
Identity Manager 8.1.5 - Administration Guide for Active Roles Integration

One Identity Manager Service access permissions required for synchronizing using Active Roles

It is recommended that you set up a special user account in Active Directory that the One Identity Manager Service uses to connect to Active Roles. Use Active Roles Access Templates to configure its permissions. With Access Templates, you delegate the administration-relevant permissions to an Active Directory user account without granting those permissions directly in Active Directory. For more information about Active Roles Access Templates, see your One Identity Active Roles documentation.

The following Access Templates are suggested for delegating permissions:

  • All Objects - Read All Properties
  • All Objects - Full Control

One Identity Manager does not control Active Roles workflows.

To bypass existing Active Roles workflows, you must add the One Identity Manager Service's user account to the Active Roles administrators group.

  • Up to and including Active Roles version 6.9, the administrative group is created during installation of Active Roles. The name of the group is saved in the registry under:

    • Registry key: HKEY_Local_Machine\Software\Aelita\Enterprise Directory Manager

    • Value: DSAdministrators

  • As from Active Roles version 7.0, you edit the Active Roles Admins in the Active Roles Configuration Center. If a user account is entered in the Active Roles Configuration Center as an Active Roles Admin, the One Identity Manager Service must use this user account. For more information about editing the group or the user account for administrative access, see your One Identity Active Roles documentation.

Setting up the synchronization server

To set up synchronization with an Active Directory environment, a server with the following software installation must be available:

  • Windows operating system

    The following versions are supported:

    • Windows Server 2008 R2 (non-Itanium based 64-bit) service pack 1 or later

    • Windows Server 2012

    • Windows Server 2012 R2

    • Windows Server 2016

    • Windows Server 2019

  • Microsoft .NET Framework Version 4.7.2 or later

    NOTE: Take the target system manufacturer's recommendations into account.

  • Windows Installer

  • One Identity Active Roles Management Shell for Active Directory (x64)

    On 32-bit operating systems, use the Active Roles Management Shell for Active Directory (x86) package.

    For installation instructions, refer to your One Identity Active Roles documentation.

  • The following packages must be subsequently installed from the Active Roles installation medium:

    On 32-bit systems:

    • <source>\Redistributables\vc_redist.x86.exe

    • <source>\Components\ActiveRoles ADSI Provider\ADSI_x86.msi

    On 64-bit systems:

    • <source>\Redistributables\vc_redist.x64.exe

    • <source>\Components\ActiveRoles ADSI Provider\ADSI_x64.msi

  • Furthermore, it must be possible to establish connections from the Job server to the Active Roles server over port 15172. If necessary, set up a firewall rule on the Active Roles server that allows this.

  • One Identity Manager Service, Active Roles connector

    • Install One Identity Manager components with the installation wizard.

      1. Select the Select installation modules with existing database option.

      2. Select the Server | Job server | Active Directory machine role.

    NOTE: For existing Active Roles installations:

    The One Identity Manager Service can be installed on a server using Active Roles.
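As an added example, not part of the One Identity Manager or Active Roles documentation, the following PowerShell script checks the prerequisites listed above on a prospective synchronization server (.NET Framework 4.7.2 or later, the Active Roles Management Shell, the ADSI provider package, and TCP reachability of the Active Roles server on port 15172), reads the DSAdministrators registry value that Active Roles up to 6.9 uses for its administrators group, and creates an inbound firewall rule on the Active Roles server that is scoped to the Job server addresses instead of opening the port to every source. The module name ActiveRolesManagementShell, the ADSI provider display-name pattern, the function names, and all host names, accounts and addresses are assumptions or constructed placeholders; the .NET Release value 461808 is the Microsoft-documented marker for 4.7.2.

```powershell
# Added example (not from the One Identity Manager documentation).
# Part 1 runs on the planned synchronization (Job) server, part 2 on the Active Roles server.

function Test-ArSyncServerPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ActiveRolesServer,  # DNS name or IP of the Active Roles server
        [string] $ServiceAccount = $null,                     # e.g. 'CORP\svc-oim-ar' (constructed placeholder)
        [int]    $Port = 15172                                # connector port named in the documentation
    )
    $results = [ordered]@{}

    # .NET Framework 4.7.2 or later: the 'Release' DWORD for 4.7.2 is 461808.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $results['DotNet472OrLater'] = ($null -ne $ndp -and $ndp.Release -ge 461808)

    # Active Roles Management Shell: the module name is an assumption, adjust it to the installed version.
    $results['ActiveRolesShell'] = [bool](Get-Module -ListAvailable -Name 'ActiveRolesManagementShell')

    # ADSI provider package (ADSI_x64.msi / ADSI_x86.msi), looked up in the uninstall registry hives;
    # the display-name pattern is an assumption.
    $uninstall = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    $results['AdsiProvider'] = [bool](Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ActiveRoles*ADSI*' })

    # Job server -> Active Roles server over TCP 15172.
    $tnc = Test-NetConnection -ComputerName $ActiveRolesServer -Port $Port -WarningAction SilentlyContinue
    $results['Port15172Reachable'] = [bool]$tnc.TcpTestSucceeded

    # Active Roles <= 6.9 stores the administrators group name in this registry value (from the documentation).
    # The key only exists on the Active Roles server itself; on 7.0+ use the Configuration Center instead.
    $ar = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Aelita\Enterprise Directory Manager' -ErrorAction SilentlyContinue
    $results['LegacyAdminGroup'] = if ($ar) { $ar.DSAdministrators } else { '<not on this host or Active Roles 7.0+>' }

    # Optional: confirm the service account is a member of that group (needs the ActiveDirectory module;
    # assumes the registry value is an identity Get-ADGroupMember accepts, such as a sAMAccountName).
    if ($ServiceAccount -and $ar -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        Import-Module ActiveDirectory
        $sam = $ServiceAccount.Split('\')[-1]
        $members = Get-ADGroupMember -Identity $ar.DSAdministrators -Recursive |
            Select-Object -ExpandProperty SamAccountName
        $results['ServiceAccountIsAdmin'] = ($members -contains $sam)
    }

    [pscustomobject]$results
}

function New-ArConnectorFirewallRule {
    # Run on the Active Roles server. Allows TCP 15172 inbound only from the listed Job server
    # addresses (synchronization server and any load-balancing Job servers), on the domain profile.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $JobServerAddress,  # IPs or subnets, constructed placeholders in usage
        [int] $Port = 15172
    )
    New-NetFirewallRule -DisplayName 'One Identity Manager Service -> Active Roles' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $JobServerAddress -Action Allow -Profile Domain
}

# Usage (constructed names and addresses):
# Test-ArSyncServerPrerequisites -ActiveRolesServer 'ar01.corp.example' -ServiceAccount 'CORP\svc-oim-ar' | Format-List
# New-ArConnectorFirewallRule -JobServerAddress '10.0.5.20'
```

Run the first function on the Job server before starting the Server Installer; a False in any row points at the prerequisite bullet above that still needs attention. The second function is the scoped alternative to a blanket "allow 15172" rule.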

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.

Use the Server Installer to install the One Identity Manager Service. The program executes the following steps:

  • Sets up a Job server.

  • Specifies machine roles and server function for the Job server.

  • Remotely installs One Identity Manager Service components corresponding to the machine roles.

  • Configures the One Identity Manager Service.

  • Starts the One Identity Manager Service.

NOTE: To generate processes for the Job server, you need the provider, connection parameters, and the authentication data. By default, this information is determined from the database connection data. If the Job server runs through an application server, you must configure extra connection data in the Designer. For detailed information about setting up Job servers, see the One Identity Manager Configuration Guide.

NOTE: The program performs a remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.

To remotely install the One Identity Manager Service, you must have an administrative workstation on which the One Identity Manager components are installed. For detailed information about installing a workstation, see the One Identity Manager Installation Guide.

To remotely install and configure One Identity Manager Service on a server

  1. Start the Server Installer program on your administrative workstation.

  2. On the Database connection page, enter the valid connection credentials for the One Identity Manager database.

  3. On the Server properties page, specify the server on which you want to install the One Identity Manager Service.

    1. Select a Job server from the Server menu.

      - OR -

      To create a new Job server, click Add.

    2. Enter the following data for the Job server.

      • Server: Name of the Job server.

      • Queue: Name of the queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the Job queue using this unique queue identifier. The queue identifier is entered in the One Identity Manager Service configuration file.

      • Full server name: Full server name in accordance with DNS syntax.

        Syntax:

        <Name of server>.<Fully qualified domain name>

      NOTE: You can use the Extended option to make changes to other properties for the Job server. You can also edit the properties later with the Designer.

  4. On the Machine roles page, select Active Directory.

  5. On the Server functions page, select Active Roles connector.

  6. On the Service Settings page, enter the connection data and check the One Identity Manager Service configuration.

    NOTE: The initial service configuration is predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For detailed information about configuring the service, see the One Identity Manager Configuration Guide.

    • For a direct connection to the database:

      1. Select Process collection | sqlprovider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the One Identity Manager database.

    • For a connection to the application server:

      1. Select Process collection, click the Insert button and select AppServerJobProvider.

      2. Click the Connection parameter entry, then click the Edit button.

      3. Enter the connection data for the application server.

      4. Click the Authentication data entry and click the Edit button.

      5. Select the authentication module. Depending on the authentication module, other data may be required, such as user and password. For detailed information about the One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

  7. To configure remote installations, click Next.

  8. Confirm the security prompt with Yes.

  9. On the Select installation source page, select the directory with the install files.

  10. On the Select private key file page, select the file with the private key.

    NOTE: This page is only displayed when the database is encrypted.

  11. On the Service access page, enter the service's installation data.

    • Computer: Name or IP address of the server that the service is installed and started on.

    • Service account: User account data for the One Identity Manager Service.

      • To start the service under another account, disable the Local system account option and enter the user account, password and password confirmation.

    • Installation account: Data for the administrative user account to install the service.

      • To use the current user’s account, set the Current user option.

      • To use another user account, disable the Current user option and enter the user account, password and password confirmation.

    • To change the install directory, names, display names, or description of the One Identity Manager Service, use the other options.

  12. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  13. Click Finish on the last page of the Server Installer.

    NOTE: In a default installation, the service is entered in the server’s service management with the name One Identity Manager Service.

Creating a synchronization project for initial synchronization of an Active Directory domain through Active Roles

Use the Synchronization Editor to configure synchronization between the One Identity Manager database and Active Directory environment. The following describes the steps for initial configuration of a synchronization project.

After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the Synchronization Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.

Have the following information available for setting up a synchronization project.

Table 1: Information required for setting up a synchronization project

  • Data: Distinguished name of the domain

    Explanation: Distinguished LDAP domain name.

  • Data: User account and password for logging into Active Roles

    Explanation: User account and password for logging into Active Roles. Make a user account available with sufficient permissions. For more information, see One Identity Manager Service access permissions required for synchronizing using Active Roles.

  • Data: DNS name or IP address of the Active Roles server

    Explanation: DNS name or IP address of the Active Roles server that the synchronization server connects to.

    Example:

    <Name of server>.<Fully qualified domain name>

  • Data: Synchronization server for Active Directory

    Explanation: All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

    The One Identity Manager Service with the Active Roles connector must be installed on the synchronization server.

    The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.

    Table 2: Additional properties for the Job server

    • Property: Server function
      Value: Active Roles connector

    • Property: Machine role
      Value: Server/Jobserver/Active Directory

    For more information, see Setting up the synchronization server.

  • Data: One Identity Manager database connection data

    Explanation:

    • Database server

    • Database

    • SQL Server login and password

    • Specifies whether integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

  • Data: Remote connection server

    Explanation: To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, for example because of the firewall configuration, or because the workstation does not fulfill the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

    The remote connection server and the workstation must be in the same Active Directory domain.

    Remote connection server configuration:

    • One Identity Manager Service is started

    • RemoteConnectPlugin is installed

    • Active Roles connector is installed

    The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

    TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). You can use the synchronization server as the remote connection server at the same time by simply installing the RemoteConnectPlugin as well.

    For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The following sequence describes how to set up a synchronization project if the Synchronization Editor is run in default mode.

If you run the Synchronization Editor in expert mode, you can make additional configuration settings. Follow the project wizard instructions through these steps.

To set up an initial synchronization project for an Active Directory domain using Active Roles

  1. Start the Synchronization Editor and log into the One Identity Manager database.

  2. Select the start page. Click Start a new synchronization project.

    This starts the project wizard.

  3. Click Next on the welcome page.

  4. On the Choose target system page, select Active Roles connector.

  5. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Enable the Connect using remote connection server option and select the server to be used for the connection under Job server.

  6. On the Target server page, enter the Active Roles server to which you want to connect. If possible, servers are determined automatically.

    • In the Host name/IP address menu, select a target server.

    • If the server cannot be found automatically, in the Host name/IP address field, enter the DNS name or the IP address.

  7. On the Credentials page, enter the user account and password for accessing Active Roles.

  8. On the Domain/root entry selection page, select the domain you want to synchronize or enter the root entry's distinguished name.

  9. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE: If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again. This page is not shown if a synchronization project already exists.

  10. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  11. On the Restrict target system access page, specify how system access should work. You have the following options:

    Table 3: Specify target system access

    • Option: Read-only access to target system.

      Meaning: Specifies that a synchronization workflow is only to be set up for the initial loading of the target system into the One Identity Manager database.

      The synchronization workflow has the following characteristics:

      • Synchronization is in the direction of One Identity Manager.

      • Processing methods in the synchronization steps are only defined for synchronization in the direction of One Identity Manager.

    • Option: Read/write access to target system. Provisioning available.

      Meaning: Specifies whether a provisioning workflow is to be set up in addition to the synchronization workflow for the initial loading of the target system.

      The provisioning workflow has the following characteristics:

      • Synchronization is in the direction of the target system.

      • Processing methods are only defined in the synchronization steps for synchronization in the direction of the target system.

      • Synchronization steps are only created for those schema classes whose schema types have write access.

  12. On the Synchronization server page, select a synchronization server to execute synchronization.

    If the synchronization server is not declared as a Job server in the One Identity Manager database yet, you can add a new Job server.

    1. Click to add a new Job server.

    2. Enter a name for the Job server and the full server name conforming to DNS syntax.

    3. Click OK.

      The synchronization server is declared as a Job server for the target system in the One Identity Manager database.

      NOTE: After you save the synchronization project, ensure that this server is set up as a synchronization server.

  13. To close the project wizard, click Finish.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    The synchronization project is created, saved, and enabled immediately.

    NOTE: If enabled, a consistency check is carried out. If errors occur, a message appears. You can decide whether the synchronization project can remain activated or not.

    Check the errors before you use the synchronization project. To do this, in the General view on the Synchronization Editor's start page, click Verify project.

    NOTE: If you do not want the synchronization project to be activated immediately, disable the Activate and save the new synchronization project automatically option. In this case, save the synchronization project manually before closing the Synchronization Editor.

    NOTE: The connection data for the target system is saved in a variable set and can be modified in the Configuration | Variables category in the Synchronization Editor.

NOTE:

Following a synchronization, employees are automatically created for the user accounts in the default installation. If an account definition for the domain is not yet known at the time of synchronization, user accounts are linked with employees. However, account definitions are not assigned. The user accounts are therefore in a Linked state.

To manage the user accounts using account definitions, assign an account definition and a manage level to these user accounts.

To select user accounts through account definitions

  1. Create an account definition.
  2. Assign an account definition to the domain.
  3. Assign a user account in the Linked state to the account definition. The account definition's default manage level is applied to the user account.
    1. In the Manager, select the Active Directory | User accounts | Linked but not configured | <Domain> category.

      - OR -

      In the Manager, select the Active Directory | Contacts | Linked but not configured | <Domain> category.

    2. Select the Assign account definition to linked accounts task.
    3. In the Account definition menu, select the account definition.

    4. Select the user accounts to which the account definition is to be assigned.

    5. Save the changes.

Accelerating provisioning and single object synchronization

To smooth out spikes in data traffic, handling of processes for provisioning and single object synchronization can be distributed over several Job servers. This will also accelerate these processes.

NOTE: You should not implement load balancing for provisioning or single object synchronization on a permanent basis. Parallel processing of objects might result in dependencies not being resolved because referenced objects from another Job server have not been completely processed.

Once load balancing is no longer required, ensure that the synchronization server executes the provisioning processes and single object synchronization.

To configure load balancing

  1. Configure the server and declare it as a Job server in One Identity Manager.

    • Assign the Active Roles connector server function to the Job server.

    All Job servers must access the same Active Directory domain as the synchronization server for the respective base object.

  2. In the Synchronization Editor, assign a custom server function to the base object.

    This server function is used to identify all the Job servers being used for load balancing.

    If there is no custom server function for the base object, create a new one.

    For more information about editing base objects, see the One Identity Manager Target System Synchronization Reference Guide.

  3. In the Manager, assign this server function to all the Job servers that will be processing provisioning and single object synchronization for the base object.

    Only select those Job servers that have the same configuration as the base object's synchronization server.

    For more detailed information about editing servers, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Once all the processes have been handled, the synchronization server takes over provisioning and single object synchronization again.

To use the synchronization server without load balancing

  • In the Synchronization Editor, remove the server function from the base object.

For detailed information about load balancing, see the One Identity Manager Target System Synchronization Reference Guide.
