Checking for policy compliance provides information on directory data that is out-of-compliance with the policies, such as user or group naming conventions, defined with Active Roles. If you define some policies when data has already been entered, you can check the data, and modify it accordingly, in order to ensure that the data meets the policy requirements.
Although with Active Roles business rules and policies normally cannot be bypassed once they have been configured, there are situations where the actual directory data may violate some of the prescribed policies or business rules. For example, when applying a new policy, Active Roles does not automatically verify the existing directory data in order to determine whether that data conforms to the new policy. Another example is a process that automatically creates new objects, such as user or group objects, by directly accessing Active Directory without the use of Active Roles.
The Active Roles Report Pack includes a number of reports that help detect policy violations in directory data by collecting and analyzing information on the state of directory objects against the prescribed policies. However, because retrieving that information can take considerable time and effort, the policy compliance reports do not always allow policy-related issues to be resolved in a timely fashion.
In order to address this problem, Active Roles makes it possible to quickly build and examine policy check results on individual objects or entire containers. The policy check results provide a list of directory objects violating policies, and describe the detected violations. From the policy check results, you can make appropriate changes to objects or policies:
In addition, you can save policy check results to a file, print them out, or send them to an e-mail recipient.
To check an object for policy compliance, right-click the object and click Check Policy. For a container object, this displays the Check Policy dialog box. Review the options in the Check Policy dialog box and click OK.
The Policy Check Results window appears and the operation starts. The check results are displayed in the right pane of the window. The objects that violate a policy are displayed in the left pane. When you click an object in the left pane, the right pane describes the policy violation in detail.
By default, the right pane in the Policy Check Results window only displays basic options. You can display more choices by clicking the Details column heading.
By using links in the right pane, you can perform the following tasks:
You can use the following instructions to see how checking for policy compliance works in the Active Roles console:
Once you have performed these steps, the Policy Check Results window is displayed. Its left pane lists objects violating the policy.
The right pane, next to the Violation label, displays the prompt “You must specify a value for the property ‘department’.”
To check an object for policy compliance
The progress and results of the policy check operation are displayed in the Policy Check Results window. The left pane of the window lists the objects for which a policy violation has been detected.
When you click an object in the left pane, the right pane describes the policy violation in detail. By default, the right pane in the Policy Check Results window only displays basic options. You can display more choices by clicking the Details column heading.
NOTE: The Check Policy command on a Policy Object performs a check on all the objects found in the policy scope of the Policy Object. Use the Check Policy command on a Policy Object to find all objects that are not in compliance with the policies defined by that Policy Object.
The Active Roles user interfaces, both Active Roles console and Web Interface, provide the Deprovision command on user and group objects. This command originates a request to deprovision the selected objects. When processing the request, Active Roles performs all operations prescribed by the deprovisioning policies.
Active Roles ships with two built-in Policy Objects that specify the operations to perform when deprovisioning a user or group. You can find those Policy Objects in the Active Roles console by selecting the Configuration | Policies | Administration | Builtin container.
The Built-in Policy - User Default Deprovisioning Policy Object determines the default effect of the Deprovision command on user accounts; the Built-in Policy - Group Default Deprovisioning Policy Object determines the default effect of that command on groups. Both objects are applied to the Active Directory container, taking effect in all domains that are registered with Active Roles.
The following tables summarize the default deprovisioning policy options. If you do not add, remove or change deprovisioning policies, Active Roles operates in accordance with these options when carrying out the Deprovision command on a user or group.
The following table summarizes the default deprovisioning policy options for users, defined by the Built-in Policy - User Default Deprovisioning Policy Object.
Policy | Options
User Account Deprovisioning |
Group Membership Removal |
Exchange Mailbox Deprovisioning |
Home Folder Deprovisioning |
User Account Relocation |
User Account Permanent Deletion |
The following table summarizes the default deprovisioning policy options for groups, defined by the Built-in Policy - Group Default Deprovisioning Policy Object.
Policy | Options
Group Object Deprovisioning |
Group Object Relocation |
Group Object Permanent Deletion |
© 2021 One Identity LLC. ALL RIGHTS RESERVED.