Chat now with support
Chat with Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Policy type usage

This is the process of configuring policies. It occurs when an administrator creates a new Policy Object or adds policies to an existing Policy Object. For example, the wizard for creating a Policy Object includes a page that prompts to select a policy. The page lists the policy types defined in Active Roles, including the custom policy types. If a custom policy type is selected, the wizard provides a page for configuring the policy parameters specific to that policy type. Once the wizard is completed, the Policy Object contains a fully functional policy of the selected custom type.

Active Roles provides a graphical user interface, complete with a programming interface, for creating and managing custom policy types. Using those interfaces, Active Roles policies can be extended to meet the needs of a particular environment. Active Roles also has a deployment mechanism by which administrators put new types of policy into operation.

Since policy extension involves two interactions, Active Roles provides solutions in both areas. The Administration Service maintains policy type definitions, exposing policy types to its clients such as the Active Roles Console or ADSI Provider. The Console can be used to:

  • Create a new custom policy type, either from scratch or by importing a policy type that was exported from another environment.

  • Make changes to the definition of an existing custom policy type.

  • Add a policy of a particular custom type to a Policy Object, making the necessary changes to the policy parameters provided for by the policy type definition.

Normally, an Active Roles expert develops a custom policy type in a separate environment, and then exports the policy type to an export file. An Active Roles administrator deploys the policy type in the production environment by importing the export file. After that, the Active Roles Console can be used to configure and apply policies of the new type.

Policy Type objects

The policy extensibility feature is built upon Policy Type objects, each of which represents a single type of policy. Policy Type objects are used within both the policy type deployment and policy type usage processes. The process of deploying a new policy type involves the creation of a Policy Type object. During the process of adding a policy of a custom type, the policy type definition is retrieved from the respective Policy Type object.

Each Policy Type object holds the following data to define a single policy type:

  • Display name: Identifies the policy type represented by the Policy Type object. This name is displayed on the wizard page where you select a policy to configure when creating a new Policy Object or adding a policy to an existing Policy Object.

  • Description: A text describing the policy type. This text is displayed when you select the policy type in the wizard for creating a new Policy Object or in the wizard for adding a policy to an existing Policy Object.

  • Reference to Script Module: Identifies the script to run upon the execution of a policy of this type. When adding a policy of a custom policy type, you effectively create a policy that runs the script from the Script Module specified by the respective Policy Type object.

  • Policy Type category: Identifies the category of Policy Object to which a policy of this type can be added. A policy type may have the category option set to either Provisioning or Deprovisioning, allowing policies of that type to be added to either provisioning or deprovisioning Policy Objects respectively.

  • Function to declare parameters: Identifies the name of the script function that declares the configurable parameters for the administration policy that is based on this policy type. The function must exist in the Script Module selected for the policy type. By default, it is assumed that the parameters are declared by the function named onInit.

  • Policy Type icon: The image that appears next to the display name of the policy type on the wizard page where you select a policy to configure, to help identify and visually distinguish this policy type from the other policy types.

To create a custom policy type, you first need to create a Script Module that holds the policy script. Then, you can create a Policy Type object referring to that Script Module. When you import a policy type, Active Roles automatically creates both the Script Module and the Policy Type object for that policy type. After the Policy Type object has been created, you can add a policy of the new type to a Policy Object.

Creating and managing custom policy types

In Active Roles, Policy Type objects provide the ability to store the definition of a custom policy type in a single object. Policy Type objects can be exported and imported, which makes it easy to distribute custom policies to other environments.

When creating a new Policy Object or adding a policy to an existing Policy Object, an administrator is presented with a list of policy types derived from the Policy Type objects. Selecting a custom policy type from the list causes Active Roles to create a policy based on the settings found in the respective Policy Type object.

This section covers the following tasks specific to custom policy types:

For more information about Policy Type objects, including instructions on scripting for Policy Type objects, refer to the Active Roles SDK.

Creating a Policy Type object

Active Roles stores Policy Type objects in the Policy Types container. You can access that container in the Active Roles Console by expanding the Configuration > Server Configuration branch of the Console tree.

To create a new Policy Type object

  1. In the Console tree, under Configuration/Server Configuration/Policy Types, right-click the Policy Type container in which you want to create a new object, and select New > Policy Type.

    For example, if you want to create a new object in the root container, right-click Policy Types.

  2. In the New Object - Policy Type Wizard, type a name, a display name and, optionally, a description for the new object.

    The display name and description are displayed on the page for selecting a policy, in the wizards that are used to configure Policy Objects.

  3. Click Next.

  4. Click Browse and select the Script Module containing the script that will be run by the policies of this policy type.

    The Script Module must exist under the Configuration/Script Modules container and hold a policy script.

  1. In the Policy Type category area, do one of the following:

    1. Click Provisioning if policies of this type are intended for Policy Objects of the provisioning category.

    2. Click Deprovisioning if policies of this type are intended for Policy Objects of the deprovisioning category.

    The policy types that have the Provisioning option selected appear on the page for selecting a policy in the wizard that is used to create a provisioning Policy Object or to add policies to an existing provisioning Policy Object. The policy types that have the Deprovisioning option selected appear in the wizard for creating a deprovisioning Policy Object or adding policies to such a Policy Object.

  2. From the Function to declare parameters list, select the name of the script function that defines the parameters specific to this type of administration policy.

    The list contains the names of all the functions found in the script you selected in Step 4. Every policy of this type will have the parameters that are specified by the function you select from the Function to declare parameters list. Normally, this is a function named onInit.

  3. Click Policy Type Icon to verify the image that denotes this type of policy. To choose a different image, click Change and open an icon file containing the image you want.

    This image appears next to the display name of the policy type on the wizard page for selecting a policy to configure, to help identify and visually distinguish this policy type from the other policy types.

    The image is stored in the Policy Type object. In the dialog that appears when you click Policy Type Icon, you can view the image that is currently used. To revert to the default image, click Use Default Icon. If the button is unavailable, then the default image is currently used.

  4. Click Next and follow the steps in the wizard to complete the creation of the new Policy Type object.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating