This document provides a detailed description of Active Roles and its major features available in Active Roles 8.1.5.
The document describes each feature in a separate section containing the following information:
-
Feature name: The name of the feature, indicated in the section title.
-
Description: A detailed description of the feature.
-
Getting started: Information on how to start using the feature. In most cases, this includes references to other Active Roles documents, such as the Administration Guide or the available User Guides, depending on the target users of the feature.
NOTE: Consider the following regarding the Getting started information:
-
Unless indicated otherwise, using the described Active Roles features requires an Active Roles Admin account. By default, an Active Roles Admin is any member of the Administrators local group on the computer running the Active Roles Administration Service.
-
When attempting to use features of the Active Roles Console, make sure that the Console interface is set to "Advanced view mode". To do so, in the View menu, click Mode > Advanced Mode.
Active Roles delivers a reliable, policy-based administration and provisioning solution, allowing enterprises to fully benefit from Active Directory and Microsoft Exchange deployment.
One of the most valuable features of the product is the ability to automate provisioning tasks on directory objects in compliance with corporate administrative policies in corporate Active Directory and Exchange environments.
Active Roles provides consistent enforcement of corporate policies, a role-based administrative model, and flexible, rule-based administrative views, creating a reliable and secure environment for distributed administration and account provisioning.
NOTE: For information on the Active Roles features, see the latest Active Roles Release Notes.
Active Roles provides out-of-the-box user and group account management, strictly enforced administrator-based role security, day-to-day identity administration and built-in auditing and reporting for Active Directory and Azure Active Directory (AD) environments. The following features and capabilities make Active Roles a practical solution for secure management of objects in AD and AD-joined systems:
-
Secure access: Acts as a virtual firewall around AD, enabling you to control access through delegation using a least privilege model. Based on defined administrative policies and associated permissions generates and strictly enforces access rules, eliminating the errors and inconsistencies common with native approaches to AD management. Plus, robust and personalized approval procedures establish an IT process and oversight consistent with business requirements, with responsibility chains that complement the automated management of directory data.
-
Automate object creation: Automates a wide variety of tasks, including:
-
Creating user, groups, and contacts in AD and Azure AD.
-
Creating mailboxes on Exchange Server and assigning licenses in Microsoft 365.
-
Managing on-premises Exchange and Exchange Online properties.
Active Roles also automates the process of reassigning and removing user access rights in AD and AD-joined systems (including user and group deprovisioning) to ensure an efficient and secure administrative process over the user and group lifetimes. When user accesses must be changed or removed, updates are made automatically in Active Directory, Azure AD, Exchange, Exchange Online, SharePoint, Skype for Business, and Windows, as well as any AD-joined systems such as Unix, Linux, and Mac OS X.
-
Day-to-day directory management: Simplifies management of:
-
Exchange recipients, including mailbox assignment, creation, movement, deletion, permissions, and distribution list management.
-
Groups
-
IT resources, including computers, shared folders, printers, local users and groups.
-
AD, Azure AD, Exchange Online and AD LDS resources.
Active Roles also includes intuitive interfaces for improving day-to-day administration and help desk operations via an MMC snap-in known as the Active Roles Console and a Web Interface.
-
Manage users, groups, and contacts in a hosted environment: Provides to operate in hosted environments where accounts from client AD domains are synchronized with host domains. Active Roles enables user, group, and contact management from the client domain to the hosted domain, while also synchronizing attributes and passwords.
-
Consolidate management points through integration: Complements your existing technology and identity and access management strategy. Simplifies and consolidates management points by ensuring easy integration with many One Identity products and Quest products, including One Identity Manager, Safeguard Authentication Services, Defender, ChangeAuditor, and GPO Admin. Active Roles also automates and extends the capabilities of PowerShell, ADSI Provider, and the customizable Web Interface.
Active Roles divides the workload of directory administration and provisioning into three functional layers—presentation components, service components, and network data sources.
Figure 1: Active Roles Components
The presentation components include client interfaces for the Windows platform and the web, which allow regular users to perform a precisely defined set of administrative activities. The reporting solution facilitates automated generation of reports on management activities.
The service components constitute a secure layer between administrators and managed data sources. This layer ensures consistent policy enforcement, provides advanced automation capabilities, and enables the integration of business processes for administration of Active Directory, Microsoft Exchange, and other corporate data sources.
The Administration Database stores information about all permission and policy settings, and other data related to the Active Roles configuration.
On a very high level, the Active Roles components work together as follows to manipulate directory data:
-
An administrator uses the Active Roles Console or Web Interface to access Active Roles.
-
The administrator submits an operation request, such as a query or data change to the Administration Service.
-
On receipt of the operation request, the Administration Service checks whether the administrator has sufficient permissions to perform the requested operation (access check).
-
The Administration Service ensures that the requested operation does not violate the corporate policies (policy enforcement).
-
The Administration Service performs all actions required by the corporate policies, before committing the request (policy enforcement).
-
The Administration Service issues operating system function calls to perform the requested operation on network data sources.
-
The Administration Service performs all related actions required by the corporate policies, after the request is processed by the operating system (policy enforcement).
-
The Administration Service generates an audit trail that includes records about all operations performed or attempted with Active Roles. Directory-change tracking reports are based on the audit trail.