
Active Roles 8.2 - Feature Guide


About AutoProvisioning in SaaS products

Policies of the AutoProvisioning in SaaS products type automate the provisioning of users and groups in the selected SaaS products by using Starling Connectors.

When creating a user, Active Roles uses this policy to provision access to the connected SaaS systems, based on the Starling Connectors selected when the policy was configured.

For more information on configuring this Policy Object, see Creating a provisioning policy for Starling Connect in the Active Roles Administration Guide.

Overview of Deprovisioning Policy Objects

Both Active Roles user interfaces, the Active Roles Console and the Web Interface, provide the Deprovision command on user and group objects. Running the command initiates a request to deprovision the selected objects. When processing the request, Active Roles performs all operations defined by the configured deprovisioning Policy Objects.

The operation progress and results are displayed in the Deprovisioning Results window. When the operation is completed, the window displays the operation summary, and allows you to examine operation results in detail.

The left pane of the Deprovisioning Results window lists the objects that have been deprovisioned. The right pane displays the operation status and error messages, if any.

To view operation results, select an object in the left pane. The right pane shows a report on all actions taken during the deprovisioning of the selected object.

For more information on configuring deprovisioning policies, see Configuring Policy Objects in the Active Roles Administration Guide.

List of default built-in deprovisioning policy options

The following tables summarize the default deprovisioning policy options. If you do not add, remove, or change deprovisioning policies, Active Roles operates in accordance with these options when carrying out the Deprovision command on a user or group.

The following table summarizes the default deprovisioning policy options for users, defined by the Built-in Policy - User Default Deprovisioning Policy Object.

Table 7: Policy options for users: Built-in Policy - User Default Deprovisioning

Policy

Options

User Account Deprovisioning

  • Disable the user account.

  • Set the user password to a random value.

  • Change the user name to include the suffix “deprovisioned” followed by the date when the user was deprovisioned.

  • Fill in the user description to state that this user account is deprovisioned.

  • Clear certain properties of the user account, such as city, company, and postal address.

Group Membership Removal

  • Remove the user account from all security groups.

  • Remove the user account from all distribution groups.

Exchange Mailbox Deprovisioning

  • Hide the user mailbox from Exchange address lists, thus preventing access to the mailbox.

Home Folder Deprovisioning

  • Revoke access to the user home folder from the user account.

  • Give the user’s manager read access to the user home folder.

  • Designate Administrators as the home folder owner.

User Account Relocation

  • Do not move the user account from the Organizational Unit in which the account was located at the time of deprovisioning.

User Account Permanent Deletion

  • Do not delete the user account.
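As an added example (not One Identity code and not part of the original guide), the following PowerShell function checks user objects against the default options in Table 7 and reports any deviation. The mapping of "city, company, and postal address" to the City, Company and StreetAddress properties is an assumption, the sample accounts and their name format are constructed, and the commented query assumes the ActiveDirectory module.

```powershell
# Added example (not One Identity code): audit accounts against the default
# user deprovisioning options in Table 7. Property names follow Get-ADUser output.
function Test-DeprovisionedUser {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        if ($User.Enabled) { $findings.Add('account is still enabled') }
        if ($User.Name -notmatch 'deprovisioned') { $findings.Add('name lacks the deprovisioned suffix') }
        if ([string]::IsNullOrWhiteSpace($User.Description)) { $findings.Add('description is empty') }
        # memberOf omits the primary group, so any entry is a leftover membership.
        $groups = @($User.MemberOf | Where-Object { $_ })
        if ($groups.Count -gt 0) { $findings.Add("still in $($groups.Count) group(s)") }
        # Assumed mapping of "city, company, postal address" to Get-ADUser properties.
        foreach ($p in 'City', 'Company', 'StreetAddress') {
            if (-not [string]::IsNullOrWhiteSpace($User.$p)) { $findings.Add("$p not cleared") }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Compliant      = ($findings.Count -eq 0)
            Findings       = $findings -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{
        SamAccountName = 'jdoe'; Name = 'John Doe - Deprovisioned 01/15/2024'; Enabled = $false
        Description = 'Deprovisioned account'; MemberOf = @()
        City = $null; Company = $null; StreetAddress = $null
    }
    [pscustomobject]@{
        SamAccountName = 'asmith'; Name = 'Ann Smith - Deprovisioned 01/15/2024'; Enabled = $true
        Description = ''; MemberOf = @('CN=VPN Users,OU=Groups,DC=example,DC=com')
        City = 'Oslo'; Company = $null; StreetAddress = $null
    }
)
$sample | Test-DeprovisionedUser | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter "Name -like '*deprovisioned*'" `
#     -Properties Description, MemberOf, City, Company, StreetAddress |
#     Test-DeprovisionedUser | Where-Object { -not $_.Compliant }
```

If the default policies have been changed, adjust the checks to match the options actually in effect.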

The following table summarizes the default deprovisioning policy options for groups, defined by the Built-in Policy - Group Default Deprovisioning Policy Object.

Table 8: Policy options for groups: Built-in Policy - Group Default Deprovisioning

Policy

Options

Group Object Deprovisioning

  • Change the group type from Security to Distribution.

  • Hide the group from the Global Address List (GAL).

  • Change the group name to include the suffix “deprovisioned” followed by the date when the group was deprovisioned.

  • Remove all members from the group.

  • Fill in the group description to state that this group is deprovisioned.

Group Object Relocation

  • Do not move the group from the Organizational Unit in which the group was located at the time of deprovisioning.

Group Object Permanent Deletion

  • Do not delete the group.

For more information on configuring deprovisioning Policy Objects, see Configuring Policy Objects in the Active Roles Administration Guide.

About User Account Deprovisioning

User Account Deprovisioning policies automate the following deprovisioning tasks on user accounts:

  • Disabling the user account.

  • Setting the user password to a random value.

  • Setting the user login names to random values.

  • Renaming the user account.

  • Modifying other properties of the user account (for example, user membership in Managed Units).

When processing a request to deprovision a user, Active Roles uses this policy to modify the user’s account so that, once deprovisioning is completed, the user cannot log in to the network with their credentials.

A policy can also be configured to update user accounts. Depending on the policy configuration, each policy-based update results in the following:

  • Certain portions of account information are removed from the directory by resetting specified properties to empty values.

  • Certain properties of user accounts are set to new, non-empty values.

A policy can be configured so that new property values include:

  • Properties of the user account being deprovisioned, retrieved from the directory prior to starting the process of the user deprovisioning.

  • Properties of the user who originated the deprovisioning request.

  • Date and time when the user was deprovisioned.

Thus, when deprovisioning a user, Active Roles modifies the user’s account in Active Directory as determined by the User Account Deprovisioning policy that is in effect.

For more information on configuring this Policy Object, see Configuring a User Account Deprovisioning policy in the Active Roles Administration Guide.
