as described in Knowledge Base Article 230239 in the One Identity Support Portal.

    This error occurs when configuring either an immediate or a scheduled data collection operation (configured with the Now and On a schedule settings of the Select Operation Mode step, respectively). When running an immediate data collection operation, this error is visible on the user interface. When performing a scheduled run, the error is logged only in the collector log file at the following location:

    C:\ProgramData\One Identity\Active Roles\Logs\Collector\Collector-Active Roles Collector (<task-name>)-<timestamp>.log

  8. In the Select Domains or OUs step, to specify a new domain with the Browse for Container dialog, click Add.

  9. In the Browse for Container dialog, select the domain to use and click OK.

    NOTE: If the domain to select is missing in this dialog, check the following:

    The selected domain will appear in the Select Domains or OUs step.

  10. In the Select Operation Mode step, under Run Active Roles Collector, select On a schedule and name the mode (for example: Daily Collection).

  11. In the Schedule step, to specify a new data collection schedule, click Add.

  12. In the Configure Schedule dialog, configure the schedule with the available settings and click OK.

    TIP: One Identity recommends configuring a daily schedule that runs data collection in off-peak hours to minimize potential performance issues.

  13. When the schedule is configured, it must appear in the Schedule step.

    Under User account under which the task will run, specify the Active Roles Reporting domain service account credentials.

  14. To close the Active Roles Collector and Report Pack setup, click Finish.

    NOTE: The log file of the configured logging operation is stored at the following location by default:

    C:\ProgramData\One Identity\Active Roles\Logs\Collector\Collector-<date>-<time>.log

    The ProgramData folder of the operating system is hidden by default.

  15. Confirm that the configured collection task is listed in the Windows Task Scheduler. Right-click the Windows Start Menu, and navigate to Computer Management > System Tools > Task Scheduler > Task Scheduler Library. In this example, the task is named Active Roles Collector (Daily Collection).

  16. To perform the first data collection run, right-click the Active Roles Collector (Daily Collection) task and select Run.

  17. When the task has completed successfully, configure Active Roles Collector and Report Pack so that it deploys reports to a report server. Open Active Roles Collector and Report Pack again, and in the Select Task step, select Deploy reports to Report Server.

  18. In the Report Server step, specify the Report Server Web Service URL.

    TIP: By default, Active Roles Collector and Report Pack may populate the Report Server Web Service URL field with an https:// scheme. If you use this scheme without a valid certificate and SSL enabled for SQL Server Reporting Services, a Verification Failed error occurs when Active Roles Collector and Report Pack attempts to access the Report Server Web Service.

    To avoid this error, change https:// to http:// in the URL in such cases.

  19. In the Data Source step, click Configure Data Source.

  20. In the Configure Data Source dialog, configure the following settings:

    • Database Type: Select Azure SQL Database.

    • SQL Server: Enter the name of the Azure SQL server provided by One Identity.

    • Database: Enter ActiveRoles_Collector.

    • Connect using: Select SQL Server authentication and enter the Azure SQL login credentials provided by One Identity in the Login and Password fields.

    When ready, click OK to return to the Data Source step. The Database field will display the configured data source.

  21. Active Roles Collector and Report Pack will then start publishing the report definitions. Use the progress bar to check the publish status. When the process is completed:

    • To close the Active Roles Collector and Report Pack, click Finish.

    • To check the log of the procedure, click View log.

    NOTE: The log file of the configured logging operation is stored at the following location by default:

    C:\ProgramData\One Identity\Active Roles\Logs\Collector\Collector-<date>-<time>.log

    The ProgramData folder of the operating system is hidden by default.

  22. To validate that Active Roles is present in the domain and that reporting works as configured, open the SQL Reporting Services web portal with the /Reports path of your Active Roles server (http://<FQDN-of-server>/Reports). Navigate to Active Roles > 7.5.3 > Active Directory Assessment > Domains > Domain Summary, and verify that the page is populated with data reports.

    NOTE: Starting from Active Roles 7.4.4, Internet Explorer is no longer supported by the Active Roles Web Interface. Therefore, One Identity recommends using one of the following supported browsers when using any web-based Active Roles 7.5.3 interfaces:

    • Mozilla Firefox 36 (or newer)

    • Google Chrome 61 (or newer)

    • Microsoft Edge 79 (or newer), based on Chromium

  23. To open the settings of the SQL Reporting Services web portal, click > Site Settings at the top right corner of the page.

  24. To assign administrator privileges to the Active Roles administrators (configured in First-time configuration of Active Roles On Demand) for the configured Active Roles report, navigate to Security > Add group or user.

  25. In the Group or user field, enter the name of the Active Roles Administrators AD group (for example, ARAdmins). Under Role, select the System Administrator role. To close the dialog, click OK.

  26. In the SQL Reporting Services web portal, confirm that the configured administrator group is now listed as System Administrator.

TIP: Even if the Configure Data Source > Database type option of the Active Roles Collector and Report Pack is set to Azure SQL Database, the SQL Reporting Services portal will identify it as Microsoft SQL Server.

This has no impact on the data collection operation, but you can still change the server type designation with the following steps:

  1. On the SQL Reporting Services web interface, navigate to Active Roles > Shared Data Sources > Manage Active Roles 7.5.3 Report Data > Properties.

  2. Under Connection, change the Type from Microsoft SQL Server to Microsoft Azure SQL Database.
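
Because a failed scheduled run is recorded only in the collector log file (see the NOTE in step 7), the check from steps 15 and 16 can be scripted. The following PowerShell is an added example, not part of the One Identity documentation: it looks up the scheduled task, reads its last run result, and searches the newest collector log. The function name Get-CollectorRunStatus is hypothetical, the task name is the one used in this guide, and the 'error' search string is an assumption about the wording of the log.

```powershell
# Added example (not from the One Identity documentation).
# Get-CollectorRunStatus is a hypothetical helper name.
function Get-CollectorRunStatus {
    [CmdletBinding()]
    param(
        # Task name as created in step 10 of this guide.
        [string]$TaskName = 'Active Roles Collector (Daily Collection)',
        # Default collector log folder from the NOTE in step 14.
        [string]$LogDir = (Join-Path $env:ProgramData 'One Identity\Active Roles\Logs\Collector'),
        # Assumption: failed runs write a line containing this text.
        [string]$Pattern = 'error'
    )

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $task) {
        throw "Scheduled task '$TaskName' was not found in Task Scheduler."
    }
    $info = $task | Get-ScheduledTaskInfo

    # ProgramData is hidden in File Explorer, but the path can be read directly.
    $log = Get-ChildItem -Path $LogDir -Filter 'Collector-*.log' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1

    $hits = @()
    if ($log) {
        # -SimpleMatch treats the pattern as literal text; matching is case-insensitive.
        $hits = @(Select-String -LiteralPath $log.FullName -Pattern $Pattern -SimpleMatch)
    }

    [pscustomobject]@{
        TaskName      = $task.TaskName
        RunAsUser     = $task.Principal.UserId
        LastRunTime   = $info.LastRunTime
        # 0 means the last run ended successfully; 0x41303 means it has not run yet.
        LastResultHex = '0x{0:X}' -f $info.LastTaskResult
        LastRunOk     = ($info.LastTaskResult -eq 0)
        NewestLog     = if ($log) { $log.FullName } else { 'no collector log found' }
        ErrorLines    = $hits.Count
        FirstErrors   = $hits | Select-Object -First 5 -ExpandProperty Line
    }
}

Get-CollectorRunStatus | Format-List
```

RunAsUser should show the Active Roles Reporting domain service account specified in step 13.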

Adding the Reporting Link to the Active Roles Console

When the Active Roles Collector and Report Pack is installed and configured, add the reporting link to the Active Roles Console (also known as the MMC Interface).

To add the reporting link to the Active Roles Console

  1. On a workstation where the Active Roles Console is installed, launch the Console from the Windows Start Menu by navigating to One Identity Active Roles 7.5.3 > Active Roles 7.5.3 Console.

  2. In the left pane of the Active Roles Console, navigate to Applications > Reporting, and click To view reports, specify report manager address.

  3. In the Report Manager Address dialog, enter the URL of the Active Roles Reports resource:

    http://<activeroles-server-name>.<domain-name>.com/Reports/browse/Active%20Roles/7.5.3

  4. To apply your changes, click OK.

The Applications > Reporting > View Reports button becomes enabled, allowing you to access the Active Roles reports from the Active Roles Console.

Installing Active Roles Synchronization Service

Optionally, you can install the Active Roles Synchronization Service component to automate identity data synchronization between the data systems used in your organization.

NOTE: If you plan to manage Azure AD or Office 365 operations in your environment, you must install the Active Roles Synchronization Service component.

Prerequisites

Before installing Active Roles Synchronization Service, make sure that the following hardware and software resources are available:

  • An installed, configured and functional on-premises SQL server.

  • An on-premises server to host Active Roles Synchronization Service. This can be the same server that hosts the on-premises Active Roles Reporting components (described in Installing the Active Roles Collector and Report Pack).

  • The following PowerShell modules are available:

    • Exchange Online PowerShell v2 module x64

      NOTE: Use version v2.0.3 of the module.

      To install the module, enter the following command:

      Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3

    • Azure AD Module

      To install the module, enter the following command:

      Install-Module -Name AzureAD

  • .NET Framework 4.7.2 or newer.

  • A domain service account with the required permissions. For more information, see Active Roles KB Article 71413 on the One Identity Support Portal.
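
The module and .NET Framework prerequisites above can be checked on the Synchronization Service host before running the installer. The following PowerShell is an added example, not part of the One Identity documentation; the function name Test-SyncServicePrerequisite is hypothetical, and the .NET check reads the standard Release registry value, where 461808 or higher corresponds to .NET Framework 4.7.2 or newer.

```powershell
# Added example (not from the One Identity documentation).
# Test-SyncServicePrerequisite is a hypothetical helper name.
function Test-SyncServicePrerequisite {
    [CmdletBinding()]
    param()

    # Exchange Online PowerShell v2 module: the guide requires version 2.0.3.
    $exo = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
        Where-Object { $_.Version -eq [version]'2.0.3' } |
        Select-Object -First 1

    # Azure AD module: no version is pinned, so report the newest one installed.
    $aad = Get-Module -ListAvailable -Name AzureAD |
        Sort-Object Version -Descending |
        Select-Object -First 1

    # .NET Framework 4.7.2 or newer has a Release value of 461808 or higher.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release

    # One result object per prerequisite, so the output can be filtered on Passed.
    [pscustomobject]@{
        Check  = 'ExchangeOnlineManagement 2.0.3'
        Passed = [bool]$exo
        Detail = if ($exo) { $exo.ModuleBase } else { 'version 2.0.3 not found' }
    }
    [pscustomobject]@{
        Check  = 'AzureAD module'
        Passed = [bool]$aad
        Detail = if ($aad) { "version $($aad.Version)" } else { 'not found' }
    }
    [pscustomobject]@{
        Check  = '.NET Framework 4.7.2 or newer'
        Passed = ($release -ge 461808)
        Detail = if ($release) { "Release value $release" } else { 'Release value not found' }
    }
}

Test-SyncServicePrerequisite | Format-Table -AutoSize
```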

To install Active Roles Synchronization Service

  1. On the on-premises server that will host the Active Roles Synchronization Service component, navigate to and launch the Synchronization Service installer package. The file is available at the following location of the extracted Active Roles installer (when using the .zip file) or the mounted .iso image:

    \Components\ActiveRoles Synchronization Service\SyncService.msi

    NOTE: The installation will progress without interaction, and will complete without a completion prompt.

  2. To launch the Synchronization Service Configuration Wizard, in the Windows Start Menu, click Active Roles 7.5.3 Synchronization Service.

  3. In the Service Account and Mode step of the Configuration Wizard, configure the following settings:

    • Synchronization Service account: Enter the credentials of the domain service account to use for the Synchronization Service component (for example, ActiveRoles\ar-syncservice).

    • Synchronization Service mode: Select Local.

  4. In the Instance Configuration step, select Create a new configuration and click Next.

  5. In the Database Connection step, configure the following settings:

    • SQL Server: Enter the name of the on-premises Azure SQL server.

    • Database: Enter ActiveRoles_SyncSvcCfg as the database name.

      NOTE: Make sure that you enter the database name exactly as specified above.

  6. Select Store sync data in separate database, and under Synchronization database, enter ActiveRoles_SyncSvcCfg.

    NOTE: Make sure that you enter the database name exactly as specified above.

  7. Select the authentication method (Use Windows authentication or Use SQL Server authentication) preferred to access the on-premises Azure SQL server.

  8. (Optional) In the Configuration File step, set up a password-protected backup of the configuration.

    To specify the location of the configuration file, click Browse. To configure password-protection for the backup, check Protect the file with the following password and enter the password for the file. To complete the configuration, click Finish.

    NOTE: Keep a copy of this file and password in a secure location for future use.

Active Roles then starts the configuration of Synchronization Service. Upon successful completion, the Synchronization Service component will open and will be ready to use.

TIP: For more information about configuring Active Roles Synchronization Service for specific connectors, such as Azure AD or Microsoft 365, see the Active Roles Synchronization Service Administration Guide.
