Active Roles 7.4.1 - Administration Guide

Step 4. Create Access Rule

Use the Active Roles console to create an Access Rule object with a conditional expression that evaluates to TRUE if the Department claim of the authorizing user evaluates exactly to the Department property of the target object:

1. In the console tree, expand the Configuration node, right-click the Access Rules container, and select New | Access Rule.
2. On the General page, type Department Admins in the Name field, and then click Next.
3. On the Conditions page, configure the conditional expression:
   1. Click the AND group item, and then click Insert condition.
   2. Click Configure condition to evaluate, and then click User claim.
   3. On the Select Claim Type page that appears, click Department in the list of claim types, and then click OK.
   4. Verify that the comparison operator reads equals (this is the default setting).
   5. Click Define value to compare to, and then click Target object property.
   6. On the Select Target Object Property page that appears, select the Department property, and then click OK.
4. Click Finish.

Step 5. Apply Access Rule

To apply the Access Rule you created in Step 4, you first need to delegate control by using an Access Template, and then attach the Access Rule to the Access Template link. Create a security group to hold your delegated administrators, and perform the following steps in the Active Roles console:

1. In the console tree, under the Active Directory node, right-click the name of your domain, and then click Delegate Control.
2. On the Active Roles Security page that appears, click Add to start the Delegation of Control wizard.
3. Follow the wizard pages:
   1. On the Users or Groups page, click Add, and select the security group that holds your delegated administrators. Click Next.
   2. On the Access Templates page, expand the Active Directory node, and select the OUs - Read All Properties and Users - Modify All Properties check boxes. Click Next.
   3. On the remaining pages, click Next to accept the default settings.
   4. On the completion page, click Finish.

   You will apply the Access Rule to the Users - Modify All Properties Access Template link. The OUs - Read All Properties Access Template enables the delegated administrators to browse the domain for user objects.

4. Click OK to close the Active Roles Security page. This will create the Access Template links.
5. Right-click the name of your Active Directory domain and click Active Roles Security to open the Active Roles Security page again.
6. On the Active Roles Security page, select the Users - Modify All Properties Access Template link and then click View/Edit.
7. On the Access Rule tab in dialog box that appears, click the Change button, select the Department Admins Access Rule, click OK to close the Select an Access Rule page, and then click OK to close the dialog box.
8. Click OK to close the Active Roles Security page.

After you have completed these steps, Active Roles allows a delegated administrator to make changes to only those user accounts that have the same department setting as the delegated administrator’s account.

Rule-based AutoProvisioning and Deprovisioning

• About Policy Objects
• Policy Object management tasks
• Policy configuration tasks
• Deployment considerations
• Checking for policy compliance
• Deprovisioning users or groups
• Restoring deprovisioned users or groups
• Container Deletion Prevention policy
• Picture management rules
• Policy extensions

About Policy Objects

Active Directory enables delegation of control with very fine granularity. However, the ability to restrict access may not be sufficient.

Many directory administration activities exhibit a predefined workflow. This workflow involves accomplishing a number of tasks in a particular sequence. Administrators and other personnel have to perform almost identical tasks repeatedly. Some examples are creating user accounts, resetting passwords, disabling inactive user accounts, and enforcing user naming conventions.

Active Roles provides a policy-based administration solution that meets the needs of modern enterprises. The administrative policy enforcement featured by Active Roles considerably reduces administrative workload, improves network security, and ensures consistency across the entire enterprise. Automating administrative workflow significantly reduces the amount of time to complete tasks and can eliminate certain tasks altogether. It also minimizes errors, reduces the need for rework, and combines related actions into a single batch.

Active Roles provides the facility to specify how, when, and what must change, whenever directory objects are created, modified, or deleted. Furthermore, it is possible to configure Active Roles to only accept data changes that conform to certain formatting requirements. This helps maintain control of the data stored in the directory.

For example, when creating a user account for a new employee, Active Roles can automatically retrieve information from a Human Resources database, use it as the default information in the user account properties, create a home folder and home share, and add the new account to the necessary groups. Moreover, it can create an Exchange mailbox and add the mailbox to the relevant distribution lists. This entire procedure equates to one task, but without Active Roles, it could be ten or more.

With the ability to enforce administrative policies and automate administrative workflow, Active Roles not only saves time, but also keeps network objects in a consistent state in relations to each defined policy. This addresses important security, usability, and integrity issues that are central to the management of network object data.

In Active Roles, administrative policies are defined by using Policy Objects—collections of policies. Policy Objects define the behavior of the system when directory objects are created, modified, or deleted.

You can create a Policy Object that includes any number of different policies, such as format validation, generation rules for the values of object attributes, scripts that supplement administrative operations, automatic creation of user mailboxes on prescribed Exchange servers, automatic creation of user home folders and home shares, and relocation of an object to a specified container when it meets certain criteria.

Active Roles provides extensive capabilities for automating administrative processes. Policy Objects can run customizable scripts before or after the execution of any specific task, and multiple tasks can be combined into one operation. This functionality significantly reduces the amount of time to complete administrative tasks, and minimizes errors.

Through the use of Policy Objects, Active Roles automates user provisioning tasks to reduce your administrative workload and get new users up and running faster. It automates reprovisioning and deprovisioning as well, so when a user’s access needs to be changed or removed, updates in Active Directory, Exchange, and Windows are made automatically, thereby reducing administrative workloads and making users more productive faster.

To help you configure and apply Policy Objects, they are broken into two categories:

• Provisioning Policy Objects  These are used to specify provisioning rules, including the population and validation of directory data, creation of resources such as home folders and mailboxes, and provision of access to resources.
• Deprovisioning Policy Objects  These are used to specify deprovisioning rules, including the removal of user and e-mail accounts, home folders, security and distribution lists, and application access upon requests to deprovision users or groups.

It is possible to create and apply any number of Policy Objects in each category.