Configuring an activity of a custom type
Once a custom activity type has been deployed, an Active Roles administrator can add an activity of that type to a workflow. This is accomplished by dragging the activity type onto the workflow process diagram in the Workflow Designer.
To configure a workflow activity of a custom type
- In the Active Roles console tree, expand Configuration | Policies | Workflow, and select the workflow to which you want to add an activity.
This opens the Workflow Designer window in the details pane, representing the workflow definition as a process diagram.
- In the details pane, drag the activity type from the left panel onto the process diagram.
The panel on the left of the workflow process diagram lists all the activity types defined in your Active Roles environment. The built-in activity types are listed in the Basic area, along with the custom activity types whose Policy Type objects are located directly in the Policy Types container. The other custom activity types are listed below the names of the containers that hold the corresponding Policy Type objects. The list includes only those containers that are located directly in the Policy Types container. The names of the intermediate containers are not shown.
- Right-click the name of the activity you have added on the process diagram, and then click Properties.
- On the Properties page, set parameter values for the activity: Click the name of a parameter in the list, and then click Edit.
Parameters control the behavior of the activity. When Active Roles executes the activity, it passes the parameter values to the script function. The actions performed by the script function, and the results of those actions, depend upon the parameter values.
Clicking Edit displays a page where you can add, remove or select a value or values for the selected parameter. For each parameter, the script being used by the activity defines the name of the parameter and other characteristics, such as a description, a list of possible values, the default value, and whether a value is required. If a list of possible values is defined, then you can only select values from that list.
- Click OK to close the Properties dialog box, and then click Save Changes in the Workflow Designer.
Deleting a Policy Type object
You can delete a Policy Type object when you no longer need to add activities of the type defined by that object.
Before you delete a Policy Type object, consider the following:
- You can delete a Policy Type object only if no activities of the respective type exist in any workflow. Examine each workflow definition and remove the activities of that type, if any, from the workflow before deleting the Policy Type object.
- Deleting a Policy Type object permanently deletes it from the Active Roles database. If you want to use this activity type again, you should export the Policy Type object to an XML file before deleting the object.
- Deleting a Policy Type object does not delete the Script Module associated with that object. This is because the Script Module may be used by other activities. If the Script Module is no longer needed, it can be deleted separately.
To delete a Policy Type object
- Right-click the Policy Type object in the Active Roles console and click Delete.
Temporal Group Memberships
Temporal Group Memberships
Understanding temporal group memberships
By using temporal group memberships, Active Roles provides the ability to automate the tasks of adding or removing group members that only need group membership for a specific time period. When adding objects, such as users, computers or groups, to a particular group, an administrator can specify that the objects should be added to the group at the time of choice, as well as indicate when those objects should be removed from the group.
The temporal group membership functionality offered by Active Roles can aid organizations in efficiently assigning users and other objects to groups for a required period of time. Although in many cases objects that are added to a group remain the members of the group for an indefinite period of time, many organizations have requirements of temporarily assigning objects to particular groups. Typical scenarios include allowing access to specific resources for the duration of a certain project, or temporarily allowing an individual to act as a server administrator.
Management of temporal group assignments represents significant challenges for administrators since a high degree of administrative oversight is required to ensure that the group assignments are truly temporary and do not become permanent because of poor control over group memberships. Active Roles addresses these requirements by enabling addition or removal of group members to occur automatically on a scheduled basis.
The temporal group membership functionality expands the benefits of Active Roles in the following areas:
- Security By providing tight control over changes to group memberships, including policy-based rules and constraints, change approval, and change auditing, Active Roles reduces security risks for systems, applications and services that use Active Directory groups for access authorization. Adding and removing group members in a timely manner ensure that users have access to systems and resources for only the required amount of time, thereby restricting the possibility and scope of access.
- Availability By automatically populating groups based on configurable policy rules, Active Roles makes appropriate network resources available to appropriate users at the time that they need access to those resources. The ability to set a schedule for adding and removing group members is helpful in situations where temporary access is required for a relatively short time period or when numerous requests to change group memberships arise on short notice.
- Manageability Active Roles streamlines the management of assigning users to groups as well as removal of members from groups. Consistent and reliable control of these provisioning and de-provisioning activities reduces overhead for those managing Active Directory groups. Unattended, schedule-based handling of temporal group memberships helps assure compliance with change and access policies while simplifying the management of group membership change requests.
- Compliance Active Roles lowers regulatory compliance risks by ensuring that proper and effective controls are in place for group memberships. Since Active Directory groups are used to authorize access to systems, applications and data, controlling the assignment of users to groups on a temporal basis helps organizations comply with separation of duties and data privacy requirements.
Active Roles provides the temporal group membership functionality for both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
The temporal group membership functionality automates the tasks of adding and removing users from groups in the situations where users need group memberships for only a specific time period. By applying temporal membership settings, administrators can schedule selected objects to be assigned to a particular group and specify when the objects are to be removed from the group.
The key capabilities provided by Active Roles for managing temporal group memberships are as follows:
- Add temporal group members The user interface for selecting objects, in both the Active Roles console and Web Interface, provides a number of options to specify when the selected objects should be added to the selected group and when the selected objects should be removed from the group. It is possible to add the objects to the group immediately as well as to indicate that the objects should not be removed from the group.
- View temporal members of a group The list of group members (the Members page) displayed by the Active Roles console or Web Interface makes it possible to distinguish between regular group members and temporal group members. In addition, it is possible to hide or display the temporal members that are scheduled to be added to the group in the future but are not actual members of the group so far.
- View temporal memberships of an object The list of group memberships for a particular object (the Member Of page) makes it possible to distinguish between the groups in which the object is a regular member and the groups in which the object is a temporal member. It is also possible to hide or display the groups to which the object is scheduled to be added in the future.
- Reschedule temporal group memberships Both the Members and Member Of pages provide the ability to view or modify the temporal membership settings. On the Members page for a particular group, you can select a member, and view or modify the date and time when the member should be added or removed from the group. On the Member Of page for a particular object, you can select a group, and view or modify the date and time when the object should be added or removed from the group.
- Make a temporal member permanent The temporal membership settings provide the option to indicate that the object should not be removed from the group, thus making a temporal member permanent. If temporal membership settings on a particular object are configured to add the object to a certain group immediately and never remove it from the group, then the object becomes a regular member of that group. Similarly, specifying any other temporal membership settings on a regular member converts it to a temporal member.
- Remove temporal group members Both the Members and Member Of pages provide the Remove function for group memberships, whether temporal or regular. When you use the Remove function on temporal members of a group, the members are removed along with all the temporal membership settings that were in effect on those members. The same is true when you use the Remove function on groups in which a particular object is a temporal member.
With the temporal group membership functionality, Active Roles assures that users have group memberships for only the time they actually need to, enforcing the temporal nature of group memberships when required and eliminating the risk of retaining group memberships for longer than needed.