Chat now with support
Chat with Support

We are currently experiencing a OneLogin Outage within the US region, please consult https://www.onelogin.com/status for further details.

Active Roles 8.1.3 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Configuring a Managed Unit to hide specific Azure users

To set up a highly-granular Azure user access logic, first you must configure a Managed Unit (MU) that will contain the Azure users that cannot be read by the affected helpdesk users.

In this example, the membership of the MU is configured via a query, specifying that only Azure users reporting to a specific manager (in this example, Sam Smith) are included in the MU. For more information on the available membership rule options for MUs, see Creating a Managed Unit.

To configure a Managed Unit to hide specific Azure users

  1. In the Active Roles Console, on the Console tree, navigate to Configuration > Managed Units.

  2. To create a new container for the configured MU, right-click on the Managed Units node, then click New > Managed Unit Container.

    Figure 89: Active Roles Console – Launching the Managed Unit Container dialog

  3. In the Managed Unit Container dialog, specify a Name, and optionally, a Description for the new MU container.

    This example uses the following container settings:

    • Name: Denied-Azure-Resources

    • Description: Managed Units for the granular denial of Azure resources.

  4. To create the new container, click Next then Finish.

  5. To start configuring the new MU, right-click the newly-created Denied-Azure-Resources container, then click New > Managed Unit.

  6. In the New Object - Managed Unit dialog, specify a Name, and optionally, a Description for the new MU.

    This example uses the following MU settings:

    • Name: Denied-Azure-Users

    • Description: Managed Unit for the granular denial of Azure users.

    To continue, click Next.

  7. To specify a new membership rule for the MU, in the Membership rule step, click Add.

  8. In the Membership Rule Type dialog, select the rule type used to populate the MU. This example uses the Include by Query rule type. Select it, then click Next.

    Figure 90: New Managed Unit – Selecting the Include by Query membership rule type

  9. In the Create Membership Rule dialog, configure the query by which Active Roles will dynamically populate the MU with Azure users. This example uses the following settings:

    • In the Find drop-down list, select Azure User.

    • Under the Advanced tab, click Field, and select the edsaAzureManager attribute.

      TIP: If you cannot find the attribute in the list, select Show all possible properties.

    • In Condition, select Is (exactly).

    • In Value, specify the manager Azure user (in this example, Sam Smith) by clicking the (Browse) button and selecting it from the Azure Users container. Once selected, the distinguished name of the Azure user appears in the Value text box.

      Figure 91: New Managed Unit – Configuring the Include by Query membership rule type

  10. To verify that the configured rule works properly, click Preview Rule. If Active Roles asks if you want to add the current criteria to your search, click OK. Active Roles then adds and immediately tests the membership rule for the MU, and the users reporting to Sam Smith must appear in the list. If the results look correct, click OK.

  11. To finish creating the MU, click Next, then Next again in the Object Security / Policy Object step, and finally Finish.

  12. To verify that the MU is populated correctly, select the newly-created MU in the Console Tree. The Azure users reporting to Sam Smith must appear in the Active Roles Console.

Configuring an Access Template to hide Azure users

Once you set up the Managed Unit (MU) as described in Configuring a Managed Unit to hide specific Azure users, you must create an Access Template (AT) that denies the read access of the affected helpdesk users to the Azure users included in that MU.

To create the AT, perform the following steps. For more information on creating ATs in general, see Creating an Access Template.

To deny access to the Azure users of a Managed Unit with an Access Template

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to Configuration > Access Templates.

  2. Create a new container where you will store the AT. In this example, the container is created in the Azure sub-container of the Access Templates node. Right-click Access Templates > Azure, then click New > Access Template Container.

    Figure 92: Active Roles Console – Launching the Access Templates Container dialog

  3. In the Access Templates Container dialog, specify a Name, and optionally, a Description for the new AT container.

    • Name: Denied-Azure-Resources

    • Description: Access Templates for the granular access of Azure resources.

  4. To create the new container, click Next then Finish.

  5. To start configuring the new AT, right-click the Denied-Azure-Resources container, then click New > Access Template.

  6. In the New Object - Access Template dialog, specify a Name, and optionally, a Description for the new AT.

    • Name: DenyAzureUsers

    • Description: AT to deny access to the specified Azure users.

    To continue, click Next.

  7. In the Access Template permission entries step, click Add. Then, in the Add Permission Entries Wizard, select Only the following classes, and select EDS-Azure-User from the list. To continue, click Next.

    Figure 93: New Access Template – Selecting the Azure user object class to deny general access to them

    TIP: If you cannot find the class in the list, select Show all possible classes.

  8. In the Select permission category step, select Deny permission, then click Finish. The permission then appears in the Access Template permission entries step of the New Object - Access Template dialog.

    Figure 94: New Access Template – Verifying the deny permission

  9. To finish creating the AT, click Next, then Finish.

  10. Assign the newly-created AT to the helpdesk users whose access you want to restrict. To do so, check if the Advanced Details Pane option of the Active Roles Console is selected. If not, open View, and select Advanced Details Pane.

  11. To start the Delegation of Control Wizard, select the newly-created DenyAzureUsers AT, then right-click in the Advanced Details Pane, and click Add.

    Figure 95: Active Roles Console – Launching the Delegation of Control Wizard from the Advanced Details Pane

  12. In the Objects step of the wizard, click Add. Then, in the Select Objects dialog, Browse for the Denied-Azure-Resources Managed Unit Container that you created in Configuring a Managed Unit to hide specific Azure users, and select the Denied-Azure-Users MU as the object managed by the AT. To add the Denied-Azure-Users MU to the list of managed objects, click Add, then click OK.

    Figure 96: Delegation of Control Wizard – Selecting the Managed Unit as an administered object

    To continue, in the Objects step, click Next.

  13. In the Users or Groups step, click Add, then select the users to which you want to delegate the permission. In this example, the AT is delegated to the Helpdesk group of an example Organizational Unit (OU). To add the group, click Add, then click OK.

    Figure 97: Delegation of Control Wizard – Selecting the Helpdesk group as Trustee

    To continue, in the Users or Groups step, click Next.

  14. In the Inheritance Options step, make sure that the This directory object and Child objects of this directory object settings are selected. To continue, click Next.

  15. In the Permissions Propagation step, leave the Propagate permissions to Active Directory setting in its default state. To continue, click Next.

  16. To complete the wizard, click Finish.

Enabling or disabling the granular access to Azure users

Once you configured the Managed Unit (MU) of the Azure users, and set up the Access Template (AT) to deny access to those Azure users, the Helpdesk group to which the AT is assigned can no longer read the Azure users included in the MU. Instead, when opening the list of Azure Users on the Active Roles Web Interface, the Azure users included in the MU will be hidden from the Helpdesk group members.

This behavior is dynamic: adding new Azure users into the MU in the Active Roles Console will result in those Azure users disappearing in the Active Roles Web Interface for the affected helpdesk users once the changes of the Console are synchronized to the Web Interface. Likewise, removing an Azure user from the MU will result in that Azure user appearing for the affected helpdesk users in the Web Interface.

You can easily enable or disable the configured granular access later for the affected helpdesk users by enabling or disabling the AT.

To enable or disable the configured granular access to Azure users

  1. In the Active Roles Console, on the Console Tree, navigate to Configuration > Access Templates > Denied Azure Resources.

  2. Select the DenyAzureUsers AT.

  3. In the Advanced Details Pane, right-click the configured link, and click Disable.

    Figure 98: Active Roles Console – Disabling the configured Access Template

    TIP: If the Advanced Details Pane does not appear for you, click View > Advanced Details Pane.

    Once the AT is disabled, the Azure users included in the associated Denied-Azure-Users MU will appear in the Web Interface for the users to which the AT is assigned.

  4. (Optional) To re-enable the AT, right-click the configured link again, and click Enable.

Example: Configuring high granularity by showing only specific Azure users

This scenario describes how to use the Managed Units (MUs) and Access Templates (ATs) of the Active Roles Console together to configure Azure user administration permissions with high granularity. In this example, the MUs and ATs are used to grant a group of helpdesk users read access only to a specific group of Azure users. You can achieve this by:

  1. Configuring an MU containing all the Azure users that the helpdesk users should access. For more information on this procedure, see Configuring a Managed Unit for specific Azure users.

  2. Configuring an AT to grant access only to those Azure users for the helpdesk users. For more information on this procedure, see Configuring Access Templates to read specific Azure users.

Prerequisites

To configure this example scenario, your organization must meet the following requirements:

  • To create MUs and ATs in the Active Roles Console, you must use an Active Roles Administration Service account. For more information, see Configuring the Administration Service account in the Active Roles Quick Start Guide.

  • The organization must already have one or more Azure tenants configured and consented for use with Active Roles. For more information, see Configuring a new Azure tenant and consenting Active Roles as an Azure application.

  • The users receiving the configured permissions must be on-premises or hybrid Active Directory users. You cannot delegate the configured granular permission to cloud-only Azure users.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating