Chat now with support
Chat with Support

Active Roles 7.5 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo MFA Appendix H: Active Roles integration with Okta MFA

Delegating the task of running automation workflow

You can authorize users or groups to run all automation workflows held in a certain container by applying the Automation Workflow - View and Run Access Template to that container. This allows the users or groups to run the automation workflow without giving them the right to make any changes to the workflow.

To delegate the task of running all automation workflows held in a certain container

  1. In the console tree, right-click the desired container under Configuration | Policies | Workflow, and then click Delegate Control.
  2. In the Active Roles Security dialog box, click Add to start the Delegation of Control Wizard.
  3. On the Users or Groups page in the wizard, click Add, and then use the Select Objects dialog box to select the desired users or groups.
  4. On the Access Templates page in the wizard, under Access Templates | Configuration, select the Automation Workflow - View and Run check box.
  5. Follow the instructions in the wizard and accept the default settings.
  6. Click OK in the Active Roles Security dialog box.

It is also possible to authorize users or groups to run a single automation workflow by applying the Access Template to the workflow definition object.

To delegate the task of running a single automation workflow

  1. On the View menu, select Advanced Details Pane.
  2. In the console tree, under Configuration | Policies | Workflow, select the container that holds the desired workflow definition object.
  3. In the upper part of the details pane, select the workflow definition object.
  4. In the lower part of the details pane, on the Active Roles Security tab, right-click a blank area and click Add to start the Delegation of Control Wizard.
  5. On the Users or Groups page in the wizard, click Add, and then use the Select Objects dialog box to select the desired users or groups.
  6. On the Access Templates page in the wizard, under Access Templates | Configuration, select the Automation Workflow - View and Run check box.
  7. Follow the instructions in the wizard and accept the default settings.

Delegating the task of viewing run history of automation workflow

You can authorize users or groups to view run history of all automation workflows held in a certain container by applying the Automation Workflow - View Access Template to that container. This enables the users or groups to view run history of the automation workflow without giving them the right to modify or run the workflow.

To delegate the task of viewing run history of all automation workflows held in a certain container

  1. In the console tree, right-click the desired container under Configuration | Policies | Workflow, and then click Delegate Control.
  2. In the Active Roles Security dialog box, click Add to start the Delegation of Control Wizard.
  3. On the Users or Groups page in the wizard, click Add, and then use the Select Objects dialog box to select the desired users or groups.
  4. On the Access Templates page in the wizard, under Access Templates | Configuration, select the Automation Workflow - View check box.
  5. Follow the instructions in the wizard and accept the default settings.
  6. Click OK in the Active Roles Security dialog box.

It is also possible to authorize users or groups to view run history of a single automation workflow by applying the Access Template to the workflow definition object.

To delegate the task of viewing run history of a single automation workflow

  1. On the View menu, select Advanced Details Pane.
  2. In the console tree, under Configuration | Policies | Workflow, select the container that holds the desired workflow definition object.
  3. In the upper part of the details pane, select the workflow definition object.
  4. In the lower part of the details pane, on the Active Roles Security tab, right-click a blank area and click Add to start the Delegation of Control Wizard.
  5. On the Users or Groups page in the wizard, click Add, and then use the Select Objects dialog box to select the desired users or groups.
  6. On the Access Templates page in the wizard, under Access Templates | Configuration, select the Automation Workflow - View check box.
  7. Follow the instructions in the wizard and accept the default settings.

 

Sample Azure Hybrid Migration

To create a Remote Mailbox for an existing user, you can use the Office 365 workflow and modify the sample script Sample Azure Hybrid Migration.ps1 available in Configuration\Script Modules\Builtin\ Sample Azure Hybrid Migration location. The workflow for remote mailbox is available in Configuration\Policies\Workflow\Builtin\ Sample Azure Hybrid Migration location.

o determine the sequence of actions to create a remote mailbox, the state of the user's mailbox (migrated, non-migrated, mail-enabled user's, and so on) must be considered. Depending upon the environment in which the remote mailbox is intended to work, select either of these two options:

  • EnableRemoteMailBox function to enable remote mailboxes for the users in the workflow scope. Select EnterExchangeCreds_params as the function to declare parameters in the script and provide the Exchange username and password for running EnableRemoteMailBox function in workflow.

  • DisableRemoteMailBox function to disable remote mailboxes for the users in the workflow scope. Select EnterExchangeCreds_params as the function to declare parameters in the script and provide the Exchange username , password and Exchange Recipient Type Details for running DisableRemoteMailBox function in workflow.

For more information on declaring script parameters, see Script activity. In the script, specify the exchange server FQDN and modify the required code blocks.

After the script is modified, enable or copy the default Sample Azure Hybrid Migration workflow and run.

By default, a remote mailbox is created for users with valid exchange online license and no exchange mailbox on-premise presence. For more information on creating a Remote Mailbox for new users, see Create a new Hybrid user using web interface.

NOTE:

  • The Exchange management tools of the on-premise Exchange 2013 or later must be present to enable remote mailbox.
  • The ‘Remote mailbox migration (RemoteMailbox.ps1)’ script has been provided as a sample script only, to illustrate the steps required, and should not be used as-is in a production situation without modification and enhancement. The use of security credentials within a script in clear text should never be considered appropriate or secure. In testing this script, care and consideration should be given to the authentication and use of credentials, and clear text credentials should not be left in the script once testing is complete.

  • ARS service account must be a part of the Recipient Management group to run exchange hybrid commands.

For more details refer the KB article: https://support.oneidentity.com/kb/310525 .

 

Managing Remote Mailbox

After creating the Remote Mailbox, you can manage it through the console and the Web Interface. The supported operations are mentioned below:

  • Exchange General

    • View or change the alias

    • View or change the option to use MAPI rich text format

    • Hide the user or contact from Exchange address lists

    • View or change custom attributes

  • Exchange Advanced

    • View or change the simple display name

    • Downgrade high priority mail bound for X.400.

    • View or change the Internet Locator Service (ILS) settings

  • Email Address

    • View, add, edit or remove e-mail addresses

    • View or change the default reply address for each address type

    • View or change the external e-mail address

    • Set the option to update e-mail addresses based on e-mail address policy

  • Mail flow Settings

    • View or change message size restrictions and message delivery restrictions

For more information on Exchange Online Properties, see View or modify the Exchange Online properties on the Active Roles Administration Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating