Chat now with support
Chat with Support

Active Roles 8.1.5 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Changing entitlement profile specifiers

You can change an existing entitlement profile specifier by changing the specifier’s name and description, entitlement type and rules, resource display settings, and resource attributes list. The entitlement profile specifier objects are located under Configuration > Server Configuration > Entitlement Profile Specifiers in the Active Roles Console.

The following table summarizes the changes you can make to an existing entitlement profile specifier object, assuming that you have found the object in the Active Roles Console. You can also disable or delete a specifier using the Disable or Delete command on the Action menu. Active Roles disregards the disabled specifiers when building the entitlement profile. A disabled specifier can be re-enabled by using the Enable command that appears on the Action menu for disabled specifiers.

Table 81: Entitlement profile specifier object changes

To change

Do this

Commentary

Name

Right-click the object and click Rename.

The name is used to identify the object, and must be unique among the objects held in the same container.

Description

Right-click the object, click Properties and make the necessary changes on the General tab.

The description is intended to help Active Roles administrators identify the purpose and the function of the object.

Entitlement type

Right-click the object, click Properties, click the Type tab, and then select the appropriate option.

The entitlement type specifies how the user is entitled to the resource. You can choose whether the user is entitled to the resource by means of:

  • User attributes: Entitlement to a personal resource such as a mailbox or home folder, controlled by certain attributes of the user account.

  • Group membership: Entitlement to a shared resource such as a web application or a network file share via membership in a security group.

  • Manager or owner role assignment: Entitlement to act as the manager (primary owner) or a secondary owner of a directory object such as a group, distribution list, or computer.

Entitlement rules

Right-click the object, click Properties, click the Rules tab, and then add, remove, or modify entitlement rules by using the buttons below the rules list.

The entitlement rules are used to determine whether a given user is entitled to the resource. The entitlement rules take the form of conditions that the entitlement target object must meet in order for the user to be regarded as entitled to the resource, and thus for information about the resource to appear in the entitlement profile of that user.

To add or change an entitlement rule, click Include or Exclude depending on the rule type you want, or click View/Edit, and then use the Configure Entitlement Rule dialog to specify rule conditions. You can do this the same way you use the Find dialog to configure and run a search. Note that you can change only filter-based rules. If you select an explicit inclusion or exclusion rule the View/Edit button is unavailable. You can use Remove to remove a rule of any type.

For more information, see Step 6 in Creating entitlement profile specifiers.

Resource display settings

Right-click the object, click Properties, click the Display tab, and then view or change the icon and display name of the resource type, and the resource naming attribute.

The resource type icon, display name, and naming attribute are used to identify the resource in the entitlement profile. If the evaluation of the entitlement rules for a given user indicates that the user is entitled to the resource, then information about the resource appears as a separate section in the entitlement profile of that user. The heading of the section includes the resource type icon, the display name of the resource type, and the value of the naming attribute retrieved from the entitlement target object.

Resource attributes list

Right-click the object, click Properties, click the Attributes tab, and then add, remove, or change the order of attributes by using the buttons below the attributes list.

The tab lists the attributes of the entitlement target object that will be displayed in the entitlement profile, beneath the heading of the section that provides information about the resource. For each of the listed attributes, the section displays the name and the value of the attribute retrieved from the entitlement target object.

Predefined specifiers

Active Roles comes with a collection of predefined specifiers that determine the default resource profile configuration. The pre-defined specifiers are located in the Configuration > Server Configuration > Entitlement Profile Specifiers > Builtin container, and can be administered using the Active Roles Console. You can make changes to a predefined specifier (see Changing entitlement profile specifiers) or you can apply the Disable command for the specifier to have no effect.

NOTE: Predefined specifiers cannot be deleted.

The predefined specifiers have a lower priority than customer-created specifiers. This means the entitlement rules of customer-created specifiers are evaluated first, so that if a given entitlement target object matches the entitlement rules of both a predefined specifier and a customer-created specifier, the latter specifier is applied. The priority of specifiers is governed by the edsaPriority attribute setting. For more information, see About entitlement profile build process.

The following table provides information about the predefined specifiers. For each specifier, the table lists the specifier’s name, description, entitlement type and rules, and resource display settings.

Table 82: Predefined specifiers

Name and Description

Type and Rules

Resource Display Settings

Name: Self - Exchange Mailbox

Description: Specifies user entitlement to Exchange mailbox.

Type: Personal resource entitlement

Rules: Entitlement target object is an Exchange mailbox enabled user account.

Resource type name: Exchange Mailbox

Resource naming attribute: mail

Other resource-related attributes:

  • mail

  • homeMDB

  • displayName

Name: Self - Home Folder

Description: Specifies user entitlement to home folder.

Type: Personal resource entitlement

Rules: Entitlement target object has the homeDirectory attribute set.

Resource type name: Home Folder

Resource naming attribute: homeDirectory

Other resource-related attributes:

  • homeDirectory

  • homeDrive

Name: Self - Unix Account

Description: Specifies user entitlement to Unix-enabled account.

Type: Personal resource entitlement

Rules: Entitlement target object has the uidNumber attribute set AND has a loginShell attribute value other than /bin/false.

Resource type name: Unix-enabled Account

Resource naming attribute: userPrincipalName

Other resource-related attributes:

  • userPrincipalName

  • uidNumber

  • gidNumber

  • unixHomeDirectory

  • loginShell

Name: Self - OCS Account

Description: Specifies user entitlement to Office Communications Server enabled account.

Type: Personal resource entitlement

Rules: Entitlement target object has the msRTCSIP-UserEnabled attribute set to TRUE.

Resource type name: Enabled for Office Communications Server

Resource naming attribute: msRTCSIP-PrimaryUserAddress

Other resource-related attributes:

  • msRTCSIP-PrimaryUserAddress

  • edsva-OCS-Pool

Name: Membership - Member of Security Group

Description: Specifies entitlement to a resource via membership in a security group.

Type: Shared resource entitlement

Rules: Entitlement target object is a security group.

This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the shared resource entitlement type are evaluated prior to the rules of this specifier.

Resource type name: Member of Security Group

Resource naming attribute: name

Other resource-related attributes:

  • name

  • displayName

  • description

  • info

  • edsvaResourceURL

  • managedBy

  • edsvaPublished

  • edsvaApprovalByPrimaryOwnerRequired

  • edsvaParentCanonicalName

Name: Membership - Access to SharePoint Site

Description: Specifies entitlement to a SharePoint site via membership in a certain security group.

Type: Shared resource entitlement

Rules: Entitlement target object is a security group that has the edsva-SP-MirrorType attribute set.

Resource type name: Access to SharePoint Site

Resource naming attribute: name

Other resource-related attributes:

  • name

  • edsva-SP-SiteName

  • edsva-SP-SiteURL

  • managedBy

  • edsvaPublished

  • edsvaApprovalByPrimaryOwnerRequired

  • edsvaParentCanonicalName

Name: Managed By - Owner of Security Group

Description: Specifies entitlement to the manager or owner role for a security group.

Type: Managed resource entitlement

Rules: Entitlement target object is a security group.

Resource type name: Owner of Security Group

Resource naming attribute: name

Other resource-related attributes:

  • name

  • displayName

  • description

  • info

  • edsvaResourceURL

  • managedBy

  • edsvaPublished

  • edsvaApprovalByPrimaryOwnerRequired

  • edsvaParentCanonicalName

Name: Managed By - Owner of Distribution List

Description: Specifies entitlement to the manager or owner role for a distribution group.

Type: Managed resource entitlement

Rules: Entitlement target object is an Exchange mail enabled (distribution) group.

Resource type name: Owner of Distribution List

Resource naming attribute: displayName

Other resource-related attributes:

  • displayName

  • mail

  • description

  • info

  • managedBy

  • edsvaPublished

  • edsvaApprovalByPrimaryOwnerRequired

  • edsvaParentCanonicalName

Name: Managed By - Owner of Resource Exchange Mailbox

Description: Specifies entitlement to the owner role for a room, equipment, or shared mailbox.

Type: Managed resource entitlement

Rules: Entitlement target object is a user account associated with a room, equipment or shared mailbox.

Resource type name: Owner of Resource Exchange Mailbox

Resource naming attribute: displayName

Other resource-related attributes:

  • displayName

  • edsva-MsExch-MailboxTypeDescription

  • mail

  • description

  • homeMDB

  • edsvaParentCanonicalName

Name: Managed By - Owner of Exchange Contact

Description: Specifies entitlement to the owner role for an Exchange mail contact.

Type: Managed resource entitlement

Rules: Entitlement target object is an Exchange mail contact.

Resource type name: Owner of Exchange Contact

Resource naming attribute: displayName

Other resource-related attributes:

  • displayName

  • givenName

  • sn

  • mail

  • telephoneNumber

  • company

  • edsvaParentCanonicalName

Name: Managed By - Owner of Computer

Description: Specifies entitlement to the manager or owner role for a computer.

Type: Managed resource entitlement

Rules: Entitlement target object is a computer account.

Resource type name: Owner of Computer

Resource naming attribute: name

Other resource-related attributes:

  • name

  • dNSHostName

  • description

  • operatingSystem

  • edsvaParentCanonicalName

Name: Managed By - Default

Description: Default specifier for entitlement to the manager or owner role.

Type: Managed resource entitlement

Rules: No rules specified, which means that any object is regarded as matching the entitlement rules of this specifier.

This specifier has the lowest priority as per the edsaPriority attribute setting, so the entitlement rules of any other specifier of the managed resource entitlement type are evaluated prior to the rules of this specifier.

Resource type name: Owner of <target object class display name>

Resource naming attribute: name

Other resource-related attributes:

  • name

  • description

  • edsvaParentCanonicalName

Viewing entitlement profile

A user’s entitlement profile can be accessed from the Active Roles Console or Web Interface, allowing you to quickly examine resources to which the user is entitled:

  • In the Console, right-click the user and click Entitlement Profile. Alternatively, click Entitlement Profile on the Managed Resources tab in the Properties dialog for the user account.

  • In the Web Interface, click the user, and then choose Entitlement Profile from the list of commands.

This opens the Entitlement Profile page that lists the user’s resources grouped in expandable blocks by resource type. Each block may be a section that represents a single resource, or it may comprise a number of sections each of which represents a single resource. The grouping of sections occurs for resources of the same type. For example, the security groups in which the user has membership may be grouped together in a single block, with each group being represented by a separate section.

Initially, each block or section displays only a heading that includes the following items:

  • Resource icon: Graphics that helps distinguish the type of the resource.

  • Resource type: Text string that identifies the type of the resource.

  • Resource name: Text string that identifies the name of the resource, or indicates that the block comprises multiple resource-specific sections.

To view resource details, click the heading of a block or section.

Out of the box, Active Roles is configured so that a user’s entitlement profile displays the user’s entitlements to the resources listed in the table that follows. Active Roles administrators can configure the entitlement profile to display information about additional resources. If a user is not entitled to any resources of a particular type, then the user’s entitlement profile does not contain the sections specific to that resource type. For example, if a user does not have an Exchange mailbox, then the user’s entitlement profile does not contain information about the user’s mailbox.

Table 83: User resources

Resource Type

Resource Name

Resource Details

Exchange Mailbox

E-mail address of mailbox

  • E-mail address

  • Mailbox store or database location

  • Mailbox user’s display name

Home Folder

Path and name of home folder

  • Path and name of home folder

  • Drive letter assigned to home folder

Unix-enabled Account

User principal name

  • User principal name

  • Unix user ID (UID)

  • Unix primary group ID (GID)

  • Unix home directory

  • Unix login shell

Enabled for Office Communications Server

Live communications address

  • Live communications address

  • Office Communications server or pool

Member of Security Group

Group name

  • Group name

  • Group display name

  • Group description

  • Group notes

  • Resource address (URL)

  • Group’s "Managed By" setting

  • Group’s "Is Published" setting

  • Group’s "Approval by Primary Owner Required" setting

  • Group location ("In Folder" setting)

Access to SharePoint Site

Group name

  • Group name

  • SharePoint site name

  • SharePoint site address (URL)

  • Group’s "Managed By" setting

  • Group’s "Is Published" setting

  • Group’s "Approval by Primary Owner Required" setting

  • Group location (group’s "In Folder" setting)

Owner of Security Group

Group name

  • Group name

  • Group display name

  • Group description

  • Group notes

  • Resource address (URL)

  • Group’s "Managed By" setting

  • Group’s "Is Published" setting

  • Group’s "Approval by Primary Owner Required" setting

  • Group location ("In Folder" setting)

Owner of Distribution List

Group display name

  • Group display name

  • Group e-mail address

  • Group description

  • Group notes

  • Group’s "Managed By" setting

  • Group’s "Is Published" setting

  • Group’s "Approval by Primary Owner Required" setting

  • Group location ("In Folder" setting)

Owner of Resource Exchange Mailbox

Mailbox display name

  • Mailbox display name

  • Mailbox type

  • E-mail address

  • Mailbox store or database location

  • Mailbox description

  • Mailbox location ("In Folder" setting)

Owner of Exchange Contact

Contact display name

  • Display name

  • First name

  • Last name

  • E-mail address

  • Telephone number

  • Company

  • Location ("In Folder" setting)

Owner of Computer

Computer name

  • Computer name

  • Computer DNS name

  • Computer description

  • Operating system

  • Location ("In Folder" setting)

Owner of Resource (default)

Managed object’s name

  • Managed object’s name

  • Managed object’s description

  • Managed object’s location ("In Folder" setting)

Authorizing access to entitlement profile

By default, permission to view the entitlement profile is given to Active Roles Admin, the administrative account or group specified during Active Roles installation. Other users or groups can also be permitted to view the entitlement profile. A dedicated Access Template is provided for this purpose so that you can allow the use of the Entitlement Profile command by designated users or user groups.

To permit particular users or groups to view the entitlement profile of the users held in a certain container, such as an Organizational Unit or a Managed Unit, apply the Access Template as follows.

To authorize access to the entitlement profile

  1. In the Active Roles Console, right-click the container and click Delegate Control to display the Active Roles Security window.

  2. In the Active Roles Security window, click Add to start the Delegation of Control Wizard.

  3. In the wizard, click Next.

  4. On the Users or Groups page, click Add, and then select the desired users or groups.

  5. Click Next.

  6. On the Access Templates page, expand the Active Directory > Advanced folder, and then select the check box next to Users - View Entitlement Profile (Extended Right).

  7. Click Next and follow the instructions in the wizard, accepting the default settings.

After you complete these steps, the users and groups you selected in Step 4 are authorized to view the entitlement profile of the users held in the container you selected in Step 1, as well as in any sub-container of that container.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating