Chat now with support
Chat with Support

Active Roles 7.6.3 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only distribution groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Active Roles integration with other One Identity and Quest products Active Roles integration with Duo Active Roles integration with Okta Active Roles Diagnostic Tools Active Roles Add-on Manager

Approval activity

An Approval activity, also referred to as an approval rule, represents a decision point in a workflow that is used to obtain authorization from a person before continuing the workflow. Workflow start conditions determine which operations start the workflow and the approval rules added to the workflow determine who is designated to approve the operation, the required sequence of approvals, and who needs to be notified of approval tasks or decisions.

Active Roles creates an approval task as part of the processing of an approval rule, and assigns the task to the approvers. The approver is expected to complete the task by making a decision to allow or deny the operation. Until the task is completed, the operation remains in a pending state.

The following topics cover the configurable settings specific to an Approval activity.

Approvers and escalation

Approvers are the users or groups of users designated to perform approval tasks. When processing an approval rule, Active Roles creates an approval task and assigns it to the approvers defined by the rule. The state of the task governs the workflow transition: The task must receive the Approve resolution for the operation to pass the approval rule. If the task has received the Reject resolution, the operation is denied and the workflow instance is completed.

Approvers may be selected by browsing the available users and groups, or particular role holders may be designated as approvers. For example, an approval rule can be configured so as to require approval by the manager of the operation requestor or by the manager of the group or container that is affected by the operation.

An approval rule may define two or more approver levels, with each level containing a separate list of approvers. Active Roles uses approver levels when escalating time-limited approval tasks. For each approver level the approval rule can specify a certain time period. If an approver of a given level does not complete the approval task within the specified time period, then Active Roles can assign the task to the approvers of the next level. This process is referred to as escalation.

Each approver level has the following configuration options:

  • List of approvers.  Specifies the users or groups of users that are designated as approvers for the approver level in question.

    A valid approval rule must, at a minimum, specify a list of approvers for the initial approver level. Active Roles first assigns the approval task to the approvers of that level. To enable escalation, a separate list of approvers must be specified for one or more escalation levels.

  • Approval task has no time limit.  When this option is selected, the approval rule does not require that the approvers of the given level complete the approval task within a certain time period.
  • Approval task has a time limit of <number> days <number> hours.  When this option is selected, the approval rule requires that the approvers of the given level complete the approval task within the specified time period.

    If the approval task is not completed within the specified time period, then, depending upon the selected configuration option, the approval rule can either cancel the operation waiting for approval or escalate the approval task. The latter option requires a list of approvers to be specified for the subsequent escalation level.

  • Allow approver to delegate approval task.  When this option is selected, the approver of the given level is allowed to assign the approval task to other persons. On the pages for performing the approval task, the approver can use the Delegate button to select the persons to assign the task to.
  • Allow approver to escalate approval task.  When this option is selected, the approver of the given level is allowed to escalate the approval task. On the pages for performing the approval task, the approver can use the Escalate button to assign the task to the approvers of the subsequent escalation level. This option requires a list of approvers to be specified for the subsequent escalation level.

Request for information

You can configure the Approval activity so that the approver will be requested to supply certain properties of the object when performing the approval task. Suppose the creation of a user is submitted for approval. The approver may be requested to supply certain properties of the user in addition to the properties specified in the creation request. Thus, you may configure the Approval activity to prompt the approver to specify the mailbox database for the mailbox of the user to be created.

It is also possible to configure the Approval activity so that the approver will be requested to review the object properties submitted for approval. One more option is to allow the approver to make changes to those properties.

The pages for configuring an Approval activity in the Active Roles console include the following options related to request for information:

  • Show this instruction to the approver.  When performing the approval task, the approver will see this instruction on the page intended to review, supply, or change the properties that are subject to the approval task. You can supply an instruction on how to perform the task.
  • Request the approver to supply or change these properties.  When performing the approval task, the approver will be prompted to supply or change the properties specified in this option.
  • Show the original request to the approver.  This option adds a separate section on the pages for performing the approval task that lists the properties submitted for approval.
  • Allow the approver to modify the original request.  Unless this option is selected, the approver is only allowed to view the properties submitted for approval. You could select this check box to allow the approver to change those properties.

Customization

You can configure the Approval activity to specify how the approval tasks created by that activity are to be identified in the Approval section of the Web Interface. The Approval section contains a list of approval tasks, with each task identified by a header that provides basic information about the task, including the title of the task and information about the target object of the operation that is subject to approval. The title of the task is located in the middle of the task’s header. The properties that identify the operation target object are displayed above the title of the task.

The pages for configuring an Approval activity in the Active Roles console provide the following customization options related to the header of the approval task:

  • Display this title to identify the approval task.  When performing the approval task, the approver will see this instruction on the page intended to review, supply or change the properties that are subject to the approval task. You can supply an instruction on how to perform the task.
  • Display these properties of the object submitted for approval.  These properties will be displayed in the task's header area on the pages for performing the approval task. You can add properties to help the approver identify the target object of the operation submitted for approval.
  • Display the operation summary in the task header area.  This option extends the approval task’s header area to provide summary information about the changes that are subject to approval, including the type of the changes and the reason for the changes.

You can configure the Approval activity to specify the actions the approver can take on the approval task. On the pages for performing the approval task, in the Approval section of the Web Interface, the task header contains the action buttons that are intended to apply the appropriate resolution to the task, such as Approve or Reject. The action buttons are located at the bottom of the header area. Which buttons are displayed depends upon configuration of the Approval activity.

The pages for configuring an Approval activity in the Active Roles console provide the following customization options related to the action buttons:

  • Customize action buttons.  Action buttons appear on the pages for performing the approval task. Each button applies a certain action to the task. Normally, two built-in buttons, titled Approve and Reject by default, are displayed for each approval task. Other buttons may be displayed depending on the configuration of the approval activity. You can add buttons to create custom actions. Depending on the button’s action type, clicking a custom action button causes the workflow to allow (Complete action type) or deny (Reject action type) the operation that is subject to approval. If-Else activities can refer to a custom action button by the button’s title and elect the appropriate branch of the workflow when the approver clicks that custom action button.
  • Show this instruction for action buttons.  You can use this option to supply an instruction on how to use action buttons. The approver will see this instruction above the action buttons on the pages for performing the approval task.
  • Suppress the confirmation dialog upon completion of approval task.  If this option is not selected, Active Roles requests the approver to fill in a confirmation dialog box every time the approver performs an approval task. You can select this option to prevent the confirmation dialog box from appearing so that the approver can complete the task without having to supply a reason for the completion of the task.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating