Chat now with support
Chat with Support

Active Roles 7.5 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo MFA Appendix H: Active Roles integration with Okta MFA

About Managed Units

Enterprises usually design their OU-based network structure on geographical or departmental boundaries, restricting the ability to delegate administration outside these boundaries. However, they can face situations that require objects to be grouped together in ways that differ to the OU structure.

Active Directory offers a comprehensive delegation model. However, since the scope of delegation is defined using Organizational Units, distributed administration in Active Directory is constrained by the OU structure.

In Active Directory, without changing the directory structure, it is impossible to re-group objects so that the new “groups” support inheritance for their members when delegating control or enforcing policy. As a solution to this inflexible, OU-based structure, Active Roles provides the facility to configure administrative views that meet any directory management needs. The administrative views (Managed Units) allow distributed administration to be independent of the OU hierarchy.

Thus, Active Roles provides Managed Units (MUs)—securable, flexible, rules-based administrative views. MUs represent dynamic virtual collections of objects of different types. MUs may include any directory objects, regardless of their location in the network. This allows objects to be grouped into administrative views that are independent of the OU-based structure.

Managed Units allow organizations to implement OU structures on a geographical basis, but distribute administration on a functional basis. For example, all users in a particular department, regardless of their location in different OUs, could be grouped into a single Managed Unit for the purposes of delegating access control and enforcing administrative policy. The members of that Managed Unit would remain in their geographically defined OUs, leaving the OU structure unaffected.

Managed Units make it possible to organize an enterprise in any particular way, without changing the underlying domain and OU structure. Managed Units can include directory objects from different domains, trees and forests, as well as from other Managed Units. In addition, different Managed Units can have common members. These features of Managed Units create an environment that is both secure and easy to manage.

How Managed Units work

Membership rules determine whether an object is a member of a certain MU. For example, you might specify a membership rule that states: all users from OU A whose full names start with B belong to this MU. The membership rule is then implemented as a query that searches OU A for users with full names starting with B. Active Roles stores the query as a part of the MU properties, and executes it whenever a list of MU members is created or refreshed.

Active Roles allows permission and policy settings to be specified at the level of Managed Units. Inheritance of permission and policy settings from the Managed Unit level works seamlessly across the Active Directory environment.

As the environment changes, the memberships of objects held in Managed Units also change automatically to adapt to the new environment, therefore object permission and policy settings change as well. Managed Units dynamically adapt to changes in the enterprise, simplifying the maintenance of permission and policy settings on directory objects.

Each Managed Unit provides a convenient scope for delegated administration. Delegated administrators no longer have to browse the hierarchy of OUs to search for managed objects. With Active Roles, administrative control of each MU can be delegated to specific individuals and groups, just as control of OUs can be delegated. Using Managed Units, all objects managed by a delegated administrator are located in one place.

Administering Managed Units

This section guides you through the Active Roles console to administer Managed Units. The following topics are covered:

Creating a Managed Unit

The Active Roles console provides the New Object – Managed Unit wizard to create Managed Units. You can start the wizard from the Managed Units container, located under Configuration in the console tree: right-click Managed Units in the console tree, and select New | Managed Unit.

If you need to manage a large number of Managed Units, it is advisable to create containers that hold only specified Managed Units for easy location: in the console tree, right-click Managed Units and select New | Managed Unit Container. Then, you can use the wizard to create a Managed Unit in that container: right-click the container and select New | Managed Unit.

NOTE: Only users with administrative access to the Administration Service (members of the Active Roles Admin account) are permitted to create Managed Units. For more information about the Active Roles Admin account, refer to the Active Roles Quick Start Guide.

The first page of the wizard looks as shown in the following figure.

Figure 6: Managed unit - Name and Description

On this page, type in the name and description for the Managed Unit. The Active Roles console will display the name and description in the list of Managed Units in the details pane.

Click Next. The second page of the wizard looks as shown in the following figure.

Figure 7: Managed unit - include objects

This page lets you specify which objects you want to be included in the Managed Unit.

Membership of a Managed Unit is determined by membership rules. Members of a Managed Unit are those objects that match criteria defined in the membership rules. A list of members is dynamically updateable: When you create a new object that satisfies the criteria in the membership rule, the object is included into the MU automatically. When an object no longer matches the criteria specified in the membership rule (for example, when the object is renamed or moved), it is automatically removed from the membership list.

A membership rule may take a form of search query, object static inclusion and exclusion rule, and group member’s inclusion and exclusion rule.

To specify a membership rule, click Add. This displays the Membership Rule Type dialog box, shown in the following figure.

Figure 8: Managed Unit - membership rule type

In this dialog box, select a type of membership rule. In the lower box, you can read a description that explains which membership rules can be created using the selected type.

The Include Explicitly rule type allows you to select objects to be statically added to the Managed Unit. If you select a container, such as an OU, the entire sub-tree rooted in that container is included in the Managed Unit. Active Roles ensures that the selected objects are included in the Managed Unit regardless of whether they are renamed, moved to another container, or have any properties changed.

The Exclude Explicitly rule type allows you to select objects to be statically excluded from the Managed Unit. Active Roles ensures that the selected objects are excluded from the membership list regardless of whether they are renamed, moved, or have any properties changed. Because the Exclude Explicitly rule takes precedence over all other types of rule, the selected objects will be excluded from the Managed Unit even if another rule states that they should be included. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.

The Include Group Members rule type allows you to select the groups which members you want to include in the Managed Unit. Active Roles dynamically populates the membership list with the objects that belong to the selected groups. When an object is added or removed from the selected groups, Active Roles adds or removes that object from the membership list of the Managed Unit.

The Exclude Group Members rule type allows you to select groups whose members will be excluded from the Managed Unit. Active Roles ensures that the members of the selected groups are removed from the membership list of the Managed Unit. When an object is added to any one of the selected groups, Active Roles automatically removes that object from the membership list. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.

The Include by Query rule type allows you to define criteria the objects must match to be included in the Managed Unit. Active Roles dynamically populates the membership list with the objects that have certain properties. When an object is created, or when its properties are changed, Active Roles adds or removes it from the membership list depending on whether the objects’ properties match the defined criteria.

The Exclude by Query rule type allows you to define criteria the objects must match to be excluded from the Managed Unit. Active Roles ensures that the objects with certain properties are excluded from the membership list. Active Roles automatically removes objects from the membership list depending on whether the objects’ properties match the defined criteria. Note that this rule type can be used to exclude only those objects that match one of the inclusion rules.

The Retain Deprovisioned rule is intended to adjust the behavior of Managed Units towards deprovisioned objects, such as deprovisioned users or groups. Once an object is deprovisioned, the default behavior is to automatically remove that object from all Managed Units it was a member of. If there is a need to keep deprovisioned objects in certain Managed Units, you can satisfy this requirement by adding the Retain Deprovisioned rule to those Managed Units. This rule causes the Managed Unit to include both the regular and deprovisioned objects that meet the membership rules for that Managed Unit. Without this rule, the Managed Unit does not include any deprovisioned objects.

Note that the rules that exclude objects from a Managed Unit have an effect on only those objects that match one of the inclusion rules for that Managed Unit. For example, if a container object is explicitly included in a Managed Unit, all objects held in that container are also included in the Managed Unit and cannot be excluded by applying exclusion rules. An exclusion rule can only be used to exclude the entire container from the Managed Unit since the container is the only object that matches an inclusion rule. The objects that are held in the container do not match any inclusion rule, and therefore are not affected by exclusion rules.

In the Membership Rule Type dialog box, select a rule type, and click OK.

If you have selected the Include Explicitly or Exclude Explicitly rule type, the Select Objects dialog box is displayed. Select the objects you want to include or exclude from the Managed Unit, click Add, and then click OK.

If you have selected the Include Group Members or Exclude Group Members rule type, the Select Objects dialog box is displayed. The list of objects in that dialog box consists of groups. Select groups, click Add, and then click OK. All members of the selected groups will be included or excluded from the Managed Unit.

If you have selected the Include by Query or Exclude by Query rule type, the Create Membership Rule dialog box, similar to the Find dialog box, is displayed. In that dialog box, define the criteria that objects must match to be included or excluded from the Managed Unit.

After you have added one membership rule, you can add further membership rules for the same Managed Unit.

If you add several membership rules to the Managed Unit and some of them conflict with each other, then the conflict is resolved by a rule that defines the following order of precedence:

  1. Exclude Explicitly
  2. Include Explicitly
  3. Exclude by Query
  4. Exclude Group Members
  5. Include by Query
  6. Include Group Members

According to this, for example, the Exclude Explicitly rule takes precedence over all other types of rule. Therefore, the selected objects will be excluded from the Managed Unit even if another rule states that they should be included (for example, the objects that match the criteria defined in the Include by Query membership rule, or belong to a group selected in the Include Group Members rule).

NOTE: An exclusion rule type can be used to exclude only those objects that match one of the inclusion rules. For example, if a given Organizational Unit is included in a Managed Unit by an inclusion rule, all child objects held in the Organizational Unit are also included in that Managed Unit. However, only the entire Organizational Unit rather than its individual child objects can be excluded from the Managed Unit.

Once you have added membership rules, click Next. This displays a page shown in the figure that follows.

Figure 9: Managed unit - Permission and Policy settings

You can use this page to specify the permission and policy settings for the Managed Unit. When finished, click Next, and then click Finish. For information about permission settings, see Applying Access Templates later in this document. For information about policy settings, see Applying Policy Objects later in this document.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating