Chat now with support
Chat with Support

Active Roles 7.2.1 - Administrator Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning Home Folder AutoProvisioning Script Execution User Account Deprovisioning Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Configuring replication Using AlwaysOn Availability Groups Using database mirroring Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
Using regular expressions Administrative Template Communication ports

Steps for modifying policies in a Policy Object

To view or modify a policy in a Policy Object

  1. In the console tree, under Configuration | Policies | Administration, locate and select the folder that contains the Policy Object you want to examine.
  2. In the details pane, right-click the Policy Object, and then click Properties.
  3. On the Policies tab, select the policy you want to view or modify, and click View/Edit.
  4. Use the tabs in the Policy Properties dialog box to view or modify policy settings.

The tabs in the Policy Properties dialog box provide the same options as the wizard for configuring the policy. See Policy configuration tasks for information about the options specific to each type of policy.

NOTE:

  • The Policies tab lists the policies that are configured in the Policy Object. You can use the Policies tab to add, modify, or delete policies from the Policy Object.
  • Active Roles processes policies in the order they are listed on the Policies tab. To change the order, select a policy and click or to move the policy up or down in the list.

Steps for removing policies from a Policy Object

To delete a policy from a Policy Object

  1. In the console tree, under Configuration | Policies | Administration, locate and select the folder that contains the Policy Object you want to modify.
  2. In the details pane, right-click the Policy Object, and then click Properties.
  3. On the Policies tab, select the policy you want to delete, click Remove, and then click Yes to confirm the deletion.

NOTE:

  • The Policies tab lists the policies that are configured in the Policy Object. You can use the Policies tab to add, modify, or delete policies from the Policy Object.
  • Once a Policy Object is applied within Active Roles to determine policy settings in the directory, any changes to the list of policies in the Policy Object causes the policy settings in the directory to change accordingly.

Applying Policy Objects

Implementing a policy to enforce business rules is a two-phase process of which configuring the policy within a Policy Object is only the first step. When you create a new policy, you select a policy type from the available options and then define the options that make up the policy. The second step is to use the Active Roles console to enforce the policy on the desired areas of the directory.

Active Roles allows policies to be enforced on any directory object—an administrative view (Managed Unit), a directory folder (container), or an individual (leaf) object. Policies are enforced by applying (linking) a Policy Object that holds the policies.

When you apply a Policy Object to a Managed Unit or directory folder, the policies control the objects in that Unit or folder as well as the Unit or folder itself. When you apply a Policy Object to a leaf object, such as a user or group, the policies only control that object. For example, applying a Policy Object to a group does not affect the members of the group.

The objects that are subject to a given Policy Object, that is, the objects under control of the policies defined in that Policy Object, are collectively referred to as policy scope. For example, if you apply a Policy Object to a Managed Unit, the policy scope is comprised of the objects within the Managed Unit.

Thus, the policy scope normally includes all objects that reside in a container or Managed Unit to which the Policy Object is applied. However, sometimes there is a need to exclude individual objects or sub-containers from the policy scope, thereby preventing certain objects from being affected by policies.

Active Roles gives you the option to selectively exclude objects or entire containers from the policy scope. You can block policy inheritance on individual objects or containers, refining the policy scope. The option to block policy inheritance is discussed later in this section (see Managing policy scope later in this chapter).

To apply a Policy Object, you can start from any of the following points:

  • Policy Object  Add Managed Units or containers to the policy scope of the Policy Object.
  • Directory object  Add the Policy Object to the policy list for the directory object.

The following two sections elaborate on each of these options.

Adding Managed Units or containers to policy scope

You can add administrative views (Managed Units) and directory folders (containers) to the policy scope of a given Policy Object in these ways:

  • Right-click the Policy Object and click Policy Scope. Then, in the Active Roles Policy Scope window, click the Add button.
  • Ensure that Advanced Details Pane is checked on the View menu. Then, select the Policy Object. On the Active Roles Policy Scope tab in the details pane, right-click a blank area and click Add.

In both cases, clicking Add displays the Select Objects window where you can select containers and Managed Units. To build a list of containers from which to select, click the Browse button and select Active Directory or a container in the hierarchy under Active Directory. The list looks similar to the following figure:

Figure 26: Policy objects

To build a list of Managed Units from which to select, click the Browse button and select Managed Units or a container in the hierarchy under Managed Units. The list looks similar to the following figure:

Figure 27: Managed units

In the Select Objects window, select containers or Managed Units from the list and click the Add button to build the resultant list of items. When finished, click OK.

Related Documents