
Active Roles 7.4.1 - Administration Guide


How Managed Units work

Membership rules determine whether an object is a member of a certain MU. For example, you might specify a membership rule that states: all users from OU A whose full names start with B belong to this MU. The membership rule is then implemented as a query that searches OU A for users with full names starting with B. Active Roles stores the query as a part of the MU properties, and executes it whenever a list of MU members is created or refreshed.

Active Roles allows permission and policy settings to be specified at the level of Managed Units. Inheritance of permission and policy settings from the Managed Unit level works seamlessly across the Active Directory environment.

As the environment changes, the memberships of objects held in Managed Units also change automatically to adapt to the new environment, therefore object permission and policy settings change as well. Managed Units dynamically adapt to changes in the enterprise, simplifying the maintenance of permission and policy settings on directory objects.

Each Managed Unit provides a convenient scope for delegated administration. Delegated administrators no longer have to browse the hierarchy of OUs to search for managed objects. With Active Roles, administrative control of each MU can be delegated to specific individuals and groups, just as control of OUs can be delegated. Using Managed Units, all objects managed by a delegated administrator are located in one place.

Administering Managed Units

This section guides you through the Active Roles console to administer Managed Units. The following topics are covered:

Creating a Managed Unit

The Active Roles console provides the New Object – Managed Unit wizard to create Managed Units. You can start the wizard from the Managed Units container, located under Configuration in the console tree: right-click Managed Units in the console tree, and select New | Managed Unit.

If you need to manage a large number of Managed Units, it is advisable to create containers that hold only specified Managed Units for easy location: in the console tree, right-click Managed Units and select New | Managed Unit Container. Then, you can use the wizard to create a Managed Unit in that container: right-click the container and select New | Managed Unit.

NOTE: Only users with administrative access to the Administration Service (members of the Active Roles Admin account) are permitted to create Managed Units. For more information about the Active Roles Admin account, refer to the Active Roles Quick Start Guide.

The first page of the wizard looks as shown in the following figure.

Figure 6: Managed unit - Name and Description

On this page, type in the name and description for the Managed Unit. The Active Roles console will display the name and description in the list of Managed Units in the details pane.

Click Next. The second page of the wizard looks as shown in the following figure.

Figure 7: Managed unit - include objects

This page lets you specify which objects you want to be included in the Managed Unit.

Membership of a Managed Unit is determined by membership rules. Members of a Managed Unit are those objects that match the criteria defined in the membership rules. The list of members is updated dynamically: when you create a new object that satisfies the criteria in a membership rule, the object is included in the MU automatically. When an object no longer matches the criteria specified in the membership rule (for example, when the object is renamed or moved), it is automatically removed from the membership list.

A membership rule may take the form of a search query, a static object inclusion or exclusion rule, or a group member inclusion or exclusion rule.

To specify a membership rule, click Add. This displays the Membership Rule Type dialog box, shown in the following figure.

Figure 8: Managed Unit - membership rule type

In this dialog box, select a type of membership rule. In the lower box, you can read a description that explains which membership rules can be created using the selected type.

The Include Explicitly rule type allows you to select objects to be statically added to the Managed Unit. If you select a container, such as an OU, the entire sub-tree rooted in that container is included in the Managed Unit. Active Roles ensures that the selected objects are included in the Managed Unit regardless of whether they are renamed, moved to another container, or have any properties changed.

The Exclude Explicitly rule type allows you to select objects to be statically excluded from the Managed Unit. Active Roles ensures that the selected objects are excluded from the membership list regardless of whether they are renamed, moved, or have any properties changed. Because the Exclude Explicitly rule takes precedence over all other types of rule, the selected objects will be excluded from the Managed Unit even if another rule states that they should be included. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.

The Include Group Members rule type allows you to select the groups whose members you want to include in the Managed Unit. Active Roles dynamically populates the membership list with the objects that belong to the selected groups. When an object is added to or removed from any of the selected groups, Active Roles adds or removes that object from the membership list of the Managed Unit.

The Exclude Group Members rule type allows you to select groups whose members will be excluded from the Managed Unit. Active Roles ensures that the members of the selected groups are removed from the membership list of the Managed Unit. When an object is added to any one of the selected groups, Active Roles automatically removes that object from the membership list. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.

The Include by Query rule type allows you to define criteria the objects must match to be included in the Managed Unit. Active Roles dynamically populates the membership list with the objects that have certain properties. When an object is created, or when its properties are changed, Active Roles adds or removes it from the membership list depending on whether the object's properties match the defined criteria.

The Exclude by Query rule type allows you to define criteria the objects must match to be excluded from the Managed Unit. Active Roles ensures that the objects with certain properties are excluded from the membership list. Active Roles automatically removes objects from the membership list depending on whether the object's properties match the defined criteria. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.

The Retain Deprovisioned rule is intended to adjust the behavior of Managed Units towards deprovisioned objects, such as deprovisioned users or groups. Once an object is deprovisioned, the default behavior is to automatically remove that object from all Managed Units it was a member of. If there is a need to keep deprovisioned objects in certain Managed Units, you can satisfy this requirement by adding the Retain Deprovisioned rule to those Managed Units. This rule causes the Managed Unit to include both the regular and deprovisioned objects that meet the membership rules for that Managed Unit. Without this rule, the Managed Unit does not include any deprovisioned objects.

Note that the rules that exclude objects from a Managed Unit have an effect on only those objects that match one of the inclusion rules for that Managed Unit. For example, if a container object is explicitly included in a Managed Unit, all objects held in that container are also included in the Managed Unit and cannot be excluded by applying exclusion rules. An exclusion rule can only be used to exclude the entire container from the Managed Unit since the container is the only object that matches an inclusion rule. The objects that are held in the container do not match any inclusion rule, and therefore are not affected by exclusion rules.

In the Membership Rule Type dialog box, select a rule type, and click OK.

If you have selected the Include Explicitly or Exclude Explicitly rule type, the Select Objects dialog box is displayed. Select the objects you want to include in or exclude from the Managed Unit, click Add, and then click OK.

If you have selected the Include Group Members or Exclude Group Members rule type, the Select Objects dialog box is displayed. The list of objects in that dialog box consists of groups. Select groups, click Add, and then click OK. All members of the selected groups will be included in or excluded from the Managed Unit.

If you have selected the Include by Query or Exclude by Query rule type, the Create Membership Rule dialog box, similar to the Find dialog box, is displayed. In that dialog box, define the criteria that objects must match to be included in or excluded from the Managed Unit.

After you have added one membership rule, you can add further membership rules for the same Managed Unit.

If you add several membership rules to the Managed Unit and some of them conflict with each other, then the conflict is resolved by a rule that defines the following order of precedence:

  1. Exclude Explicitly
  2. Include Explicitly
  3. Exclude by Query
  4. Exclude Group Members
  5. Include by Query
  6. Include Group Members

According to this, for example, the Exclude Explicitly rule takes precedence over all other types of rule. Therefore, the selected objects will be excluded from the Managed Unit even if another rule states that they should be included (for example, the objects that match the criteria defined in the Include by Query membership rule, or belong to a group selected in the Include Group Members rule).

NOTE: An exclusion rule type can be used to exclude only those objects that match one of the inclusion rules. For example, if a given Organizational Unit is included in a Managed Unit by an inclusion rule, all child objects held in the Organizational Unit are also included in that Managed Unit. However, only the entire Organizational Unit rather than its individual child objects can be excluded from the Managed Unit.
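The precedence list and the container caveat above are easier to reason about as an algorithm. The following is an added illustration written for this page, not Active Roles code: it models a directory as DNs, applies the six rule types in the documented order, and honours Retain Deprovisioned. Object fields, the sample DNs and the "child DN ends with ',<parent DN>'" convention are assumptions of the model.

```python
"""Model of Managed Unit membership resolution (a constructed illustration, not
Active Roles code). Objects are keyed by DN; a child's DN ends with ",<parent DN>"."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Obj = Dict[str, object]  # {"class", "name", optional "groups", optional "deprovisioned"}

@dataclass
class Rules:
    include_explicit: Set[str] = field(default_factory=set)
    exclude_explicit: Set[str] = field(default_factory=set)
    include_groups: Set[str] = field(default_factory=set)
    exclude_groups: Set[str] = field(default_factory=set)
    include_query: List[Callable[[Obj], bool]] = field(default_factory=list)
    exclude_query: List[Callable[[Obj], bool]] = field(default_factory=list)
    retain_deprovisioned: bool = False

def resolve(directory: Dict[str, Obj], rules: Rules) -> Set[str]:
    """Return the DNs that end up as members of the Managed Unit."""
    members: Set[str] = set()
    for dn, obj in directory.items():
        groups = set(obj.get("groups", ()))
        # Exclude Explicitly outranks every other rule, Include Explicitly included.
        if dn in rules.exclude_explicit:
            continue
        if dn in rules.include_explicit:
            members.add(dn)
            # A container brings in its whole subtree; the children match no
            # inclusion rule themselves, so no exclusion rule can remove them.
            members.update(d for d in directory if d.endswith("," + dn))
            continue
        # Query/group inclusions rank lowest: query/group exclusions can remove them.
        included = any(q(obj) for q in rules.include_query) or bool(groups & rules.include_groups)
        excluded = any(q(obj) for q in rules.exclude_query) or bool(groups & rules.exclude_groups)
        if included and not excluded:
            members.add(dn)
    if not rules.retain_deprovisioned:
        # Default: deprovisioned objects drop out unless Retain Deprovisioned is set.
        members = {d for d in members if not directory[d].get("deprovisioned")}
    return members

# Constructed sample directory: OU A and OU B under one domain, plus a Sales group.
DIRECTORY: Dict[str, Obj] = {
    "OU=A,DC=corp": {"class": "ou", "name": "A"},
    "CN=Bob,OU=A,DC=corp": {"class": "user", "name": "Bob", "groups": {"CN=Sales,DC=corp"}},
    "CN=Bill,OU=A,DC=corp": {"class": "user", "name": "Bill"},
    "CN=Carol,OU=A,DC=corp": {"class": "user", "name": "Carol", "groups": {"CN=Sales,DC=corp"}},
    "CN=Dave,OU=B,DC=corp": {"class": "user", "name": "Dave", "groups": {"CN=Sales,DC=corp"}},
    "CN=Beth,OU=B,DC=corp": {"class": "user", "name": "Beth", "deprovisioned": True},
}

def demo() -> Set[str]:
    """Users named B* or in Sales, minus Bill (explicit) and Dave (by query)."""
    rules = Rules(
        include_query=[lambda o: o["class"] == "user" and str(o["name"]).startswith("B")],
        include_groups={"CN=Sales,DC=corp"},
        exclude_explicit={"CN=Bill,OU=A,DC=corp"},
        exclude_query=[lambda o: o["name"] == "Dave"],
    )
    return resolve(DIRECTORY, rules)
```

Running `demo()` yields Bob and Carol only: Bill is dropped by Exclude Explicitly, Dave by Exclude by Query, and the deprovisioned Beth is dropped because Retain Deprovisioned is not set. Explicitly including `OU=A,DC=corp` instead brings in Bob, Bill and Carol as a subtree, and an Exclude Explicitly rule for Bill then has no effect, which is the container caveat from the note.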

Once you have added membership rules, click Next. This displays a page shown in the figure that follows.

Figure 9: Managed unit - Permission and Policy settings

You can use this page to specify the permission and policy settings for the Managed Unit. When finished, click Next, and then click Finish. For information about permission settings, see Applying Access Templates later in this document. For information about policy settings, see Applying Policy Objects later in this document.

Steps for creating a Managed Unit

To create a Managed Unit

  1. In the console tree, under Active Roles | Configuration | Managed Units, locate and select the folder in which you want to add the Managed Unit.

    You can create a new folder as follows: Right-click Managed Units and select New | Managed Unit Container. Similarly, you can create a sub-folder in a folder: Right-click the folder and select New | Managed Unit Container.

  2. Right-click the folder, and select New | Managed Unit to start the New Object - Managed Unit wizard.
  3. On the first page of the wizard, do the following, and then click Next:
    1. In the Name box, type a name for the Managed Unit.
    2. In the Description box, type any optional information about the Managed Unit.
  4. On the second page of the wizard, click Add. This displays the Membership Rule Type dialog box.
  5. Select the type of the membership rule to create, and then click OK:
    • To create a rule that statically adds members to the Managed Unit, click Include Explicitly.
    • To create a rule that statically excludes members from the Managed Unit, click Exclude Explicitly.
    • To create a rule that adds all members of a certain group to the Managed Unit, click Include Group Members.
    • To create a rule that excludes all members of a certain group from the Managed Unit, click Exclude Group Members.
    • To create a rule that populates the Managed Unit with the objects that match certain search criteria, click Include by Query.
    • To create a rule that prevents the Managed Unit from including the objects that match certain search criteria, click Exclude by Query.
    • To create a rule that prevents deprovisioned objects, such as deprovisioned users or groups, from being removed from the Managed Unit, click Retain Deprovisioned.

    If you selected the Include by Query rule type or the Exclude by Query rule type in Step 5, the Create Membership Rule dialog box is displayed. Otherwise (except for the Retain Deprovisioned rule type), the Select Objects dialog box is displayed.

  6. Complete the Create Membership Rule or Select Objects dialog box by following the instructions that are given later in this topic.
  7. Repeat steps 4 through 6 until you have added all of the desired membership rules. Then, click Next.
  8. On the next page of the wizard, do the following, and then click Next:
    • Click Security to specify permission settings on the Managed Unit.
    • Click Policy to specify policy settings on the Managed Unit.

    For information on how to specify security and policy settings, see Steps for modifying permission settings on a Managed Unit and Steps for modifying policy settings on a Managed Unit later in this document.

  9. On the completion page of the wizard, click Finish.

To complete the Create Membership Rule dialog box

  1. From the Find list, select the class of objects you want the membership rule to include or exclude from the Managed Unit. For example, when you select Users, the membership rule includes or excludes the users that match the conditions you specify.
  2. From the In list, select the domain or folder that holds the objects you want the membership rule to include or exclude from the Managed Unit. For example, when you select an Organizational Unit, the membership rule includes or excludes only the objects that reside in that Organizational Unit.

    To add folders to the In list, click Browse and select folders in the Browse for Container dialog box.

  3. Define the criteria of the membership rule. For example, to include or exclude the objects that have the letter T at the beginning of the name, type T in Name. You can use an asterisk (*) to represent any string of characters.
  4. Optionally, click Preview Rule to view a list of objects that match the criteria you have defined.
  5. Click Add Rule.

To complete the Select Objects dialog box

  1. In the Look in list, click the domain or folder that holds the objects you want to select. To add a folder to the list, click Browse.
  2. Do one of the following, and then click OK:
    • In the list of objects, double-click the object you want to add.
    • In the lower box, type the entire name, or a part of the name, of the object you want to add. Then, click Check Names.

NOTE:

  • You can also use the Properties command to add or remove membership rules from an existing Managed Unit: Right-click the Managed Unit, click Properties, and then click the Membership Rules tab in the Properties dialog box.
  • For information on how to display a list of members of a Managed Unit, see Displaying members of a Managed Unit later in this document.
  • The Create Membership Rule dialog box is similar to the Find dialog box you use to search for objects in the directory. Once you have specified your search criteria, the Add Rule function saves them as a membership rule. For more information on how to specify search criteria, see Finding objects earlier in this document.
  • The Find list includes the Custom Search entry. Selecting that entry displays the Custom Search tab, enabling you to build custom membership rules using advanced options, as well as to build advanced membership rules using the Lightweight Directory Access Protocol (LDAP), which is the primary access protocol for Active Directory. For more information about using advanced search options, see Steps for building a custom search and Steps for using advanced search options earlier in this document.