Chat now with support
Chat with Support

Active Roles 7.5.2 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo Appendix H: Active Roles integration with Okta

Deprovision an existing Active Roles user for SaaS products

Active Roles provides the ability to deprovision SaaS product users. When an Active Roles user is deprovisioned, if the user is mapped to Starling Connect, then the user is deprovisioned from the selected connected system. This means the Active Role SaaS product user is prevented from logging on to the network and connecting to any of the connected systems through the registered connectors.

The Deprovision command on a user updates the account as prescribed by the deprovisioning policies.

Active Roles comes with a default policy to automate some commonly-used deprovisioning tasks, and allows the administrator to configure and apply additional policies.

To deprovision a user for a SaaS product

  1. On the Active Roles Web interface Navigation bar, click Directory Management.
  2. On the Views tab in the Browse pane, click Active Directory.

    The list of Active Directory domains is displayed.

  3. Click the specific domain, Container or the Organizational Unit, and then select the check box corresponding to the specific user, which you want to deprovision for SaaS products

  4. Select the user, and in the Command pane, click Deprovision.

    A message is displayed prompting you to confirm the account deprovision.

  1. Click Yes, to continue

    Wait while Active Roles updates the user.

    After the task is completed, a message is displayed that the account is deprovisioned successfully from Active Roles.

    If the user is mapped to Starling Connect, then the user is deprovisioned from the connected systems.

To undo deprovision of a user for a SaaS product

  1. On the Active Roles Web interface Navigation bar, click Directory Management.
  2. On the Views tab in the Browse pane, click Active Directory.

    The list of Active Directory domains is displayed.

  1. Click the specific domain, Container or the Organizational Unit, and then select the check box corresponding to the specific user, which you want to undo deprovision for SaaS products.

  2. In in the Command pane, click UndoDeprovisioning.

    The Password Options dialog box is displayed.

  3. Select the option to Leave the Password unchanged or Reset the password, and click OK.

Notifications for Starling operations

The Notification pane displays the notification specific to Starling operations. The notifications are classified into Starling Connect and Updates.

IMPORTANT:

  • You must enable Port 7465 (HTTP) TCP Inbound/Outbound and Port 7466 (HTTPS) TCP Inbound/Outbound for the notifications to work. For more information, see Access to domain controllers.
  • The Web Interface machine must be able to resolve Service machine name for Notifications to work.

To view the Starling Connect notification

  1. On the Active Roles Web interface, click the notification icon.

    Starling Connect and Updates tabs are displayed.

  2. Click the Starling Connect tab to view the notifications specific to SaaS operations.

    NOTE: The latest five notifications are sent only to the initiator of the operation.

To view the Updates

  1. On the Active Roles Web interface, click the notification icon.

    Starling Connect and Updates tabs are displayed.

  2. Click the Updates tab to view the important updates about Starling.
  3. For more information on the notification, click Read More.

    NOTE: The notifications are sent to all the users who have joined Starling on the Administration website.

To view notifications on the Notifications page

  1. On the Active Roles Web interface, click the notification icon.

    Starling Connect and Updates tabs are displayed.

  2. Click the Starling Connect tab to view the notifications specific to SaaS operations.

    The latest five notifications are displayed with the configuration status and a brief description.

  3. Click View all notifications to view the details about the notification.

    The Notification page is displayed.

  1. Click Filter drop-down menu to filter the notifications based on time, connector name , status, and keywords.

  2. Select the required notifications and click Export to CSV from the Action drop-down menu. Click Go. You can also delete a notification by selecting a particular checkbox.
  3. Point the mouse to the notification in the Message column to view a detailed description. Expand the connector information available next to the connector check box to view the detailed description. The description pane gives the link to Change History of that particular object for more details. You can also copy the message in case of a failure.

Configuring notification settings

You can configure notifications settings from the Home screen | Settings page and Home screen | Customization | Global Settings.

To configure notification settings on the Settings page

  1. On the Active Roles Web interface, click the Settings.

    The Settings page is displayed.

  2. On the Settings page, enter the time in minutes for which the notification is to be visible in Time (in minutes) for which the notification is visible field.

    NOTE: By default, the time is set to 0 and the notifications do not expire. You can update the time to the required limit in minutes.

  1. Enter the number of notifications to be stored in Maximum number of notifications to be stored in Active Roles field.

    NOTE: The maximum number of notifications that can be stored is 1000.

To configure notification settings on the Customization page

  1. On the Active Roles Web interface, click the Customization.

    The Customization page is displayed.

  2. On the Customization page, click Global Settings.
  3. In the Settings applied for every user of the Web Interface by default section, enter the time in minutes for which the notification is to be visible in Time (in minutes) for which the notification is visible field.

    NOTE: By default, the time is set to 0. You can update the time to the required limit in minutes.

  4. Enter the number of notifications to be stored in Maximum number of notifications to be stored in Active Roles field.

    NOTE: The maximum number of notifications that can be stored is 1000.

IMPORTANT: For notifications to work as expected, you must perform the following, if you are using ActiveRoles website over HTTPS:

  • Import a valid certificate into Trusted Root Certificate Authority in the machine where ActiveRoles Service is installed.
  • In the below command, substitute thumbprint of the newly added certificate to CERT_HASH.
  • In the below command, substitute a Unique GUID to APP_ID.
  • Execute the command below in PowerShell command interface:

    netsh http add sslcert ipport=0.0.0.0:7466 appid='{APP_ID}' certhash=<CERT_HASH>.

SCIM attribute mapping with Active Directory

Active Roles provides support to connect to Starling Connect to manage the user provisioning and deprovisioning activities for the registered connectors. This is achieved through the internal attribute mapping mechanism. The AD attributes are mapped to SCIM attributes to perform each operation.

SCIM attribute mapping with Active Directory for Users

SCIM Active Directory
displayName displayName
givenName givenName
familyName sn
middleName middleName
title title
password edsaPassword
streetAddress streetAddress
locality city
postalCode postalCode
region state
country c
active edsaAccountIsDisabled
userName edsvauserName
honorificPrefix initials

formattedName

cn

emails proxyAddresses,mail
preferredLanguage preferredLanguage
description description
emailEncoding edsvaemailEncoding
alias edsvaalias
division division
company company
department department
homePage wWWHomePage
lastLogon lastLogon
accountExpires accountExpires

timezone

edsvatimezone

entitlements

edsvaentitlements

employeeNumber employeeNumber
cn cn
userPermissionsMarketingUser edsvauserPermissionsMarketingUser
userPermissionsOfflineUser edsvauserPermissionsOfflineUser
userPermissionsAvantgoUser edsvauserPermissionsAvantgoUser
userPermissionsCallCenterAutoLogin edsvauserPermissionsCallCenterAutoLogin
userPermissionsMobileUser edsvauserPermissionsMobileUser
userPermissionsSFContentUser edsvauserPermissionsSFContentUser
userPermissionsKnowledgeUser edsvauserPermissionsKnowledgeUser
userPermissionsInteractionUser edsvauserPermissionsInteractionUser
userPermissionsSupportUser edsvauserPermissionsSupportUser
userPermissionsLiveAgentUser edsvauserPermissionsLiveAgentUser
locale localeID
phoneNumbers telephoneNumber,mobile,homePhone
manager manager

desiredDeliveryMediums

edsvadesiredDeliveryMediums

nickname

edsvanickname

SCIM attribute mapping with Active Directory for Groups

SCIM Active Directory
displayName cn

members

member

email

mail

manager

managedBy

Azure AD, Office 365, and Exchange Online management

Active Roles is an administrative platform that facilitates the administration and provisioning of Active Directory, Exchange, and Azure Active Directory (Azure AD) resources in on-premises, cloud-only and hybrid environments as well. You can manage all these resources through the Active Roles Web Interface.

  • In an on-premises environment, when you create new Active Directory objects (users, guest users, groups, contacts, and so on), Active Roles creates and stores these new objects in the local infrastructure of your organization.

  • In a cloud-only environment, when you create new Active Directory objects (users, guest users, groups, contacts, and so on), Active Roles creates and stores these new objects in the Azure Cloud.

  • In hybrid environments, when you create new Active Directory objects (users, guest users, contacts, and so on) Active Roles synchronizes the on-premises Active Directory objects and their properties to the Azure AD cloud. This synchronization is performed by the Active Roles Synchronization Service between Active Roles and Microsoft Office 365, whenever you configure an Active Directory object with the Active Roles Web Interface.

NOTE: The Active Roles Web Interface supports Azure AD-related operations only on sites based on the Administrators template. While some of the configuration procedures listed in this page are also supported through the Management Shell, they are all described with using the Active Roles Web Interface.

The Office 365 / Azure AD capabilities of Active Roles support the following administrative tasks:

  • Create an Office 365 user account associated with a given Active Directory user account.
  • Synchronize user properties from Active Directory user accounts to their associated Office 365 user accounts.
  • View or change the properties of the Office 365 user account associated with a given Active Directory user account.
  • Assign Office 365 licenses to the Office 365 user account associated with a given Active Directory user account.
  • Delete the Office 365 user account associated with a given Active Directory user account.
  • Create an Office 365 security group or distribution group associated with a given Active Directory group.
  • Synchronize group properties, including the members list, from Active Directory groups to their associated Office 365 groups.
  • View or change the properties of the Office 365 group associated with a given Active Directory group.
  • Delete the Office 365 group associated with a given Active Directory group.
  • Create an Office 365 external contact associated with a given Active Directory contact.
  • Synchronize contact properties from Active Directory contacts to their associated Office 365 external contacts.
  • View or change the properties of the Office 365 external contact associated with a given Active Directory contact.
  • Delete the Office 365 external contact associated with a given Active Directory contact.
  • View Office 365 domain and license information.
  • Create Office 365 users. When you create an Office 365 user, you can choose whether to license that user for Exchange Online.
  • Create security groups and distribution groups in Office 365. You can choose the type of the Office 365 group that you want to create.
  • Assign licenses to Office 365 users. When creating or administering a user, you can choose the Office 365 licenses that you want to assign to that user.
  • Restrict the licenses for Office 365 users. You can configure a policy to specify what Office 365 licenses can be assigned depending on user location in Active Directory.
  • View or change the Office 365 specific object properties. You can edit Office 365 users, groups and contacts.
  • Examine Office 365 licenses and license usage. For each of your license subscriptions, you can view how many licenses are valid, expired or assigned. This information is displayed on the add-on application page in the Active Roles console.
  • Examine Office 365 domains. For each of your Office 365 domains, you can view the status of the domain and see whether the domain is configured for single sign-on (federated). Azure Domains are listed in Azure Domains in Azure Configuration
  • Associate existing Office 365 users with on-premises Active Directory users. The synchronization workflow uses the GUID and the primary SMTP address to match an existing Office 365 user to the appropriate on-premises Active Directory user.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating