Chat now with support
Chat with Support

Active Roles 7.6.2 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only distribution groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Active Roles integration with other One Identity and Quest products Appendix F: Active Roles integration with Duo Appendix G: Active Roles integration with Okta

Entitlement profile configuration

In Active Roles, entitlement profile specifiers provide the ability to store the definition of entitlement to a particular resource in a single object. entitlement profile specifiers determine the contents of the entitlement profile.

When building the entitlement profile of a given user, Active Roles uses the entitlement profile specifiers to determine what resources the user is entitled to, and what information about each resource is to be shown in the entitlement profile.

Active Roles comes with a collection of pre-defined specifiers, and allows administrators to create additional specifiers or change existing specifiers. You can use the following instructions to create or change entitlement profile specifiers:

For a list of pre-defined specifiers, see Pre-defined specifiers.

Creating entitlement profile specifiers

Active Roles stores entitlement profile specifiers in the Entitlement Profile Specifiers container. You can access that container by expanding the Configuration/Server Configuration branch in the Active Roles console tree.

To create an entitlement profile specifier

  1. In the console tree, under Configuration/Server Configuration/Entitlement Profile Specifiers, right-click the container in which you want to create a new specifier, and select New | Entitlement Profile Specifier.

    For example, if you want to create a new specifier in the root container, right-click Entitlement Profile Specifiers.

  1. In the New Object - Entitlement Profile Specifier wizard, type a name and, optionally, a description for the new specifier.

    The name and description are used to identify the specifier object in the Active Roles console.

  1. Click Next.
  2. Choose the desired type of entitlement:
    • Select the User attributes option if the fact that a given user is entitled to the resource stems from certain attribute settings of the user’s account in Active Directory. For example, this is the type of entitlement to an Exchange mailbox or to a home folder.
    • Select the Group membership option if the fact that a given user is entitled to the resource stems from membership of the user in a certain security group.
    • Select the Manager or owner role assignment option if entitlement of a given user to the resource means that the user is designated as the manager (primary owner) or a secondary owner of a certain object.
  3. Click Next.
  4. Set up the Entitlement rules list.

    In this step, you define the criteria that are used to determine whether a given user is entitled to the resource. The entitlement rules take the form of conditions that the entitlement target object must meet in order for the user to be regarded as entitled to the resource, and thus for information about the resource to appear in the entitlement profile of that user.

    Active Roles evaluates the entitlement rules against the entitlement target object when building a user’s entitlement profile. Depending on the entitlement type, the entitlement target object is:

  • In case of the User attributes entitlement type, the user account of the user whose entitlement profile is being built. (This entitlement type is referred to as personal resource entitlement.)
  • In case of the Group membership entitlement type, any single group to which the user belongs, whether directly or because of group nesting. (This entitlement type is referred to as shared resource entitlement.)
  1. You can define entitlement rules based on object properties, such as whether the object has certain attributes set or whether the object is a security group. The conditions take the form of LDAP filter based search criteria. With the “Include” rule type, the user is regarded as entitled to the resource if the entitlement target object meets the search criteria. With the “Exclude” rule type, the user is regarded as not entitled to the resource if the entitlement target object meets the search criteria.
  2. In addition to filter-based rules, you can configure rules on a per-object basis, so as to include or exclude individual objects from entitlement assignment explicitly. If Active Roles encounters a rule to include the entitlement target object, it considers the user as entitled to the resource. If Active Roles encounters a rule to exclude the entitlement target object, then it considers the user as not entitled to the resource.
  3. Active Roles evaluates the entitlement rules in the following order:
    1. Explicit exclusion
    2. Explicit inclusion
    3. Filter-based exclusion
    4. Filter-based inclusion

    Once the entitlement target object matches a rule of a particular type, the rule types that stand lower in this list are not applied. This means that exclusion rules take precedence over inclusion rules and explicit selection of objects takes precedence over filter-based rules.

    Initially, no entitlement rules are configured, which is treated as an inclusion-type condition that evaluates to TRUE for any object. As a result, entitlement to the resource is established regardless of the properties of the entitlement target object. You can add entitlement rules in order to categorize entitlements based on properties of entitlement target objects.

    To add an entitlement rule, click Include or Exclude depending on the rule type you want, and then use the Configure Entitlement Rule dialog box to specify your search criteria. You can specify search criteria the same way you do when using the Find dialog box. Then, do one of the following:

  • To add a rule based on the search criteria you specified, click Add Rule.
  • To select specific objects, click Find Now, select check boxes in the list of search results, and then click Add Selection.
  1. Click Next.
  2. View or change the icon that is used to distinguish the type of the resource in the entitlement profile:
    • View the icon in the area next to the Change button.
    • To choose a different icon, click Change and then select the desired image file.
    • To revert to the default icon, click Use Default Icon.
  3. Type the name of the resource type to be displayed in the entitlement profile.
  4. Click Select to choose the attribute of the entitlement target object whose value will be used to name the resource in the entitlement profile.

    The resource type icon, display name, and naming attribute are used to identify the resource in the entitlement profile. If the evaluation of the entitlement rules for a given user indicates that the user is entitled to the resource, then information about the resource appears as a separate section in the entitlement profile of that user. The heading of the section includes the resource type icon, the display name of the resource type, and the value of the naming attribute retrieved from the entitlement target object.

  1. Click Next.
  2. Set up the list of the resource-related attributes that will be displayed in the entitlement profile:
    • Use the Add or Remove button to add or remove attributes from the list.
    • Click Add Separator to divide the attribute list into sections in the entitlement profile.
    • Use the Up and Down buttons to arrange the attribute list order.

    The attributes held in the list will be displayed in the entitlement profile, beneath the heading of the section that provides information about the resource. For each of the listed attributes, the section displays the name and the value of the attribute retrieved from the entitlement target object.

  1. Click Next, and then click Finish.

Changing entitlement profile specifiers

You can change an existing entitlement profile specifier by changing the specifier’s name and description, entitlement type and rules, resource display settings, and resource attributes list. The entitlement profile specifier objects are located under Configuration/Server Configuration/Entitlement Profile Specifiers in the Active Roles console.

The following table summarizes the changes you can make to an existing entitlement profile specifier object, assuming that you have found the object in the Active Roles console. You can also disable or delete a specifier using the Disable or Delete command on the Action menu. Active Roles disregards the disabled specifiers when building the entitlement profile. A disabled specifier can be re-enabled by using the Enable command that appears on the Action menu for disabled specifiers.

Table 93: Entitlement profile specifier object changes

To change

Do this

Commentary

Name

Right-click the object and click Rename.

The name is used to identify the object, and must be unique among the objects held in the same container.

Description

Right-click the object, click Properties and make the necessary changes on the General tab.

The description is intended to help Active Roles administrators identify the purpose and the function of the object.

Entitlement type

Right-click the object, click Properties, click the Type tab, and then select the appropriate option.

The entitlement type specifies how the user is entitled to the resource. You can choose whether the user is entitled to the resource by means of:

  • User attributes  Entitlement to a personal resource such as a mailbox or home folder, controlled by certain attributes of the user account.
  • Group membership  Entitlement to a shared resource such as a Web application or a network file share via membership in a security group.
  • Manager or owner role assignment Entitlement to act as the manager (primary owner) or a secondary owner of a directory object such as a group, distribution list, or computer.

Entitlement rules

Right-click the object, click Properties, click the Rules tab, and then add, remove, or modify entitlement rules by using the buttons below the rules list.

The entitlement rules are used to determine whether a given user is entitled to the resource. The entitlement rules take the form of conditions that the entitlement target object must meet in order for the user to be regarded as entitled to the resource, and thus for information about the resource to appear in the entitlement profile of that user.

To add or change an entitlement rule, click Include or Exclude depending on the rule type you want, or click View/Edit, and then use the Configure Entitlement Rule dialog box to specify rule conditions. You can do this the same way you use the Find dialog box to configure and run a search. Note that you can change only filter-based rules. If you select an explicit inclusion or exclusion rule the View/Edit button is unavailable. You can use the Remove button to remove a rule of any type.

For more information, see Step 6 in Creating entitlement profile specifiers.

Resource display settings

Right-click the object, click Properties, click the Display tab, and then view or change the icon and display name of the resource type, and the resource naming attribute.

The resource type icon, display name, and naming attribute are used to identify the resource in the entitlement profile. If the evaluation of the entitlement rules for a given user indicates that the user is entitled to the resource, then information about the resource appears as a separate section in the entitlement profile of that user. The heading of the section includes the resource type icon, the display name of the resource type, and the value of the naming attribute retrieved from the entitlement target object.

Resource attributes list

Right-click the object, click Properties, click the Attributes tab, and then add, remove, or change the order of attributes by using the buttons below the attributes list.

The tab lists the attributes of the entitlement target object that will be displayed in the entitlement profile, beneath the heading of the section that provides information about the resource. For each of the listed attributes, the section displays the name and the value of the attribute retrieved from the entitlement target object.

Pre-defined specifiers

Active Roles comes with a collection of pre-defined specifiers that determine the default resource profile configuration. The pre-defined specifiers are located in the Configuration/Server Configuration/Entitlement Profile Specifiers/Builtin container, and can be administered using the Active Roles console. You can make changes to a pre-defined specifier (see Changing entitlement profile specifiers) or you can apply the Disable command for the specifier to have no effect. Note that pre-defined specifiers cannot be deleted.

The pre-defined specifiers have a lower priority than customer-created specifiers. This means the entitlement rules of customer-created specifiers are evaluated first, so that if a given entitlement target object matches the entitlement rules of both a pre-defined specifier and a customer-created specifier, the latter specifier is applied. The priority of specifiers is governed by the edsaPriority attribute setting (see About entitlement profile build process).

The following table provides information about the pre-defined specifiers. For each specifier, the table lists the specifier’s name, description, entitlement type and rules, and resource display settings.

Table 94: Pre-defined specifiers

Name and Description

Type and Rules

Resource Display Settings

Name:
Self - Exchange Mailbox

Description:
Specifies user entitlement to Exchange mailbox.

Type:
Personal resource entitlement

Rules:
Entitlement target object is an Exchange mailbox enabled user account.

Resource type name:
Exchange Mailbox

Resource naming attribute:
mail

Other resource-related attributes:

  • mail
  • homeMDB
  • displayName

Name:
Self - Home Folder

Description:
Specifies user entitlement to home folder.

Type:
Personal resource entitlement

Rules:
Entitlement target object has the homeDirectory attribute set.

Resource type name:
Home Folder

Resource naming attribute:
homeDirectory

Other resource-related attributes:

  • homeDirectory
  • homeDrive

Name:
Self - Unix Account

Description:
Specifies user entitlement to Unix-enabled account.

Type:
Personal resource entitlement

Rules:
Entitlement target object has the uidNumber attribute set AND has a loginShell attribute value other than /bin/false.

Resource type name:
Unix-enabled Account

Resource naming attribute:
userPrincipalName

Other resource-related attributes:

  • userPrincipalName
  • uidNumber
  • gidNumber
  • unixHomeDirectory
  • loginShell

Name:
Self - OCS Account

Description:
Specifies user entitlement to Office Communications Server enabled account.

Type:
Personal resource entitlement

Rules:
Entitlement target object has the msRTCSIP-UserEnabled attribute set to TRUE.

Resource type name:
Enabled for Office Communications Server

Resource naming attribute:
msRTCSIP-PrimaryUserAddress

Other resource-related attributes:

  • msRTCSIP-PrimaryUserAddress
  • edsva-OCS-Pool

Name:
Membership - Member of Security Group

Description:
Specifies entitlement to a resource via membership in a security group.

Type:
Shared resource entitlement

Rules:
Entitlement target object is a security group.

This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the shared resource entitlement type are evaluated prior to the rules of this specifier.

Resource type name:
Member of Security Group

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • displayName
  • description
  • info
  • edsvaResourceURL
  • managedBy
  • edsvaPublished
  • edsvaApprovalByPrimaryOwnerRequired
  • edsvaParentCanonicalName

Name:
Membership - Access to SharePoint Site

Description:
Specifies entitlement to a SharePoint site via membership in a certain security group.

Type:
Shared resource entitlement

Rules:
Entitlement target object is a security group that has the edsva-SP-MirrorType attribute set.

Resource type name:
Access to SharePoint Site

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • edsva-SP-SiteName
  • edsva-SP-SiteURL
  • managedBy
  • edsvaPublished
  • edsvaApprovalByPrimaryOwnerRequired
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Security Group

Description:
Specifies entitlement to the manager or owner role for a security group.

Type:
Managed resource entitlement

Rules:
Entitlement target object is a security group.

Resource type name:
Owner of Security Group

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • displayName
  • description
  • info
  • edsvaResourceURL
  • managedBy
  • edsvaPublished
  • edsvaApprovalByPrimaryOwnerRequired
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Distribution List

Description:
Specifies entitlement to the manager or owner role for a distribution group.

Type:
Managed resource entitlement

Rules:
Entitlement target object is an Exchange mail enabled (distribution) group.

Resource type name:
Owner of Distribution List

Resource naming attribute:
displayName

Other resource-related attributes:

  • displayName
  • mail
  • description
  • info
  • managedBy
  • edsvaPublished
  • edsvaApprovalByPrimaryOwnerRequired
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Resource Exchange Mailbox

Description:
Specifies entitlement to the owner role for a room, equipment, or shared mailbox.

Type:
Managed resource entitlement

Rules:
Entitlement target object is a user account associated with a room, equipment or shared mailbox.

Resource type name:
Owner of Resource Exchange Mailbox

Resource naming attribute:
displayName

Other resource-related attributes:

  • displayName
  • edsva-MsExch-MailboxTypeDescription
  • mail
  • description
  • homeMDB
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Exchange Contact

Description:
Specifies entitlement to the owner role for an Exchange mail contact.

Type:
Managed resource entitlement

Rules:
Entitlement target object is an Exchange mail contact.

Resource type name:
Owner of Exchange Contact

Resource naming attribute:
displayName

Other resource-related attributes:

  • displayName
  • givenName
  • sn
  • mail
  • telephoneNumber
  • company
  • edsvaParentCanonicalName

Name:
Managed By - Owner of Computer

Description:
Specifies entitlement to the manager or owner role for a computer.

Type:
Managed resource entitlement

Rules:
Entitlement target object is a computer account.

Resource type name:
Owner of Computer

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • dNSHostName
  • description
  • operatingSystem
  • edsvaParentCanonicalName

Name:
Managed By - Default

Description:
Default specifier for entitlement to the manager or owner role.

Type:
Managed resource entitlement

Rules:
No rules specified, which means that any object is regarded as matching the entitlement rules of this specifier.

This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the managed resource entitlement type are evaluated prior to the rules of this specifier.

Resource type name:
Owner of <target object class display name>

Resource naming attribute:
name

Other resource-related attributes:

  • name
  • description
  • edsvaParentCanonicalName
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating