
Active Roles 7.6.2 - Administration Guide


Steps to check for policy compliance

Checking for policy compliance reports directory data that is out of compliance with the policies defined in Active Roles, such as user or group naming conventions. If you define policies after data has already been entered, you can check that data and modify it accordingly, so that it meets the policy requirements.

To check an object for policy compliance

  1. Right-click the object, and click Check Policy.
  2. If the object is a container or Managed Unit, select the appropriate combination of these check boxes to specify the scope of the operation:
    • This directory object. The scope includes the container or Managed Unit you have selected (this option does not cause the scope to include any child objects or members of the container or Managed Unit).
    • Child objects of this directory object. The scope includes all the child objects (or members, as applied to a Managed Unit) in the entire hierarchy under the container or Managed Unit you have selected.
    • Immediate child objects only. The scope includes only the child objects (or members, as applied to a Managed Unit) of which the container or Managed Unit that you have selected is the direct ancestor.

    Click OK.

    The progress and results of the policy check operation are displayed in the Policy Check Results window. The left pane of the window lists the objects for which a policy violation has been detected.

  3. Click an object in the left pane of the Policy Check Results window.

    When you click an object in the left pane, the right pane describes the policy violation in detail. By default, the right pane in the Policy Check Results window only displays basic options. You can display more choices by clicking the Details column heading.

  4. Use hypertext links in the right pane to perform the following tasks:
    • Modify the property value violating the policy: Click the edit link next to the Property value label.
    • Remove the object from the policy scope: Click the block policy inheritance link next to the Policy Object label. If you do so, the policy no longer controls the object.
    • Modify the policy: Click the properties link next to the Policy Object label. This displays the Properties dialog box for the Policy Object. For instructions on how to add, modify, or remove policies in the Properties dialog box, see Adding, modifying, or removing policies earlier in this document.
    • View or modify the properties of the object that violates the policy: Click the Properties button in the upper-right corner of the right pane.
    • View or modify the properties of the object to which the Policy Object is applied (linked): Click the properties link next to the Applied to label.

NOTE: The Check Policy command on a Policy Object performs a check on all the objects found in the policy scope of the Policy Object. Use the Check Policy command on a Policy Object to find all objects that are not in compliance with the policies defined by that Policy Object.

Deprovisioning users or groups

The Active Roles user interfaces, both Active Roles console and Web Interface, provide the Deprovision command on user and group objects. This command originates a request to deprovision the selected objects. When processing the request, Active Roles performs all operations prescribed by the deprovisioning policies.

Default deprovisioning options

Active Roles ships with two built-in Policy Objects that specify the operations to perform when deprovisioning a user or group. You can find those Policy Objects in the Active Roles console by selecting the Configuration | Policies | Administration | Builtin container.

The Built-in Policy - User Default Deprovisioning Policy Object determines the default effect of the Deprovision command on user accounts; the Built-in Policy - Group Default Deprovisioning Policy Object determines the default effect of that command on groups. Both objects are applied to the Active Directory container, taking effect in all domains that are registered with Active Roles.

The following tables summarize the default deprovisioning policy options. If you do not add, remove, or change deprovisioning policies, Active Roles operates in accordance with these options when carrying out the Deprovision command on a user or group.

The following table summarizes the default deprovisioning policy options for users, defined by the Built-in Policy - User Default Deprovisioning Policy Object.

Table 28: Policy options for users: Built-in Policy - User Default Deprovisioning

Policy

Options

User Account Deprovisioning

  • Disable the user account.
  • Set the user’s password to a random value.
  • Change the user name to include the suffix “deprovisioned” followed by the date when the user was deprovisioned.
  • Fill in the user description to state that this user account is deprovisioned.
  • Clear certain properties of the user account, such as city, company, and postal address.

Group Membership Removal

  • Remove the user account from all security groups.
  • Remove the user account from all distribution groups.

Exchange Mailbox Deprovisioning

  • Hide the user mailbox from Exchange address lists, thus preventing access to the mailbox.

Home Folder Deprovisioning

  • Revoke access to the user home folder from the user account.
  • Give the user’s manager read access to the user home folder.
  • Designate Administrators as the home folder owner.

User Account Relocation

  • Do not move the user account from the organizational unit in which the account was located at the time of deprovisioning.

User Account Permanent Deletion

  • Do not delete the user account.

The following table summarizes the default deprovisioning policy options for groups, defined by the Built-in Policy - Group Default Deprovisioning Policy Object.

Table 29: Policy options for groups: Built-in Policy - Group Default Deprovisioning

Policy

Options

Group Object Deprovisioning

  • Change the group type from Security to Distribution.
  • Hide the group from the Global Address List (GAL).
  • Change the group name to include the suffix “deprovisioned” followed by the date when the group was deprovisioned.
  • Remove all members from the group.
  • Fill in the group description to state that this group is deprovisioned.

Group Object Relocation

  • Do not move the group from the organizational unit in which the group was located at the time of deprovisioning.

Group Object Permanent Deletion

  • Do not delete the group.
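The default user options in Table 28 describe the state that Active Roles leaves a deprovisioned account in, and the policy check described earlier in this chapter is the product's own way of finding objects that deviate from a policy. The following PowerShell audit is an added example and is not part of this guide or of Active Roles: it takes user objects (sample objects constructed inline, using the property names that Get-ADUser from the ActiveDirectory module returns), selects the accounts whose name carries the "deprovisioned" suffix, and reports any that still diverge from the default policy: the account is still enabled, group memberships were left in place, or the description or the cleared properties were not set. The suffix pattern, the list of cleared properties and all sample values are assumptions, not values taken from the product.

```powershell
# Added example: audit of accounts the default User Deprovisioning policy has processed.
# This script is not part of the Active Roles guide or product. Property names follow the
# ActiveDirectory module's Get-ADUser output (Name, Enabled, Description, MemberOf, City,
# Company, StreetAddress, PostalCode); the sample objects at the bottom are constructed.

function Test-DeprovisionedUserState {
    <#
    .SYNOPSIS
        Compares one user object with the state the default deprovisioning options describe
        and returns the list of deviations (an empty list means the account is compliant).
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $User,

        # Properties the default policy clears ("such as city, company, and postal address").
        # The exact list is an assumption; adjust it to the policy in your deployment.
        [string[]] $ClearedProperties = @('City', 'Company', 'StreetAddress', 'PostalCode')
    )
    process {
        $violations = [System.Collections.Generic.List[string]]::new()

        # Option: "Disable the user account."
        if ($User.Enabled) { $violations.Add('account is still enabled') }

        # Option: "Fill in the user description to state that this user account is deprovisioned."
        if ([string]::IsNullOrWhiteSpace($User.Description) -or
            $User.Description -notmatch 'deprovisioned') {
            $violations.Add('description does not state that the account is deprovisioned')
        }

        # Options: "Remove the user account from all security groups / distribution groups."
        # (the primary group is not listed in memberOf, so an empty list is the expected state)
        $groups = @($User.MemberOf | Where-Object { $_ })
        if ($groups.Count -gt 0) {
            $violations.Add("still a member of $($groups.Count) group(s): $($groups -join '; ')")
        }

        # Option: "Clear certain properties of the user account."
        foreach ($prop in $ClearedProperties) {
            $value = $User.$prop
            if (-not [string]::IsNullOrWhiteSpace("$value")) {
                $violations.Add("property '$prop' was not cleared (value: '$value')")
            }
        }

        [pscustomobject]@{
            Name       = $User.Name
            Compliant  = ($violations.Count -eq 0)
            Violations = $violations.ToArray()
        }
    }
}

function Get-DeprovisionedUserAudit {
    <#
    .SYNOPSIS
        Selects the accounts whose name carries the deprovisioning suffix and audits each one.
    #>
    param(
        [Parameter(Mandatory)] [psobject[]] $Users,
        # Assumption: the suffix the policy appends contains the word "deprovisioned";
        # the date format that follows it is not relied upon.
        [string] $SuffixPattern = 'deprovisioned'
    )
    $Users | Where-Object { $_.Name -match $SuffixPattern } | Test-DeprovisionedUserState
}

# Constructed sample data: one compliant account, one where deprovisioning was incomplete,
# and one active account that the suffix filter must leave alone.
$sampleUsers = @(
    [pscustomobject]@{
        Name = 'Jane Doe - deprovisioned 2023-10-05'; Enabled = $false
        Description = 'Deprovisioned on 2023-10-05'; MemberOf = @()
        City = $null; Company = $null; StreetAddress = $null; PostalCode = $null
    }
    [pscustomobject]@{
        Name = 'John Roe - deprovisioned 2023-10-05'; Enabled = $true
        Description = 'Sales engineer'; MemberOf = @('CN=VPN Users,OU=Groups,DC=example,DC=com')
        City = 'Oslo'; Company = 'Example AS'; StreetAddress = $null; PostalCode = $null
    }
    [pscustomobject]@{
        Name = 'Active User'; Enabled = $true
        Description = 'Employed'; MemberOf = @('CN=Staff,OU=Groups,DC=example,DC=com')
        City = 'Oslo'; Company = 'Example AS'; StreetAddress = 'Main St 1'; PostalCode = '0150'
    }
)

Get-DeprovisionedUserAudit -Users $sampleUsers |
    Format-Table Name, Compliant, @{ Name = 'Violations'; Expression = { $_.Violations -join '; ' } } -AutoSize

# Against a live domain, feed Get-ADUser output (ActiveDirectory module) instead of the sample:
# Get-ADUser -Filter 'Name -like "*deprovisioned*"' `
#     -Properties Description, MemberOf, City, Company, StreetAddress, PostalCode |
#     Test-DeprovisionedUserState
```

With the sample data, Jane Doe's account is reported as compliant, John Roe's account is reported with three violations (still enabled, one remaining group membership, description and cleared properties not set), and the active account is not audited because its name carries no suffix. The same structure applies to the group options in Table 29 (group type changed to Distribution, hidden from the GAL, no members, description filled in) if the checks are swapped for the group attributes.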

Delegating the Deprovision task

Deprovisioning is, by default, a right of Active Roles Admin, the administrative account specified during Active Roles installation, but the task of deprovisioning can be delegated to any group or user. A dedicated Access Template is provided for this purpose so that you can delegate the use of the Deprovision command without delegating the create or delete operation.

To delegate the task of deprovisioning users or groups in a certain container, such as an organizational unit or a Managed Unit, you should apply the Access Template as follows.

To delegate the Deprovision task

  1. In the Active Roles console, right-click the container and click Delegate Control to display the Active Roles Security window.
  2. In the Active Roles Security window, click Add to start the Delegation of Control wizard. Click Next.
  3. On the Users or Groups page, click Add, and then select the users or groups to which you want to delegate the deprovision task. Click Next.
  4. On the Access Templates page, expand the Active Directory folder and then do the following:
    • To delegate the task of deprovisioning users, select the check box next to Users - Perform Deprovision Tasks.
    • To delegate the task of deprovisioning groups, select the check box next to Groups - Perform Deprovision Tasks.
  5. Click Next and follow the instructions in the wizard, accepting the default settings.

After you complete these steps, the users and groups you selected in Step 3 are authorized to deprovision users or groups in the container you selected in Step 1, as well as in any sub-container of that container.
