By using the Active Roles console, you can apply Active Roles Policy Objects to establish policy-based control and perform auto-provisioning of AD LDS data the same way as you do for the directory data held in Active Directory domains. By providing the ability to strictly enforce operating policies and to prevent unregulated access to sensitive information stored in AD LDS, Active Roles helps ensure the security of your business-critical data. Policy Objects can be configured to determine a wide variety of policies as applied to AD LDS, including data format validation, rule-based auto-provisioning of certain portions of data in AD LDS, and script-based, custom actions on AD LDS data.
You can use the following instructions to view or modify a list of Policy Objects that are applied to a given AD LDS object, such as an AD LDS user, group, organizational unit, container, or entire directory partition. For detailed instructions on how to create, configure and apply Policy Objects, see the Rule-based AutoProvisioning and Deprovisioning section earlier in this document.
To view or modify the list of Policy Objects on an AD LDS object
In the Active Roles Policy dialog box, a Policy Object can only be removed if it is applied to the AD LDS object you have selected (rather than to a container that holds the AD LDS object). To view the Policy Objects that can be removed on the current selection, click Advanced, and then clear the Show inherited check box.
Instead of removing a Policy Object in the Active Roles Policy dialog box, you can select the Blocked check box in the list entry for that Policy Object in order to remove the effect of the Policy Object on the AD LDS object. In this way, you can remove the effect of a Policy Object regardless of whether the Policy Object is applied to the AD LDS object itself or to a container that holds the object. If you block a Policy Object on a given AD LDS object, the policy settings defined by that Policy Object no longer take effect on the AD LDS object. You can undo this action by clearing the Blocked check box.
The newest versions of One Identity's on-premises products offer a mandatory One Identity Hybrid Subscription, which helps you transition to a hybrid environment on your way to the cloud. The subscription enables you to join Active Roles with the One Identity Starling software-as-a-service platform. This gives your organization immediate access to a number of cloud-delivered features and services, which expand the capabilities of Active Roles. When new products and features become available to One Identity Starling, the One Identity Hybrid Subscription allows you to use these immediately for Active Roles to add value to your subscription.
Active Roles version 7.4 supports integration with One Identity Starling services. The Starling Join feature in Active Roles now enables you to connect to One Identity Starling, the Software as a Service (SaaS) solution of One Identity. The Starling Join feature enables access to the Starling services through Active Roles thus allowing to benefit from the Starling services such as Two-factor Authentication, Identity Analytics and Risk Intelligence, and Connect.
In order to use Starling 2FA with Active Roles, you first need to join One Identity Starling to Active Roles on the Active Roles Configuration Center. The Join to One Identity Starling wizard also includes links, which provide assistance for using Starling: