Chat now with support
Chat with Support

Active Roles 8.2.1 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Configuring rule-based autoprovisioning and deprovisioning
Configuring Provisioning Policy Objects
User Logon Name Generation E-mail Alias Generation Exchange Mailbox AutoProvisioning Group Membership AutoProvisioning Home Folder AutoProvisioning Property Generation and Validation Script Execution O365 and Azure Tenant Selection AutoProvisioning in SaaS products
Configuring Deprovisioning Policy Objects
User Account Deprovisioning Group Membership Removal User Account Relocation Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Permanent Deletion Office 365 Licenses Retention Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Script Execution Notification Distribution Report Distribution
Configuring entry types Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Configuring policy extensions
Using rule-based and role-based tools for granular administration Workflows
About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Azure tenant types and environment types supported by Active Roles Using Active Roles to manage Azure AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports and URLs used by Active Roles Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Applying Access Templates

You can apply ATs to an AD object with the Delegation of Control Wizard. To start the wizard, navigate to either:

  • The AT you want to apply on an AD object. When you start the Delegation of Control Wizard this way, you can select the securable AD objects for which the access is granted, and the trustees who receive the access to those securable objects.

    For the steps of this procedure, see Applying an Access Template directly.

  • The securable AD object (container, Managed Unit or leaf object) whose access and administration permissions you want to configure. When you start the Delegation of Control Wizard this way, you can select the trustees who receive the access to the securable object and the ATs defining the permissions of the trustees to the securable object.

    For the steps of this procedure, see Applying Access Templates on a securable object.

  • The trustee for which you want to assign permissions. When you start the Delegation of Control Wizard this way, you can select the securable AD object to which the trustee will receive access and the ATs defining the permissions of the trustee to the securable object.

    For the steps of this procedure, see Applying Access Templates on a user or group.

NOTE: ATs support propagating their permission settings for the child objects of the securable objects too.

TIP: For more technical details about how Active Roles applies permissions with Access Templates, see Applying permissions with Access Template in the Active Roles Feature Guide.

Applying an Access Template directly

You can configure permissions for a trustee to a securable Active Directory (AD) object via an Access Template (AT) by selecting the AT directly in the Active Roles Console.

To apply an Access Template on a trustee or trustees

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to Configuration > Access Templates.

  2. Right-click the AT you want to assign to a trustee (or trustees), then click Links.

    TIP: For more information on the ATs, see the Description of the AT or the Active Roles Built-in Access Templates Reference Guide document.

  3. In the Links dialog, to start the Delegation of Control Wizard, click Add. Click Next on the Welcome page, when it appears.

  4. In the Objects step, specify the securable objects that you want to add to the scope of the AT.

    • To specify a new securable object or objects, click Add. Then, in the Select Objects window, locate and select the securable objects you want to add to the scope of the AT, and click Add.

      Once you finalized the list, to close the Select Objects window and apply your selection, click OK.

      TIP: If no securable objects appear in the window, use the Click here to display objects link.

      Figure 8: Delegation of Control Wizard – Select objects window when specifying securable objects

      Figure 9: Delegation of Control Wizard – Selecting securable objects

    • To remove securable objects added earlier to the scope of the AT, select them in the Objects step, and click Remove.

    To continue, click Next.

  5. In the Users or Groups step, specify the trustee(s) for which you want to grant the permissions of the AT.

    • To specify a new trustee or new trustees, click Add. Then, in the Select Objects window, locate and select the users or groups you want to add to the scope of the AT, and click Add. Once you finalized the list, to close the Select Objects window and apply your selection, click OK.

      TIP: If no users or groups appear in the window, use the Click here to display objects link.

      Figure 10: Delegation of Control Wizard – Select Objects window when specifying trustees

      Figure 11: Delegation of Control Wizard – Selecting trustees

    • To remove existing trustees added earlier to the scope of the AT, select them in the Users or Groups step, and click Remove.

    To continue, click Next.

  6. In the Inheritance Options step, specify with the Apply permissions onto setting the scope of securable objects to which Active Roles applies the permissions of the AT:

    • This directory object: Trustees receive the AT permissions only to the selected securable object.

    • Child objects of this directory object: Trustees receive the AT permissions to the children of the securable object. To limit the granted permissions only to the direct children of the object, select Immediate child objects only as well.

    Figure 12: Delegation of Control Wizard- Inheritance Options

    To continue, click Next.

  7. In the Permissions Propagation step, to synchronize the configured permission settings to the native Active Directory (AD) access controls, select Propagate permissions to Active Directory.

    Figure 13: Delegation of Control Wizard – Permissions propagation

    Selecting this setting will modify the authorization information of the AD objects with the permission settings defined in Active Roles, providing more flexibility for users and groups that use native AD management tools besides Active Roles.

    IMPORTANT: Selecting this setting will result in trustees keeping their configured permissions outside of the Active Roles environment, with the potential risk of bypassing policies configured and enforced with Active Roles.

    Therefore, select this option only if the selected trustees have the required security clearance and/or meet all security guidelines in effect within your organization.

    TIP: Once Propagate permissions to Active Directory is selected and configured, you can change this setting at any time with the Active Roles Security > Sync to AD setting, or with the Advanced Details > Sync to AD setting. For more information, see Synchronizing permissions to Active Directory.

    To continue, click Next.

  8. To complete the wizard, click Finish.

Applying Access Templates on a securable object

You can configure permissions for a trustee (or trustees) to a securable Active Directory (AD) object via Access Templates (ATs) by selecting the securable object in the Active Roles Console.

To configure permissions with an Access Template from a securable object

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to the securable object for which you want to configure an AT.

  2. To open the Delegation of Control Wizard from the securable object:

    • If the securable object is a container or Managed Unit, right-click the object, then click Delegate Control > Add.

    • If the securable object is a leaf object, right-click the object and click Properties. Then, in the Properties window, click Administration > Security > Add.

    When the Welcome screen of the Delegation of Control Wizard appears, click Next.

  3. In the Users or Groups step, specify the trustee(s) for which you want to grant the permissions of the AT.

    • To specify a new trustee or new trustees, click Add. Then, in the Select Objects window, locate and select the users or groups you want to add to the scope of the AT, and click Add. Once you finalized the list, to close the Select Objects window and apply your selection, click OK.

      TIP: If no users or groups appear in the window, use the Click here to display objects link.

      Figure 14: Delegation of Control Wizard – Select Objects window when specifying trustees

      Figure 15: Delegation of Control Wizard – Selecting trustees

    • To remove existing trustees added earlier to the scope of the AT, select them in the Users or Groups step, and click Remove.

    To continue, click Next.

  4. In the Access Templates step, specify the ATs you want to assign to the selected trustees for the configured securable object. Expand the containers of the ATs, then select the AT or ATs you want to apply.

    Figure 16: Delegation of Control Wizard – Selecting Access Templates

    To continue, click Next.

  5. In the Inheritance Options step, specify with the Apply permissions onto setting the scope of securable objects to which Active Roles applies the permissions of the AT:

    • This directory object: Trustees receive the AT permissions only to the selected securable object.

    • Child objects of this directory object: Trustees receive the AT permissions to the children of the securable object. To limit the granted permissions only to the direct children of the object, select Immediate child objects only as well.

    Figure 17: Delegation of Control Wizard- Inheritance Options

    To continue, click Next.

  6. In the Permissions Propagation step, to synchronize the configured permission settings to the native Active Directory (AD) access controls, select Propagate permissions to Active Directory.

    Figure 18: Delegation of Control Wizard – Permissions propagation

    Selecting this setting will modify the authorization information of the AD objects with the permission settings defined in Active Roles, providing more flexibility for users and groups that use native AD management tools besides Active Roles.

    IMPORTANT: Selecting this setting will result in trustees keeping their configured permissions outside of the Active Roles environment, with the potential risk of bypassing policies configured and enforced with Active Roles.

    Therefore, select this option only if the selected trustees have the required security clearance and/or meet all security guidelines in effect within your organization.

    TIP: Once Propagate permissions to Active Directory is selected and configured, you can change this setting at any time with the Active Roles Security > Sync to AD setting, or with the Advanced Details > Sync to AD setting. For more information, see Synchronizing permissions to Active Directory.

    To continue, click Next.

  7. To complete the wizard, click Finish.

Applying Access Templates on a user or group

You can configure permissions for a trustee (typically a user or group) to a securable Active Directory (AD) object via Access Templates (ATs) by selecting the trustee in the Active Roles Console.

To configure permissions with an Access Template from a trustee

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to the trustee AD object (such as a user or group) for which you want to configure access with an AT or ATs to a securable object.

  2. To open the Delegation of Control Wizard, right-click the trustee, then click Delegated Rights > Add.

    When the Welcome screen appears, click Next.

  3. In the Objects step, specify the securable objects that you want to add to the scope of the AT.

    • To specify a new securable object or objects, click Add. Then, in the Select Objects window, locate and select the securable objects you want to add to the scope of the AT, and click Add.

      Once you finalized the list, to close the Select Objects window and apply your selection, click OK.

      TIP: If no securable objects appear in the window, use the Click here to display objects link.

      Figure 19: Delegation of Control Wizard – Select objects window when specifying securable objects

      Figure 20: Delegation of Control Wizard – Selecting securable objects

    • To remove securable objects added earlier to the scope of the AT, select them in the Objects step, and click Remove.

    To continue, click Next.

  4. In the Access Templates step, specify the ATs you want to assign to the selected trustees for the configured securable object. Expand the containers of the ATs, then select the AT or ATs you want to apply.

    Figure 21: Delegation of Control Wizard – Selecting Access Templates

    To continue, click Next.

  5. In the Inheritance Options step, specify with the Apply permissions onto setting the scope of securable objects to which Active Roles applies the permissions of the AT:

    • This directory object: Trustees receive the AT permissions only to the selected securable object.

    • Child objects of this directory object: Trustees receive the AT permissions to the children of the securable object. To limit the granted permissions only to the direct children of the object, select Immediate child objects only as well.

    Figure 22: Delegation of Control Wizard- Inheritance Options

    To continue, click Next.

  6. In the Permissions Propagation step, to synchronize the configured permission settings to the native Active Directory (AD) access controls, select Propagate permissions to Active Directory.

    Figure 23: Delegation of Control Wizard – Permissions propagation

    Selecting this setting will modify the authorization information of the AD objects with the permission settings defined in Active Roles, providing more flexibility for users and groups that use native AD management tools besides Active Roles.

    IMPORTANT: Selecting this setting will result in trustees keeping their configured permissions outside of the Active Roles environment, with the potential risk of bypassing policies configured and enforced with Active Roles.

    Therefore, select this option only if the selected trustees have the required security clearance and/or meet all security guidelines in effect within your organization.

    TIP: Once Propagate permissions to Active Directory is selected and configured, you can change this setting at any time with the Active Roles Security > Sync to AD setting, or with the Advanced Details > Sync to AD setting. For more information, see Synchronizing permissions to Active Directory.

    To continue, click Next.

  7. To complete the wizard, click Finish.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating