
Active Roles 7.6 - Administration Guide


Group Family

Understanding Group Family

Active Roles provides for a separate category of rule-based policies specific to group auto-provisioning. Each policy of that category, referred to as Group Family, acts as a control mechanism for creating and populating groups.

Group Family automatically creates groups and maintains group membership lists in compliance with configurable rules, allowing group membership to be defined as a function of object properties in the directory. Group Family also allows for creation of new groups based on new values encountered in object properties.

For instance, in order to manage groups by geographical location, a Group Family can be configured to create and maintain groups for every value found in the “City” property of user accounts. Group Family discovers all values of that property in the directory and generates a group for each, populating the group with the users that have the same value of the “City” property. If a new value is assigned to the “City” property for some users, Group Family automatically creates a new group for those users. If a user has the value of the “City” property changed, Group Family modifies the group membership for that user accordingly.

The configuration of a Group Family does not have to be limited to a single property of objects. Rather, it can combine as many properties as needed. For example, a Group Family can be set up to look at both the “Department” and “City” properties. As a result, Group Family creates and maintains a separate group for each department in each geographical location.

Design overview

The key design elements of Group Family are as follows:

  • Scoping by object location  This determines the directory containers that hold the objects to be managed by Group Family. The scope of Group Family can be limited to certain containers, thereby causing it to affect only the objects in those containers.
  • Scoping by object type and property  This determines the type of objects, such as User or Computer, to be managed by Group Family. Thus, the scope of Group Family can be limited to a set of objects of a certain type. The scope can be further refined by applying a filter in order for Group Family to manage only those objects that meet certain property-related conditions.
  • Grouping by object property  Group Family breaks up the set of managed objects (scope) into groupings, each of which is comprised of the objects with the same combination of values of the specified properties (referred to as group-by properties). For example, with Department specified as a group-by property for user objects, each grouping only includes the users from a certain department.
  • Creating or capturing groups  For each grouping, Group Family normally creates a new group to associate (link) with the grouping, and ensures the members of the grouping are the only members of that group. When creating groups to accommodate groupings, Group Family uses group naming rules that are based on the values of the group-by properties. Another option is to manually link existing groups with groupings; this operation is referred to as capturing groups.
  • Maintaining group membership lists based on groupings  During each subsequent run of Group Family, the groupings are re-calculated, and their associated groups are updated to reflect the changes in the groupings. This process ensures that the group associated with a given grouping holds exactly the same objects as the grouping. If a new grouping is found, Group Family creates a group, links the group to the new grouping, and populates the group membership list with the objects held in that grouping.
  • Adjusting properties of generated groups  When Group Family creates a new group to accommodate a given grouping, the name and other properties of the new group are adjusted in compliance with the rules defined in the Group Family configuration. These rules are also used to determine the container where to create new groups, the group type and scope settings, and Exchange-related settings such as whether to mail-enable the generated groups.
  • Running on a scheduled basis  Group Family is a state-based policy by nature. During each run, it analyses the state of directory data, and performs certain provisioning actions based on the results of that analysis. Group Family can be scheduled to run at regular intervals, ensuring that all the groups are in place and the group membership lists are current and correct. In addition, Group Family can be run manually at any time.
  • Action summary log  Active Roles provides a log containing summary information about the last run of Group Family. The log includes descriptions of the error situations, if any occurred during the run, and summarizes the quantitative results of the run, such as the number of updated groups, the number of created groups, and the number of objects whose group memberships changed.

How it works

The Group Family configuration specifies rules to determine:

  • Scope  The set of directory objects managed by Group Family is referred to as scope. The scope can be limited to objects of a certain category (such as User objects) located in certain organizational units. Filtering can be applied to further refine the scope.
  • Groupings  Group Family divides the scope into sub-sets referred to as groupings. Each grouping consists of objects with the same values of certain properties, referred to as group-by properties. Each grouping is identified by a certain combination of values of the group-by properties, with a list of all the combinations being stored and maintained as part of the Group Family configuration.
  • Group names  Unless otherwise specified, Group Family creates a new group for each new grouping found, with the group name being generated in accordance with the group naming rules. It is also possible to manually assign existing groups to some groupings, causing Group Family to capture those groups.
  • Links  For each grouping, Group Family creates or captures a group, links the group to the grouping, and populates the group with the objects found in the grouping. During each subsequent run, Group Family uses the link information to discover the group linked to the grouping, and updates the membership list of that group to reflect the changes in the grouping. The groups known to Group Family via the link information are referred to as controlled groups.

So, during the first run, Group Family performs as follows:

  1. The scope is calculated and analyzed to build a list of all the existing combinations of values of the group-by properties. The list is then added to the Group Family configuration.
  2. For each combination of values, a grouping is calculated consisting of all objects in the scope that have the group-by properties set to the values derived from that combination.
  3. For each grouping, a group is created or captured, and linked to the grouping. The Group Family configuration is updated with information about those links. Whether to create or capture a group is determined by the Group Family configuration.
  4. For each group linked to a certain grouping (controlled group), the membership list is updated to only include the objects found in that grouping. All the existing members are removed from the group and then all the objects found in the grouping are added to the group.

During a subsequent run, Group Family performs as follows:

  1. The scope is calculated and analyzed to build up a list of all the existing combinations of values of the group-by properties. The Group Family configuration is then updated with that list.
  2. For each combination of values, a grouping is calculated consisting of all objects in the scope that have the group-by properties set to the values derived from that combination.
  3. For each grouping, a link information-based search is performed to discover the group linked to that grouping. If the group is found, its membership list is updated so that the group only includes the objects found in the grouping. Otherwise, a group is created or captured, linked to the grouping, and populated with the objects found in the grouping.

When creating a group to accommodate a given grouping, Group Family uses the group naming rules to generate a name for that group. The rules define a name based on the combination of values of the group-by properties that identifies the grouping. The group naming rules are stored as part of the Group Family configuration.

When capturing an existing group to accommodate a given grouping, Group Family uses a group-to-grouping link created manually and stored as part of the Group Family configuration. The link specifies the combination of values of the group-by properties to identify the grouping, and determines the group to be linked to that grouping.
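The following Python is an added illustration of the first and subsequent runs described above; it is not Active Roles code and does not describe the product's internal implementation. The scope, the group-by properties (Department and City), the naming rule and the manually captured link are all constructed sample data, and the simulation also covers the case where a stored combination no longer matches any object, so the linked group is emptied rather than left stale.

```python
from collections import defaultdict

GROUP_BY = ("Department", "City")   # group-by properties (constructed config)

def naming_rule(combo):
    """Hypothetical group naming rule built from the group-by values."""
    return "GF-{}-{}".format(*combo)

class GroupFamily:
    """Simulates one Group Family: stored value combinations, links, controlled groups."""
    def __init__(self, captured_links=None, existing_groups=None):
        self.combinations = set()                # kept in the configuration
        self.links = dict(captured_links or {})  # combo -> group; manual = captured
        self.groups = {g: set(m) for g, m in (existing_groups or {}).items()}

    def run(self, scope):
        # Step 1: analyse the scope and add every combination of group-by
        # values to the configuration; earlier combinations are retained.
        found = defaultdict(set)
        for obj in scope:
            found[tuple(obj[p] for p in GROUP_BY)].add(obj["name"])
        self.combinations |= set(found)
        summary = {"created": 0, "updated": 0, "changed_objects": 0}
        for combo in sorted(self.combinations):
            grouping = found.get(combo, set())   # Step 2: may be empty by now
            new_group = combo not in self.links  # Step 3: link-based search
            if new_group:                        # no link: create by naming rule
                self.links[combo] = naming_rule(combo)
                summary["created"] += 1
            group = self.links[combo]
            # Step 4: the controlled group holds exactly the grouping's objects.
            before = self.groups.get(group, set())
            changed = before ^ grouping          # objects added or removed
            summary["changed_objects"] += len(changed)
            if changed and not new_group:
                summary["updated"] += 1
            self.groups[group] = set(grouping)
        return summary

def demo():
    """Constructed scope: first run, then a run after one user changes City."""
    users = [{"name": "alice", "Department": "Sales", "City": "Paris"},
             {"name": "bob", "Department": "Sales", "City": "Paris"},
             {"name": "carol", "Department": "IT", "City": "Paris"},
             {"name": "dave", "Department": "IT", "City": "Berlin"}]
    # One grouping is served by a manually captured existing group.
    gf = GroupFamily(captured_links={("IT", "Berlin"): "Berlin-IT-Admins"},
                     existing_groups={"Berlin-IT-Admins": {"eve"}})
    first = gf.run(users)
    users[3]["City"] = "Paris"                   # dave relocates
    second = gf.run(users)
    return gf, first, second
```

The returned summaries play the role of the action summary log: the first run creates two groups, captures one, and changes five memberships; the second run creates nothing and only moves dave between the two IT groups.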
