Introduction
This document provides an overview of the Active Roles (formerly known as ActiveRoles®) features.
Each feature is presented in a separate section containing the following elements:
- Feature Name: The title of the section.
- Description: An explanation of the feature.
- How to Start: Instructions on how to find or start using the feature (if applicable).
Unless otherwise noted, the How to Start instructions assume that you are logged on as an Active Roles Admin. By default, an Active Roles Admin is any member of the Administrators local group on the computer running the Active Roles Administration Service. Additionally, you should verify that the Active Roles console is in Advanced view mode: on the View menu, click Mode, and then click Advanced Mode.
NOTE: For information on the features of the latest Active Roles release, see the Active Roles What's New Guide.
Implementing Rules and Roles
This section provides an overview of features and enhancements relating to Active Roles’ workflow capabilities, policies (administrative rules) and delegation model (administrative roles).
Synchronization Service
Identity information can be stored in various data systems, such as directories, databases, or even formatted text files. Management and synchronization of identity information among different data systems may require considerable time and effort. On top of that, performing data synchronization tasks manually is error-prone and can lead to duplication of information and incompatibility of data formats.
With Synchronization Service, you can automate the process of identity data synchronization among various data systems used in your enterprise environment.
Synchronization Service increases the efficiency of identity data management by allowing you to automate the creation, deprovisioning, and update operations between the data systems you use. For example, when an employee joins or leaves the organization, the identity information managed by Synchronization Service is automatically updated in the managed data systems, thereby reducing administrative workload and getting the new users up and running faster.
The use of scripting capabilities provides a flexible way to automate administrative tasks and integrate the administration of managed data systems with other business processes. By automating conventional tasks, Synchronization Service helps administrators to concentrate on strategic issues, such as planning the directory, increasing enterprise security, and supporting business-critical applications.
Synchronization Service offers the following major features.
Bidirectional synchronization
Bidirectional synchronization allows you to synchronize all changes to identity information between your data systems. Using this type of synchronization, you can prevent potential identity information conflicts between different data sources. Note that bidirectional synchronization is unavailable for some of the supported data systems.
Delta processing mode
Delta processing mode allows you to synchronize identities more quickly by processing only the data that has changed in the source and target connected systems since their last synchronization. Both the full mode and the delta mode provide you with the flexibility of choosing the appropriate method for your synchronization tasks. Note that delta processing mode is unavailable for some of the supported data systems.
Synchronization of group membership
Synchronization Service allows you to ensure that group membership information is in sync in all connected data systems. For example, when a group object from an Active Directory domain is created in an AD LDS (ADAM) instance, you can configure rules to synchronize the Member attribute from the Active Directory domain to the AD LDS (ADAM) instance.
Windows PowerShell scripting
Synchronization Service includes a Windows PowerShell-based scripting shell for data synchronization. The shell is implemented as a Windows PowerShell module, allowing administrators to automate synchronization tasks by using PowerShell scripts.
Attribute synchronization rules
With Synchronization Service, you can create and configure synchronization rules to generate values of target object attributes. These rules support the following types of synchronization:
- Direct synchronization: Assigns the value of a source object attribute to the target object attribute you specify.
- Script-based synchronization: Allows you to use a Windows PowerShell script to generate the target object attribute value.
- Rule-based synchronization: Allows you to create and use rules to generate the target object attribute value you want.
Rule-based generation of distinguished names
Synchronization Service provides flexible rules for generating the Distinguished Name (DN) for objects being created. These rules allow you to ensure that created objects are named in full compliance with the naming conventions existing in your organization.
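As an added illustration of such a naming rule (this is not code from Active Roles or Synchronization Service, nor its scripting API), the PowerShell below derives a target DN from source attributes under an assumed convention and escapes the characters RFC 4514 reserves, so that a source value containing a comma or a trailing space produces a valid DN in the intended container instead of a malformed one. The function names, OU layout, base DN and sample records are assumptions.

```powershell
# Added example, not Active Roles or Synchronization Service code: a naming rule that
# derives a target DN from source attributes. Function names, the OU layout, the base DN
# and the sample records are assumptions made for illustration.

function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape the backslash first so the escapes added below are not doubled
    $escaped = $Value.Replace('\', '\\')
    # Characters RFC 4514 requires to be escaped anywhere inside an attribute value
    foreach ($ch in ',', '+', '"', '<', '>', ';') {
        $escaped = $escaped.Replace($ch, "\$ch")
    }
    # A leading '#' or space and a trailing space must be escaped as well
    $escaped = $escaped -replace '^#', '\#' -replace '^ ', '\ ' -replace ' $', '\ '
    return $escaped
}

function New-TargetDistinguishedName {
    param(
        [Parameter(Mandatory)][hashtable]$Source,    # source object attributes
        [string]$BaseDn = 'DC=corp,DC=example'       # assumed target naming context
    )
    # Assumed convention: CN is "sn, givenName" under an OU named after the department;
    # objects without a department go to a holding OU for later review.
    $cn = '{0}, {1}' -f $Source.sn, $Source.givenName
    if ($cn.Length -gt 64) { $cn = $cn.Substring(0, 64).TrimEnd() }   # AD limits cn to 64 chars
    $ou = if ($Source.department) { $Source.department } else { 'Unassigned' }
    # Every RDN value is escaped; the source value is never pasted into the DN raw
    return 'CN={0},OU={1},OU=People,{2}' -f (ConvertTo-EscapedRdnValue $cn), (ConvertTo-EscapedRdnValue $ou), $BaseDn
}

# Constructed sample records; the second carries a comma and a trailing space, which
# without escaping would split the RDN and place the object in an unintended container
$samples = @(
    @{ givenName = 'Alice'; sn = 'Smith';        department = 'Finance' },
    @{ givenName = 'Bob';   sn = 'de Vries, Jr'; department = 'R&D, Labs ' }
)
foreach ($s in $samples) { New-TargetDistinguishedName -Source $s }
```

The same escaping should be applied to any source attribute that ends up in an RDN, not only to the CN, since an unescaped OU value shifts the object just as an unescaped CN does.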
Scheduling capabilities
You can schedule the execution of data synchronization tasks and automatically perform them on a regular basis to satisfy your company’s policy and save time and effort.
Extensibility
To access external data systems, Synchronization Service employs so-called connectors. A connector enables Synchronization Service to read and synchronize the identity data contained in a particular data system. Out of the box, Synchronization Service includes connectors that allow you to connect to the following data systems:
- Microsoft Active Directory Domain Services
- Microsoft Active Directory Lightweight Directory Services
- Microsoft Exchange Server
- Microsoft Skype for Business Server
- Microsoft Windows Azure Active Directory
- Microsoft Office 365
- Microsoft SQL Server
- Microsoft SharePoint
- Active Roles version 6.9 to 7.5.2
- One Identity Manager version 6.1 or 6.0
- Data sources accessible through an OLE DB provider
- Delimited text files
How to start
For instructions on how to install, configure and use Synchronization Service, see the Synchronization Service Administration Guide document for Active Roles 7.5.2.
Exchange Resource Forest Management
Active Roles now includes a mailbox management solution—Exchange Resource Forest Management—to provision users with Exchange mailboxes in environments where mailbox servers are deployed in a dedicated Active Directory forest while logon-enabled user accounts are defined in a different forest.
Exchange Resource Forest Management extends the mailbox management capabilities of Active Roles in the case of resource forest topology. This topology option assumes that you have:
- At least one Active Directory forest containing logon-enabled user accounts for your organization, referred to as an accounts forest. The accounts forest does not have Exchange Server installed, nor does it need to have the Active Directory schema extended with the Exchange Server attributes.
- An Active Directory forest with Exchange Server, referred to as the Exchange forest, to hold mailboxes for user accounts from the accounts forest.
- Trust relationships configured so that the Exchange forest trusts the accounts forest.
With Exchange Resource Forest Management, you can use Active Roles to:
- Create a mailbox for a user account from the accounts forest.
You can create a mailbox when creating a user account in the accounts forest. It is also possible to create a mailbox for a user account that already exists in the accounts forest. As a result, Active Roles creates a disabled user account (shadow account) with a linked mailbox in the Exchange forest, and associates the shadow account and the mailbox with the user account (master account) held in the accounts forest.
NOTE: Mailboxes can be created only for Users; enabling a mailbox for a Contact is not allowed.
- View or change mailbox properties, and perform Exchange tasks, on a user account from the accounts forest (master account) that has a linked mailbox in the Exchange forest.
The pages for managing the master account include all Exchange properties and tasks that are normally available when the mailbox resides in the same forest as the managed user account. With Exchange Resource Forest Management, Active Roles synchronizes the Exchange properties displayed or changed on the pages for managing the master account with the properties of the linked mailbox.
- View or change the personal or organization-related properties of the master account while having them synchronized to the respective properties of the shadow account.
When you use Active Roles to change the personal or organization-related properties of the master account, Exchange Resource Forest Management causes Active Roles to apply the changes to those properties of the shadow account as well. This function ensures correct information about the master account in the Exchange address lists.
- Deprovision a master account while having Active Roles deprovision the master account’s mailbox in the Exchange forest.
When you deprovision a master account, Exchange Resource Forest Management causes Active Roles to apply the deprovisioning policies to both the master account and shadow account. As a result, Active Roles makes all the necessary changes to deprovision the mailbox. You can revert these changes by undeprovisioning the master account.
- Delegate Exchange mailbox management tasks by applying Access Templates to containers that hold master accounts.
For example, you can apply the “Exchange - Recipients Full Control” Access Template to a container in the accounts forest, which enables the delegated administrator to create, view or change linked mailboxes in the Exchange forest by managing master accounts held in that container.
- Enable a master account to update the membership list of a distribution group held in the Exchange forest.
When you make a shadow account the manager or a secondary owner of a distribution group and allow the manager or secondary owners to update the membership list, Exchange Resource Forest Management ensures that the corresponding master account has sufficient rights to add or remove members of that group using Exchange clients such as Microsoft Outlook or Outlook Web App.
Exchange Resource Forest Management also enables Active Roles to provide all these administrative capabilities for linked mailboxes created by Active Roles with an earlier version of Exchange Resource Forest Management or without Exchange Resource Forest Management, or created by tools other than Active Roles. Exchange Resource Forest Management schedules Active Roles to search the managed domains for linked mailboxes whose master account:
- Is in the scope of the Exchange Resource Forest Management policy for mailbox management
- Does not have a reference to the shadow account expected by Exchange Resource Forest Management
For each master account that meets these conditions, Active Roles updates the master account with a reference to the shadow account, thereby extending the capabilities of Exchange Resource Forest Management to that master account and its linked mailbox. As a result, the linked mailbox falls under the control of Exchange Resource Forest Management.
How to start
For instructions on how to install, configure and use Exchange Resource Forest Management, see the Solutions Guide document for Active Roles 7.5.2.