지금 지원 담당자와 채팅
지원 담당자와 채팅

Active Roles 8.1.5 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

SPML Provider samples of use

SPML Provider implements the SPML v2 core protocol and supports the DSML v2 Profile for SPML operations. SPML Provider comes with a sample client that includes examples illustrating how to construct SOAP messages that contain SPML payloads to perform common directory operations.

To work with the examples in the SPML Provider sample client

  1. From the Start menu on the computer on which SPML Provider is installed, select Active Roles SPML Provider to open the home page of the sample client in your web browser.

  2. On the Samples of Use home page, under How do I, click the example you want to examine.

    For instance, you might click Create new user to view, modify, and perform the SPML v2 request that creates a user object.

  3. On the page that opens, in the SPMLv2 request box, view the SOAP message that will be sent to SPML Provider.

    You may need to modify the SOAP message in order to adjust it to your environment. Thus, with the Create new user example, you have to set the ID attribute of the <ContainerID> element to the distinguished name (DN) of the container where you want to create a new user.

  4. To send the SOAP message to SPML Provider, click Send Request.

  5. In the SPMLv2 response box, view the SOAP message returned by SPML Provider in response to your request.

  6. To examine another example, return to the home page, then click the desired example.

SPML Provider configuration settings in the sample.config file

You can set SPML Provider configuration options in a sample client configuration file. This is useful to test the SPML Provider functionality before live deployment. Administrators can, for example, specify the desired settings for the sample container object (OU) that will be used in sample SPML v2 operations.

The configuration settings of the SPML Provider sample client can be found in the sample.config file located in the Samples sub-folder of the SPML Provider installation folder.

The sample.config file contains data in XML format. You can open and edit the configuration file with any common text editor, such as Notepad. The default configuration settings in the sample.config file look as follows:

<samples>
<server>localhost</server>
<url>ARServerSPML/spmlprovider.asmx</url>
<sampleContainerName>OU=MyOU,DC=Company,DC=com</sampleContainerName>
</samples>

The following table provides reference information for the XML elements used in the sample.config file.

Table 101: XML elements used in the sample.config. file

Element

Parent element

Description

server

samples

Specifies the name of the computer running SPML Provider.

url

samples

Specifies Web address of SPML Provider. The default address is ARServerSPML/spmlprovider.asmx.

sampleContainerName

samples

Specifies the distinguished name of the container (OU) used in the sample SPML v.2 requests.

Core SPML Provider operation samples

The following table lists all examples included in the SPML Provider core operation samples.

Table 102: Core operation samples

Operation

Description

List targets available for provisioning with SPML Provider

This example illustrates how to retrieve the targets available for provisioning with SPML Provider.

To do this, SPML Provider performs the listTargets operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <listTargetsRequest> element asks SPML Provider to declare the set of targets that SPML Provider exposes for provisioning operations.

The response lists the supported targets, including the schema definitions for each target and the set of capabilities that SPML Provider supports for each target. The contents of the <listTargetsResponse> element conform to the OASIS SPML v2 specification.

Create new user

Create new user (using direct access mode)

These examples illustrate how to create a user account object in two operation modes.

To create a new object, SPML Provider performs the add operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <addRequest> element asks SPML Provider to create a new object.

  • The <containerID> element specifies the distinguished name of the container in which to create the new object.

  • The <data> element encloses the elements that specify attribute values on the new object. Thus, in accordance with the objectClass attribute value, SPML Provider is requested to create a user account.

The operation response indicates whether the user account is successfully created.

NOTE: To provision a user account in direct access mode, perform the following steps:

  1. Create a request to create a new user account, as described above.

  2. Create a request to set the user password (see Set user password in Password capability samples.

  3. Create a request to enable the user account (see Resume user account in Suspend capability samples).

Create new user (approval aware)

This example illustrates how to create a user account if this operation is subject to approval by designated approvers. For more information about approval activities and workflows, see Workflows.

If the creation of user is subject to approval, to perform the operation, your SPML request must contain the AllowApproval built-in control. For information about how to use controls in SPML requests, see Active Roles controls supported by SPML Provider.

To create a new object, SPML Provider performs the add operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <addRequest> element asks SPML Provider to create a new object.

  • The <controls> element includes the child element <control> that sets the AllowApproval control to the Confirm value.

  • The <controlsForOutput> element includes the child element <control>, which specifies that the OperationStatus control will be returned with the SPML response.

  • The <containerID> element specifies the distinguished name of the container in which to create the new object.

  • The <data> element encloses the elements that specify attribute values on the new object. Thus, in accordance with the objectClass attribute value, SPML Provider is requested to create a user account.

The operation response contains the OperationStatus control value that indicates the creation operation status. For example, if the user creation operation is subject to approval, the OperationStatus control returns the Pending value. In this case, the operation is waiting for approval by designated approvers. For more information about possible values of the OperationStatus control, see the Active Roles SDK documentation.

Create a user whose logon name is not in compliance with Active Roles policies

This example illustrates an attempt to create a new user account whose logon name does not conform to the Active Roles policies.

Because the user logon name does not conform to the Active Roles policies, the creation operation fails and the operation response includes an error message returned by Active Roles. For example, an attempt to set the sAMAccountName attribute to a string of more than 20 characters causes the user creation operation to fail, with the response containing a message that provides some details on the error condition.

Create new group

This example illustrates how to create the group object SPMLGroup in the mycompany.com domain.

To create a new object, SPML Provider performs the add operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <addRequest> element asks SPML Provider to create a new object.

  • The <psoID> element specifies the distinguished name of the object to be created.

  • The <data> element encloses the elements that specify attribute values on the new object. Thus, in accordance with the objectClass attribute value, SPML Provider is requested to create a group object.

Modify user attributes

This example illustrates how to modify the description attribute of the John Smith user object in the mycompany.com domain.

To modify the object attribute, SPML Provider performs the modify operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <modifyRequest> element asks SPML Provider to make changes to a specified object.

  • The <psoID> element specifies the distinguished name of the user account to be modified.

  • The <modification> element specifies the type of change as replace, causing the new values to replace the existing attribute values.

  • The <data> element encloses the elements that specify the new attribute values.

Modify Shared mailbox user permissions

Modify or replace the edsaUserMailboxSecurityDescriptorSddl attribute of the Shared mailbox object.

To modify the object attribute, SPML Provider performs the modify operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <modifyRequest> element asks SPML Provider to make changes to a specified object.

  • The <psoID> element specifies the distinguished name of the user account to be modified.

  • The <modification> element specifies the type of change as replace, causing the new values to replace the existing attribute values.

  • The <data> element encloses the elements that specify the new attribute values, in SDDL format along with the SID of the user specified.

For an example, see Sample SPML Provider request to modify shared mailbox user permissions.

Add user to group

This example illustrates how to add the John Smith user account to the SPMLGroup group object in the mycompany.com domain.

To do this, SPML Provider performs the modify operation.

  • The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <modifyRequest> element asks SPML Provider to make changes to a specified object.

  • The <psoID> element specifies the distinguished name of the group object to be modified.

  • The <modification> element specifies the type of change as add, causing the new values to be appended to the existing attribute values.

  • The <data> element encloses the elements that specify the distinguished name of the user account to be appended to the existing values of the member attribute.

Look up user attributes

This example illustrates how to get the XML representation of the John Smith user account in the mycompany.com domain.

To get the XML representation of an object, SPML Provider performs the lookup operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <lookupRequest> element asks SPML Provider to return the XML document that represents a specified object.

  • The <psoID> element specifies the distinguished name of the object.

The response contains the object identifier, the XML representation of the object and its attributes, and information about SPML Provider capabilities that are supported on the object (the capability-specific data that is associated with the object).

Delete user

This example illustrates how to delete the John Smith user account.

To do this, SPML Provider performs the delete operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <deleteRequest> element asks SPML Provider to delete a specified object.

  • The <psoID> element specifies the distinguished name of the user account to delete.

Delete group

This example illustrates how to delete the SPMLGroup group object in the mycompany.com domain.

To do this, SPML Provider performs the delete operation.

The request message includes the following XML elements:

  • The <soap:Envelope> and <soap:Body> SOAP elements enclose the SPML payload.

  • The <deleteRequest> element asks SPML Provider to delete a specified object.

  • The <psoID> element specifies the distinguished name of the group object to delete.

Sample SPML Provider request to modify shared mailbox user permissions

This section provides a sample request that shows how to use Active Roles controls in your SPML requests to modify shared mailbox user permissions.

<?xml version="1.0"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<spml:modifyRequest xmlns:spml="urn:oasis:names:tc:SPML:2:0">
<spml:psoID ID="CN=shmb1,OU=NOV_OU,DC=ars,DC=cork,DC=lab,DC=local"/>
<spml:modification>
<modification name="edsaUserMailboxSecurityDescriptorSddl" operation="replace" xmlns="urn:oasis:names:tc:DSML:2:0:core">
<value>O:PSG:PSD:AI(A;CI;RC;;;S-1-5-21-2064067869-2662360268-1970296196-3772)(A;CI;RC;;;S-1-5-21-2064067869-2662360268-1970296196-3773)
</value>
</modification>
</spml:modification>
</spml:modifyRequest>
</soap:Body>
</soap:Envelope>
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택