
Identity Manager 8.2.1 - Administration Guide for Active Roles Integration


Managing Active Directory objects

You can set up organizational units in a hierarchical container structure in One Identity Manager. Organizational units (divisions or departments) are used to logically organize Active Directory objects like user accounts and groups, thus simplifying administration.

NOTE: In the following, you are provided with details about the special features of managing Active Directory objects using Active Roles. For more information about managing Active Directory with One Identity Manager, see the One Identity Manager Administration Guide for Connecting to Active Directory.


Adding Active Directory groups automatically to the IT Shop

In the One Identity Manager Active Directory Edition there is direct support for transferring Active Roles Self-Service Manager functionality to the One Identity Manager IT Shop.

If you are using the One Identity Manager Edition, run the following steps before initial synchronization.

To add groups automatically to the IT Shop

  1. In the Designer, set the QER | ITShop | AutoPublish | ADSGroup configuration parameter.

  2. In the Designer, set the QER | ITShop | AutoPublish | ADSGroup | ExcludeList configuration parameter and specify the Active Directory groups that are not to be added automatically to the IT Shop.

    Example:

    .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

  3. In the Designer, set the TargetSystem | ADS | ARS_SSM configuration parameter.

  4. (Optional) In the Designer, set the QER | ITShop | AutoPublish | ADSGroup | AutoFillDisplayName configuration parameter.

    If the configuration parameter is set, a display name is created for Active Directory groups that do not have one yet. The display name is necessary, for example, to display the group in the Web Portal. In an Active Directory domain managed through Active Roles, the display name is formatted only for groups that are published in Active Roles Self-Service Manager.

  5. Compile the database.

The system entitlements are added automatically to the IT Shop from now on.

The following steps are run to add a group to the IT Shop.

  1. A service item is determined for the system entitlement.

    The service item is tested for each system entitlement and modified if required. The name of the service item corresponds to the name of the system entitlement.

    • The service item is modified if the system entitlement has a service item.

    • System entitlements without a service item are allocated a new service item.

    • The service item is enabled or disabled depending on whether the system entitlement is published in Active Roles Self-Service Manager.

  2. The service item is assigned to one of the default service categories.

  3. An application role for product owners is determined and the service item is assigned.

    Product owners can approve requests for membership in these system entitlements. By default, the account manager of a system entitlement is determined as the product owner.

    NOTE: The application role for the product owner must be added under the Request & Fulfillment | IT Shop | Product owner application role.

    • If the account manager of the system entitlement is already a member of an application role for product owners, this application role is assigned to the service item. Therefore, all members of this application role become product owners of the system entitlement.

    • If the account manager of the system entitlement is not yet a member of an application role for product owners, a new application role is created. The name of the application role corresponds to the name of the account manager.

      • If the account manager is a user account or a contact, the user account's employee or the contact's employee is added to the application role.

      • If it is a group of account managers, the employees of all this group's user accounts are added to the application role.

    • If the system entitlement does not have an account manager, the Request & Fulfillment | IT Shop | Product owner | Without owner in AD default application role is used.

  4. The system entitlement is labeled with the IT Shop option and assigned to the Active Directory groups IT Shop shelf in the Identity & Access Lifecycle shop.
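The following is an added example (not code from the One Identity Manager product) that models the steps above as plain Python: the exclude list from step 2 is applied, and the service item and product owner application role are determined for each group. It assumes the ExcludeList regular expression is matched against the whole group name, and uses constructed group and role data.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Exclude list as given in the guide's example for
# QER | ITShop | AutoPublish | ADSGroup | ExcludeList.
EXCLUDE_LIST = r".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"
DEFAULT_OWNER_ROLE = "Without owner in AD"   # fallback role named in step 3

@dataclass
class Group:
    name: str
    published_in_ssm: bool                   # "Group is published to Self-Service Manager"
    account_manager: Optional[str] = None    # display name of the manager object, if any
    manager_employees: Tuple[str, ...] = ()  # employee(s) behind that manager object

def is_excluded(name: str, exclude_list: str = EXCLUDE_LIST) -> bool:
    # Assumption: the exclude list is one regex matched against the full name.
    return re.fullmatch(exclude_list, name) is not None

def product_owner_role(group: Group, owner_roles: dict) -> str:
    """Step 3: pick an existing product-owner role, create one, or use the default.
    owner_roles maps role name -> set of member employees and is updated in place."""
    if group.account_manager is None:
        return DEFAULT_OWNER_ROLE
    for role, members in owner_roles.items():
        if any(emp in members for emp in group.manager_employees):
            return role                      # manager already owns via this role
    # New role named after the account manager; its employees become members.
    owner_roles[group.account_manager] = set(group.manager_employees)
    return group.account_manager

def auto_publish(group: Group, owner_roles: dict) -> Optional[dict]:
    """Steps 1-4 for one group; returns the resulting service item, or None if excluded."""
    if is_excluded(group.name):
        return None
    return {
        "service_item": group.name,                   # name follows the entitlement
        "enabled": group.published_in_ssm,            # enabled only if published in SSM
        "category": "Active Directory groups",
        "product_owner": product_owner_role(group, owner_roles),
        "it_shop": True,
        "shelf": "Active Directory groups",
    }

# Constructed sample data: one excluded group, one whose manager already owns a role,
# one managed by a group of managers, and one without an account manager.
SAMPLE_GROUPS = [
    Group("Domain Admins", True, "Alice Adams", ("Alice Adams",)),
    Group("Sales-Team", True, "Bob Brown", ("Bob Brown",)),
    Group("HR-Readers", False, "HR-Managers", ("Carol Cole", "Dan Dale")),
    Group("Legacy-Share", True),
]

def run(groups=SAMPLE_GROUPS):
    roles = {"Finance owners": {"Bob Brown"}}   # pre-existing product-owner role
    return {g.name: auto_publish(g, roles) for g in groups}, roles
```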

Subsequently, the shop's customers can request memberships in the system entitlement through the Web Portal.

NOTE: When a system entitlement is irrevocably deleted from the One Identity Manager database, the associated service item is also deleted.


Requesting Active Directory groups through the Web Portal

NOTE: If you request group membership, see Approval of Active Directory group membership requests in the default installation.

To request a new Active Directory group

  • In the Web Portal, in the Service catalog > Requests menu, select the service category Active Directory groups.

  • Request the Active Directory group using the New Active Directory distribution list or the New Active Directory security group product.

The following steps are automatically run when you request a new Active Directory group:

  • An entry is created for the Active Directory group in One Identity Manager.

  • The Active Directory group is labeled with the Group is published to Self-Service Manager option.

  • The Active Directory group is labeled with the IT Shop option.

  • The associated service item is created. A new application role is set up with the requester as member. The application role is entered as product owner in the service item.

    Through this procedure, the Active Directory group requester has approval permissions for requesting memberships in this Active Directory group.

  • The Active Directory group is assigned to the shelf Active Directory groups in the Identity & Access Lifecycle default shop.

Active Directory group membership can then be requested by customers of this shop through the Web Portal.

NOTE: If an Active Directory group is permanently deleted from the One Identity Manager database, the associated service item is also deleted.


Active Roles specific extensions for Active Directory groups

Additional Active Directory group main data is mapped for Active Roles. For more information about managing Active Directory groups in One Identity Manager, see the One Identity Manager Administration Guide for Connecting to Active Directory.

To display Active Roles group data ascertained from Active Directory

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Change main data task.

  4. Select the Active Roles tab.

The following properties are displayed:

Table 8: Active Roles specific properties of an Active Directory group
Property Description

Group is published to Self-Service Manager

If an Active Directory group is published, the Active Directory group can be requested in the Web Portal immediately after successful synchronization. The data is loaded from Active Roles on synchronization. This information is published when an Active Directory group is added through the Web Portal in order to start other workflows in Active Roles if necessary.

Approval by the group owner

Specifies whether the Active Directory group owner (account manager) must approve group membership. The information affects the approval workflow in the IT Shop.

Approval by an additional owner of the group

Specifies whether the additional Active Directory group owner must approve group membership. The information affects the approval workflow in the IT Shop.

Dynamic group

Specifies whether members in this group are determined dynamically in Active Roles. Manual changes to memberships are not permitted.

Controlled group

Specifies whether the group is controlled by Active Roles. The group belongs to a Group Family in Active Roles. Memberships are regulated by the target system. Manual changes to memberships are not permitted.

Group Family

Specifies whether this group represents a Group Family in Active Roles. Group Family automatically creates groups and manages memberships in accordance with configurable rules in Active Roles. Manual changes to memberships are not permitted.

Additional owners

List of additional owners. Active Directory groups or Active Directory user accounts are permitted.

Deprovisioning status

Status of deprovisioning sequence through Active Roles when an object is deleted. The data is loaded from Active Roles on synchronization.

  • No deprovisioning: The Active Directory object is active.

  • Deprovisioning successful: The Active Directory object was successfully deprovisioned.

  • Deprovisioning failed: An error occurred while deprovisioning the Active Directory object.

Deprovisioning date

Status of the deprovisioning sequence through Active Roles when an object is deleted. The information is loaded from Active Roles during synchronization.
