Chat now with support
Chat with Support

Active Roles 7.4.1 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 License Management Office 365 Roles Management User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure_Overview
Config ARS to Manage Hybrid AD Objects Managing Hybrid AD Users Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Azure O365 or Unified Groups
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling delegation for Federated Authentication

Object property access

Permissions in this category provide for administrative operations on object properties for objects of the classes that you selected in the previous step of the Add Permission Entries wizard.

When you select Object property access, you specify access to object properties. You can select Read properties and Write properties, as shown in the following figure.

After you click Next, the wizard displays a page where you can select the properties to which you want the permission to allow (or deny) access. The page is similar to the following figure.

On that page, you can select one of the following options:

  • All properties  With this option, the permission controls access to all properties.
  • The following properties  With this option, the permission controls access to the properties you select from the list by selecting the appropriate check boxes.

NOTE: By default, all object properties are not displayed in the list. To display all object properties, select the Show all possible properties check box.

After you have selected the properties you want, click Finish to complete the Add Permission Entries wizard. The permission is added to the Access Template.

Creation/Deletion of child objects permission

Permissions in this category provide for creation and deletion of child objects in container objects of the classes you selected in the previous step of the Add Permission Entries wizard.

When you select Creation/Deletion of child objects, you specify the creation, deletion, and move operations you want the permission to allow (or deny). The list of operations looks as shown in the following figure.

You can select the following operations:

  • Create child objects  Controls the creation of child objects of the classes you select in the next step.
  • Delete child objects  Controls the deletion of child objects of the classes you select in the next step.
  • Move objects into this container  Controls the relocation of object of the classes you select in the next step. This operation assumes moving objects from one container to another without permission to delete existing objects or create new objects.

After you click Next, the wizard displays the page where you can select the types of objects on which you want the permission to allow (or deny) the operations you selected in the previous step. The page is similar to the following figure.

On that page, you select the types of objects for which you want the permission to allow (or deny) the creation, deletion, or move operation. You can select one of these options:

  • Child objects of any class  With this option, the permission controls the operations on objects of any type.
  • Child objects of the following classes  With this option, the permission controls the operations on objects of the type you select from the list by selecting the appropriate check boxes.

NOTE: By default, all object classes are not displayed in the list. To display all object classes, select the Show all possible classes check box.

After you have selected the object classes, click Finish to complete the Add Permission Entries wizard. The permission is added to the Access Template.

Steps for creating an Access Template

To create an Access Template

  1. In the console tree, under Configuration | Access Templates, locate and select the folder in which you want to add the Access Template.

You can create a new folder as follows: Right-click Access Templates and select New | Access Template Container. Similarly, you can create a sub-folder in a folder: Right-click the folder and select New | Access Template Container.

  1. Right-click the folder, and select New | Access Template to start the New Object - Access Template wizard.
  2. On the first page of the wizard, do the following, and then click Next:
    1. In the Name box, type a name for the Access Template.
    2. In the Description box, type any optional information about the Access Template.
  3. On the second page of the wizard, configure the list of permission entries, and then click Next.

The instructions on how to add, modify, or delete permission entries are given later in this topic.

  1. Click Finish to create the Access Template that includes the permission entries you have specified.

To add a permission entry to an Access Template

  1. On the page that displays a list of permission entries included in the Access Template, click Add to start the Add Permission Entries wizard.
  2. On the first page of the wizard, select one of these options:
    • All object classes  The rights defined by this permission entry apply to objects of any class.
    • Only the following classes  The rights defined by this permission entry apply to objects of specific classes. Select object classes from the list. If the list does not include the object class you want, select Show all possible classes.
  3. Click Next.
  4. On the second page of the wizard, select one of these options:
    • Full control access  The rights to create or delete child objects, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with any extended right. This option does not have any configuration parameters.
    • Object access  The rights to exercise certain generic permissions and extended rights on the objects. Select permissions and extended rights from the list to configure this option as appropriate.
    • Object property access  The rights to read or write certain properties of the object. Select check boxes to configure this option as appropriate: Read properties, Write properties. On the next page of the wizard, you can select the properties you want to be controlled by this permission entry.
    • Creation/Deletion of child objects  The rights to create or delete child objects of the object. Select check boxes to configure this option as appropriate: Create child objects, Delete child objects, Move objects into this container. On the next page of the wizard, you can specify the class or classes of child object you want to be controlled by this permission entry.
  5. If you want the Access Template to deny the rights defined by this permission entry, select the Deny permission check box. Otherwise, leave the check box cleared.
  6. Do the following, depending on the option you selected and configured in Step 4:
    • Full control access or Object access  Click Finish to add the permission entry to the Access Template.
    • Object property access or Creation/Deletion of child objects  Click Next to continue configuring the option.
  7. On the third page of the wizard, continue configuring the option you selected in Step 4, and then click Finish to add the permission entry to the Access Template:
    • If you selected Object property access, select the properties to be controlled by this permission entry. You have two options: All properties and The following properties. With the second option, you must select properties from the list. If the list does not include the property you want, select Show all possible properties.
    • If you selected Creation/Deletion of child objects, specify the class or classes of child object to be controlled by this permission entry. You have two options: Child objects of any class and Child objects of the following classes. With the second option, you must select one or more object classes from the list. If the list does not include the object class you want, select Show all possible classes.

To view or modify a permission entry in an Access Template

  1. On the page that displays a list of permission entries included in the Access Template, select the permission entry you want to view or modify, and click View/Edit to display the Modify Permission Entry dialog box.
  2. Examine the Apply Onto tab in the Modify Permission Entry dialog box. On this tab, you can view or modify the same settings as on the first page of the Add Permission Entries wizard (see Step 2 in the procedure above).
  3. Examine the Permissions tab in the Modify Permission Entry dialog box. This tab provides the same options as the second page of the Add Permission Entries wizard (see Step 4 in the procedure above). The options are read-only, so you cannot change the option that was selected upon creation of the permission entry. However, you can manage the configuration of the option:
    • Object access  Select generic permissions or extended rights you want to add to the Access Template.
    • Object property access  Select or clear these check boxes: Read properties, Write properties.
    • Creation/Deletion of child objects  Select or clear these check boxes: Create child objects, Delete child objects, Move objects into this container.
  4. If you want the Access Template to deny the rights defined by this permission entry, select the Deny permission check box on the Permissions tab. Otherwise, leave the check box cleared.
  5. If Object property access is selected on the Permissions tab, use the Object Properties tab in the Modify Permission Entry dialog box to view or modify the settings that determine which properties are controlled by this permission entry (see Step 7 in the procedure above).
  6. If Creation/Deletion of child objects is selected on the Permissions tab, use the Object Classes tab in the Modify Permission Entry dialog box to view or modify the settings that determine which classes of child object are controlled by this permission entry.

To delete a permission entry from an Access Template

  1. On the page that displays a list of permission entries included in the Access Template, select the permission entry you want to delete, and click Remove.
  2. Click Yes to confirm the deletion.

Applying Access Templates

Active Roles allows Access Templates to be applied to any objects—administrative views (Managed Units), directory folders (containers), or individual (leaf) objects.

When applying an Access Template to an object, you designate a Trustee (user or group) and assign permissions to the Trustee for that object. As a result, the Trustee gets access to the object according to permissions defined in the Access Template.

For example, two assistants of a directory administrator might be delegated full control of different domains; Help Desk might be assigned the administrative role to reset passwords.

NOTE: When you apply Access Templates to a folder, you can configure the permission settings to propagate from the folder to its child objects, down the directory structure.

To apply an Access Template, you need to start and complete the Delegation of Control wizard.

You can start the Delegation of Control wizard from any of the following points:

  • Access Template  Right-click the Access Template, click Links, and then click the Add button. Access Templates are located in the Configuration/Access Templates container.

    When started in this way, the wizard allows you to select directory objects where to apply the Access Template and Trustees for those objects.

  • Securable object  Depending on whether the object is a container or leaf object, do one of the following:
    • For a container or a Managed Unit, right-click it, click Delegate Control, and then click the Add button.
    • For a leaf object, display the Properties dialog box, go to the Administration tab, click the Security button, and then click the Add button.

    When started in this way, the wizard allows you to select Trustees for the object and Access Templates to define the Trustees’ rights to the object.

  • Security principal (Trustee)  Right-click the group or user you want to designate as a Trustee, click Delegated Rights, and then click the Add button.

    When started in this way, the wizard allows you to select objects for which you want to designate the Trustee and Access Templates to define the Trustees’ rights to those objects.

You can also start the Delegation of Control wizard from the advanced details pane (ensure that Advanced Details Pane is checked on the View menu):

  • Select an Access Template, right-click a blank area on the Links tab, and then click Add.

    When started in this way, the wizard allows you to select directory objects where to apply the Access Template and Trustees for those objects.

  • Select a directory object (securable object), right-click a blank area on the Active Roles Security tab, and then click Add.

    When started in this way, the wizard allows you to select Trustees for the object and Access Templates to define the Trustees’ rights to the object.

The rest of this section provides instructions on how to complete the Delegation of Control wizard, assuming that you start the wizard from the object of which control you want to delegate (securable object). For instructions on how to complete the wizard in the other cases, see Steps for applying an Access Template later in this chapter.

If you start Delegation of Control wizard from a securable object, clicking Next on the Welcome page displays the Users or Groups page, shown in the following figure.

Figure 16: Delegation of control - Users or Groups

On the Users or Groups page, click Add to display the Select Objects dialog box where you can select groups or users to be designated as Trustees. Type or select the names of the users or groups you want to add to the list, and then click OK.

After you have completed the list on the Users or Groups page, click Next. This displays the Access Templates page, shown in the following figure.

Figure 17: Delegation of control - Access Templates

On the Access Templates page, expand containers that hold Access Templates, and select check boxes next to the names of the Access Templates you want to apply.

When you are done with selecting Access Templates, click Next. This displays the Inheritance Options page, shown in the following figure.

Figure 18: Delegation of Control - Inheritace Options

On the Inheritance Options page, you can select the following options to control inheritance of permissions:

  • This directory object  Ensures that the Trustees have administrative rights to the securable object itself.
  • Child objects of this directory object  Ensures that the Trustees have administrative rights to the child objects of securable object, down the directory structure.
  • Immediate child objects only  Limits the Trustees’ rights to only immediate child objects of the securable object.

By default, the first two options are selected.

Click Next. This displays the Permissions Propagation page where you can select the Propagate permissions to Active Directory check box. If you do so, the permission settings you are configuring are synchronized to Active Directory. As a result, the Trustees may also exercise their rights outside the Active Roles environment, thus incurring a potential risk of bypassing policies configured and enforced with Active Roles. Therefore, you should use this option carefully.

By default, the Propagate permissions to Active Directory check box is cleared. If you choose to select it, you can change this setting at any time by using the Sync to AD button in the Active Roles Security window or Sync to AD command in the advanced details pane (see Synchronizing permissions to Active Directory later in this chapter).

Click Next, and then click Finish to complete the wizard.

Related Documents