지금 지원 담당자와 채팅
지원 담당자와 채팅

Active Roles 7.4.1 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 License Management Office 365 Roles Management User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure_Overview
Config ARS to Manage Hybrid AD Objects Managing Hybrid AD Users Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Azure O365 or Unified Groups
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling delegation for Federated Authentication

Step 2: Applying the Policy Object

Step 2: Applying the Policy Object

You can apply the Policy Object without closing its Properties dialog box. Go to the Scope tab and do the following:

  1. On the Scope tab, click the Scope button to display the Active Roles Policy Scope window for the Policy Object you are managing.
  2. Click Add and select the domain, OU, or Managed Unit where you want to apply the policy.

    You can also use the Remove button to remove items where you want the policy to no longer be applied.

  1. Click OK to close the Active Roles Policy Scope window.
  2. Click OK to close the Properties dialog box for the Policy Object.

For more information on how to apply a Policy Object, see Applying Policy Objects and Managing policy scope earlier in this chapter.

User Logon Name Generation

Policies of this category are intended to automate the assignment of the pre-Windows 2000 user logon name when creating or modifying a user account, with flexible options to ensure uniqueness of the policy-generated name.

The ability to generate a unique name is essential. If Active Roles attempts to assign a policy-generated name when there is an existing user account with the same pre-Windows 2000 user logon name, a naming conflict will occur. Active Directory does not support multiple accounts with the same pre-Windows 2000 user logon name. A policy can be configured to generate a series of names in order to prevent naming conflicts with existing accounts.

When configuring a policy of this category, you can define multiple rules so that the policy applies them successively, attempting to generate a unique name in the event of a naming conflict. You can also configure a rule to include an incremental numeric value to ensure uniqueness of the policy-generated name. You also have the option to allow policy-generated names to be modified by operators who create or update user accounts.

How this policy works

When creating a user account, Active Roles relies on this policy to assign a certain pre-Windows 2000 user logon name to the user account. The policy generates the name based on properties of the user account being created. A policy may include one or more rules that construct the name value as a concatenation of entries that are similar to those you encounter when using a Property Generation and Validation policy.

A special entry—uniqueness number—is provided to help make the policy-generated name unique. A uniqueness number entry represents a numeric value the policy will increment in the event of a naming conflict. For example, a policy may provide the option to change the new name from JSmith to J1Smith if there is an existing user account with the pre-Windows 2000 user logon name set to JSmith. If the name J1Smith is also in use, the new name can be changed to J2Smith, and so on.

The policy configuration provides the option to allow or disallow manual edits of policy-generated names. Permission to modify a policy-generated name can be restricted to the case where the name is in use by another account.

Some specific features of the policy behavior are as follows:

  • With a single rule that does not use a uniqueness number, Active Roles simply attempts to assign the generated name to the user account. The operation may fail if the generated name is not unique, that is, the same pre-Windows 2000 user logon name is already assigned to a different user account. If the policy allows manual edits of policy-generated names, the name can be corrected by the operator who creates the user account.
  • With multiple rules or with a rule that uses a uniqueness number, Active Roles adds a button at the client side, next to the User logon name (pre-Windows 2000) field on the user creation and modification forms.
  • To generate a name, the client user (operator) must click that button, which also serves the situation where the generated name is in use. Clicking the Generate button applies a subsequent rule or increases the uniqueness number by one, thereby allowing the name to be made unique.
  • The policy defines a list of characters that are unacceptable in pre-Windows 2000 user logon names. The following characters are not allowed: " / \ [ ] : ; | = , + * ? < >
  • The policy causes Active Roles to deny processing of operation requests that assign the “empty” value to the pre-Windows 2000 user logon name.
  • When checking user accounts for policy compliance (see later in this document), Active Roles detects, and reports of, the pre-Windows 2000 user logon names that are set up not as prescribed by the user logon name generation policy.

How to configure a User Logon Name Generation policy

To configure a User Logon Name Generation policy, select User Logon Name Generation on the Policy to Configure page in the New Provisioning Policy Object wizard or in the Add Provisioning Policy wizard. Then, click Next to display the User Logon Name (pre-Windows 2000) Generation Rules page:

Figure 44: New Provisioning Policy Object wizard

On the User Logon Name (pre-Windows 2000) Generation Rules page, you can set up a list of generation rules. Each entry in the list includes the following information:

  • Priority  The policy applies generation rules in the order of their priority, as they stand in the list: first read, first applied.
  • Rule  Syntax that defines the rule.
  • Uniqueness Number  Displays Yes or No, indicating whether the rule includes a uniqueness number entry.

You can use these buttons manage the list of rules:

  • Add  Opens the Configure Value dialog box, discussed earlier in this chapter (see How to configure a Property Generation and Validation policy). Use that dialog box to configure a value for the ‘Logon Name (pre-Windows 2000)’ must be condition, in the same way as you do when configuring a Property Generation and Validation policy. For more information, see Configuring a logon name generation rule later in this section.
  • Remove  Deletes the rules you select from the list.
  • View/Edit  Opens the Configure Value dialog box for the rule you select from the list. Modify the selected rule by managing the list of entries in that dialog box.
  • Up and Down  Change the order of rules in the list. Click Up or Down to move a selected rule higher or lower in the list to give the rule a higher or lower priority, respectively.
  • Advanced  Set certain options that apply to all rules in the list, such as the maximum length of the generated name, whether to format the name as the uppercase or lowercase string, the scope where you want the generated name to be unique, and the characters to be excluded from the generated names.

By selecting the Allow manual edits of pre-Windows 2000 logon name check box, you authorize the operator who creates or updates the user account to make changes to the policy-generated name. If this check box is cleared, Active Roles displays the User logon name (pre-Windows 2000) field as read-only on the user creation and modification forms.

By selecting the Always option, you authorize the operator to modify the pre-Windows 2000 logon name at his or her discretion. With the option Only if a unique name cannot be generated by this policy, you limit manual changes to the situation where a unique name cannot be generated in accordance with the policy rules.

관련 문서