
Active Roles 7.2.1 - Administrator Guide


Entry type: Mask

When you select Mask under Entry type in the Add Entry window, the Entry properties area looks similar to the following figure.

Figure 39: Add Entry: Mask

With this entry type, you can define which characters (letters, numerals) are acceptable in the entry you add to the value of the controlled property.

If you want to allow the entry to include any series of characters, click Any characters or no characters.

If you want to specify a maximum number of allowed characters the entry may include, click At most the specified number of characters. In the Number of characters box, specify the number of allowed characters. The entry may include any number of characters not exceeding the specified number. Under Allowed characters, select check boxes to specify the allowed characters.

If you want to specify an exact number of allowed characters that the entry must include, click Exactly the specified number of characters. In the Number of characters box, specify the number of allowed characters. The entry must include exactly the specified number of characters. Under Allowed characters, select check boxes to specify the allowed characters.

When you are done configuring an entry, click OK to close the Add Entry window. The entry is added to the Configure Value dialog box.

Steps for configuring a Property Generation and Validation policy

To configure a Property Generation and Validation policy

  1. On the Policy to Configure page, select Property Generation and Validation, and then click Next.
  2. Click Select to select the object type and object property you want the policy to control.
  3. Complete the Select Object Type and Property dialog box by using the procedure outlined later in this topic, and then click Next.
  4. On the Configure Policy Rule page, do the following, and then click Next:
    • Select the appropriate check boxes to configure the rule.
    • In the bottom area, click the click to add value link, and complete the Add Value dialog box by using the procedure outlined later in this topic.
    • To switch between AND and OR, click and or or.
  5. On the Policy Description page, you can modify the policy description:
    • Select Modify this policy description, and make changes to the policy description as needed. Then, click Next.
  6. On the Enforce Policy page, you can specify objects to which this Policy Object is to be applied:
    • Click Add, and use the Select Objects dialog box to locate and select the objects you want.
  7. Click Next, and then click Finish.

To complete the Select Object Type and Property dialog box

  1. From Object type, select the object type you want the policy to affect.
  2. From Object property, select the object property you want the policy to control.
  3. If you do not see the property you want, select Show all possible properties.
  4. Click OK.

To complete the Add Value dialog box

  1. Type in a value, and click OK.

OR

Click Configure and follow the steps below.

  1. Click Add.
  2. Configure an entry to include in the value (for instructions, see Steps for configuring entries).
  3. In the Configure Value dialog box, add more entries, delete or edit existing ones, and then click OK.
  4. In the Add Value dialog box, select the Default value check box if you want to mark the value as default, and click OK.

Steps for configuring entries

Use the following step-by-step instructions to configure an entry in the Add Entry dialog box. The same instructions apply when you are making changes to an existing entry.

To configure a Text entry

  1. Under Entry type, click Text.

    Use a Text entry to add a text string to the value you are configuring.

  2. In Text value, type the text string you want the value to include.
  3. Click OK.

To configure an <Object> Property entry

  1. Under Entry type, click <Object> Property.

    Use an <Object> Property entry when configuring a value to include a certain property (or a part of a property) of the object that is under the control of the policy. In these instructions, <Object> stands for the type of object, such as User, Group, or Computer.

  2. Click Select, click the property to include in the value, and then click OK.
  3. If you want the entry to include the entire value of the property, click All characters of the property value. Otherwise, click The first, and specify the number of characters to include in the entry.
  4. If you selected The first, then, optionally, select If value is shorter, add filling characters at the end of value, and type a character in Filling character.

    This character will fill the missing characters in the value of the property if the value is shorter than specified in the box next to The first.

  5. Click OK.

To configure a Parent OU Property entry

  1. Under Entry type, click Parent OU Property.

    Use a Parent OU Property entry when configuring a value to include a certain property (or a part of a property) of an organizational unit (OU) in the hierarchy of containers above the object being managed by the policy.

  2. Click Select, click the property to include in the value, and then click OK.
  3. If you want the entry to include the entire value of the property, click All characters of the property value. Otherwise, click The first, and specify the number of characters to include in the entry.
  4. If you selected The first, then, optionally, select If value is shorter, add filling characters at the end of value, and type a character in Filling character.

    This character will fill the missing characters in the value of the property if the value is shorter than specified in the box next to The first.

  5. Choose one of these options:
    • To use the property of the OU in which the object resides, click Immediate parent OU of the object being managed by this policy.
    • To use the property of a parent OU of a different level, click More distant parent OU and then, in Level, specify the level of the OU.

    Lower level means greater distance from the managed object in the hierarchy of containers above that object. OU level 1 is an immediate child OU of the domain.

  6. Click OK.

To configure a Parent Domain Property entry

  1. Under Entry type, click Parent Domain Property.

    Use a Parent Domain Property entry when configuring a value to include a certain property (or a part of a property) of the domain of the object being managed by the policy.

  2. Click Select, click the property to include in the value, and then click OK.
  3. If you want the entry to include the entire value of the property, click All characters of the property value. Otherwise, click The first, and specify the number of characters to include in the entry.
  4. If you selected The first, then, optionally, select If value is shorter, add filling characters at the end of value, and type a character in Filling character.

    This character will fill the missing characters in the value of the property if the value is shorter than specified in the box next to The first.

  5. Click OK.

To configure a Mask entry

  1. Under Entry type, click Mask.

    Use a Mask entry when configuring a value to include a syntax that determines how many and what characters are allowed in the property controlled by the policy.

  2. Select one of these options:
    • Any characters or no characters to allow the entry to include any series of characters.
    • At most the specified number of characters to specify a maximum number of allowed characters the entry may include.
    • Exactly the specified number of characters to specify an exact number of allowed characters that the entry must include.
  3. If you selected the second option or the third option in Step 2, do the following:
    • In Number of characters, specify how many characters are allowed in this entry.

    If you selected the second option, the entry may include any number of characters not exceeding the number specified.

    If you selected the third option, the entry must include exactly the specified number of characters.

    • Under Allowed characters, select check boxes to specify what characters are allowed in this entry.

  4. Click OK.

To configure a Date and Time entry

  1. Under Entry type, click Date and Time.

    Use a Date and Time entry when configuring a value to include the date and time of the operation performed by the policy (for example, the date and time when the user was deprovisioned).

  2. In the list under Date and time format, click the date or time format you want.
  3. Click OK.

To configure an Initiator ID entry

  1. Under Entry type, click Initiator ID.

    Use an Initiator ID entry when configuring a value to include the ID of the Initiator, that is, the user who initiated the operation performed by the policy (for example, the ID of the user who initiated the deprovisioning operation). You can build the Initiator ID based on a combination of properties of the Initiator.

  2. Select one of these options:
    • User logon name (pre-Windows 2000) of the Initiator, in the form Domain\Name to set the Initiator ID to the pre-Windows 2000 user logon name of the Initiator.
    • User logon name of Initiator to set the Initiator ID to the user logon name of the Initiator.
    • Initiator ID built using a custom rule to compose the Initiator ID of other properties specific to the Initiator.
  3. If you selected the third option in Step 2, click Configure, and use the Configure Value dialog box to set up the value to be used as the Initiator ID: Click Add and specify the entries for the value as appropriate.

    You can configure entries of these categories: Text (any text string), Initiator Property (a certain property of the Initiator user object), Parent OU Property (a certain property of an organizational unit that holds the Initiator user object), Parent Domain Property (a certain property of the domain of the Initiator user object). To configure entries, use the instructions that are given earlier in this topic.

  4. Click OK.

To configure a Uniqueness Number entry

  1. Under Entry type, click Uniqueness Number.

    Use a Uniqueness Number entry when configuring a value to include a number the policy will increment in the event of a naming conflict. For example, in a policy that generates a user logon name or e-mail alias, you can add an entry of this category to the generation rule in order to ensure the uniqueness of the name or alias generated by the policy.

  2. Click one of these options:
    • Add always: The value includes this entry regardless of whether the policy encounters a naming conflict when applying the generation rule.
    • Add if the property value is in use: The policy adds this entry to the value in the event of a naming conflict; otherwise the value does not include this entry.
  3. Specify how you want the entry to be formatted:
    • To have the entry formatted as a variable-length string of digits, clear the Fixed-length number, with leading zeroes check box. In most cases, this will result in a single-digit entry.
    • To have the entry formatted as a fixed-length string of digits, select the Fixed-length number, with leading zeroes check box, and then specify the number of digits you want the string to include. This will result in an entry prefixed with the appropriate number of zeroes, such as 001, 002, 003, etc.
  4. Click OK.
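
The following added example (not Active Roles code) models how an <Object> Property entry with The first and a filling character combines with a Uniqueness Number entry when a generated name collides with an existing one. The function names, the starting number 1, the case-insensitive comparison and the error raised when a fixed-length number runs out are assumptions of this example.

```python
def property_part(value, first=None, fill=None):
    """<Object> Property entry: the whole value, or 'The first' N characters,
    optionally padded at the end with a single filling character."""
    if first is None:
        return value
    part = value[:first]
    if fill is not None:
        part = part.ljust(first, fill)
    return part

def uniqueness_number(n, fixed_length=None):
    """Variable-length digits, or fixed length with leading zeroes (001, 002)."""
    return str(n).zfill(fixed_length) if fixed_length else str(n)

def generate(base, in_use, add_always=False, fixed_length=None):
    """Return the first candidate name that is not already in use.

    add_always=False models 'Add if the property value is in use': the bare
    name is tried first and the number is appended only on a conflict.
    """
    # Assumption: names are compared case-insensitively, as directory logon
    # names are, so "JLIXXX" conflicts with "jlixxx".
    taken = {name.casefold() for name in in_use}
    if not add_always and base.casefold() not in taken:
        return base
    # A fixed length of N digits can express at most 10**N - 1 numbers.
    last = 10 ** fixed_length - 1 if fixed_length else None
    n = 1  # assumption: numbering starts at 1
    while last is None or n <= last:
        candidate = base + uniqueness_number(n, fixed_length)
        if candidate.casefold() not in taken:
            return candidate
        n += 1
    raise RuntimeError("fixed-length uniqueness numbers exhausted")

def logon_name(first_name, last_name, in_use, **options):
    """Hypothetical rule: first letter of the first name, then the first five
    characters of the last name padded with 'x', then the uniqueness number."""
    base = property_part(first_name, 1) + property_part(last_name, 5, "x")
    return generate(base, in_use, **options)

# Constructed sample of names already present in the directory.
EXISTING = ["jlixxx", "JLIXXX1"]

if __name__ == "__main__":
    print(logon_name("John", "Li", EXISTING))                      # conflict path
    print(logon_name("John", "Li", [], add_always=True, fixed_length=3))
```

A short fixed length caps how many conflicting names the rule can resolve, so size it for the largest expected number of collisions on one base name.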

Scenario 1: Using mask to control phone number format

This scenario describes how to configure a policy that forces the user phone number to conform to the format (###) ###-##-##.

To implement this scenario, you must perform the following actions:

  1. Create and configure a Policy Object that defines the appropriate policy.
  2. Apply the Policy Object to a domain, OU, or Managed Unit.

As a result, when creating or modifying a user object in the container you selected in Step 2, Active Roles checks whether the phone number conforms to the stated format. If not, the policy disallows the creation or modification of the user object.
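
The check this scenario describes can be modelled outside the product to find existing values that would fail once the policy is enforced. The following is an added example, not Active Roles code: it expresses Text and Mask entries as a regular expression for the format (###) ###-##-## and tests constructed sample values. The function names, mode names and ASCII-only character classes are assumptions of this example.

```python
import re

# Allowed-character classes for a Mask entry. The page names letters and
# numerals; the keys and ASCII-only ranges here are this example's assumption.
CLASSES = {"letters": "A-Za-z", "numerals": "0-9"}

def text(value):
    """Text entry: a literal string, escaped so '(' and ')' stay literal."""
    return re.escape(value)

def mask(mode, count=None, allowed=("numerals",)):
    """Mask entry: mode is 'any', 'at_most' or 'exactly' (hypothetical names)."""
    if mode == "any":
        return ".*"
    if mode not in ("at_most", "exactly"):
        raise ValueError(f"unknown mask mode: {mode!r}")
    if not isinstance(count, int) or count < 0:
        raise ValueError("count must be a non-negative integer")
    charset = "[" + "".join(CLASSES[name] for name in allowed) + "]"
    lower = 0 if mode == "at_most" else count
    return f"{charset}{{{lower},{count}}}"

def compile_value(entries):
    """Concatenate entries in order, as the Configure Value dialog lists them."""
    return re.compile("".join(entries), re.DOTALL)

def conforms(pattern, candidate):
    # fullmatch, not match/search: the whole value must fit the mask, so
    # trailing text or a trailing newline cannot slip through.
    return pattern.fullmatch(candidate) is not None

# Scenario 1 format (###) ###-##-## expressed as Text and Mask entries.
PHONE = compile_value([
    text("("), mask("exactly", 3), text(") "), mask("exactly", 3),
    text("-"), mask("exactly", 2), text("-"), mask("exactly", 2),
])

def audit(values):
    """Return the values that the phone-number format would reject."""
    return [v for v in values if not conforms(PHONE, v)]

# Constructed sample values; the fifth uses non-ASCII (Arabic-Indic) digits.
SAMPLES = ["(555) 123-45-67", "555-123-4567", "(555) 123-45-67 x9",
           "(555) 123-45-67\n", "(\u0665\u0665\u0665) 123-45-67",
           "(555)123-45-67"]

if __name__ == "__main__":
    for rejected in audit(SAMPLES):
        print("non-conforming:", repr(rejected))
```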

The following two sections elaborate on the steps to implement this scenario.
