Chat now with support
Chat with Support

Active Roles 7.5 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo MFA Appendix H: Active Roles integration with Okta MFA

Applying Access Templates

Active Roles allows Access Templates to be applied to any objects—administrative views (Managed Units), directory folders (containers), or individual (leaf) objects.

When applying an Access Template to an object, you designate a Trustee (user or group) and assign permissions to the Trustee for that object. As a result, the Trustee gets access to the object according to permissions defined in the Access Template.

For example, two assistants of a directory administrator might be delegated full control of different domains; Help Desk might be assigned the administrative role to reset passwords.

NOTE: When you apply Access Templates to a folder, you can configure the permission settings to propagate from the folder to its child objects, down the directory structure.

To apply an Access Template, you need to start and complete the Delegation of Control wizard.

You can start the Delegation of Control wizard from any of the following points:

  • Access Template  Right-click the Access Template, click Links, and then click the Add button. Access Templates are located in the Configuration/Access Templates container.

    When started in this way, the wizard allows you to select directory objects where to apply the Access Template and Trustees for those objects.

  • Securable object  Depending on whether the object is a container or leaf object, do one of the following:
    • For a container or a Managed Unit, right-click it, click Delegate Control, and then click the Add button.
    • For a leaf object, display the Properties dialog box, go to the Administration tab, click the Security button, and then click the Add button.

    When started in this way, the wizard allows you to select Trustees for the object and Access Templates to define the Trustees’ rights to the object.

  • Security principal (Trustee)  Right-click the group or user you want to designate as a Trustee, click Delegated Rights, and then click the Add button.

    When started in this way, the wizard allows you to select objects for which you want to designate the Trustee and Access Templates to define the Trustees’ rights to those objects.

You can also start the Delegation of Control wizard from the advanced details pane (ensure that Advanced Details Pane is checked on the View menu):

  • Select an Access Template, right-click a blank area on the Links tab, and then click Add.

    When started in this way, the wizard allows you to select directory objects where to apply the Access Template and Trustees for those objects.

  • Select a directory object (securable object), right-click a blank area on the Active Roles Security tab, and then click Add.

    When started in this way, the wizard allows you to select Trustees for the object and Access Templates to define the Trustees’ rights to the object.

The rest of this section provides instructions on how to complete the Delegation of Control wizard, assuming that you start the wizard from the object of which control you want to delegate (securable object). For instructions on how to complete the wizard in the other cases, see Steps for applying an Access Template later in this chapter.

If you start Delegation of Control wizard from a securable object, clicking Next on the Welcome page displays the Users or Groups page, shown in the following figure.

Figure 16: Delegation of control - Users or Groups

On the Users or Groups page, click Add to display the Select Objects dialog box where you can select groups or users to be designated as Trustees. Type or select the names of the users or groups you want to add to the list, and then click OK.

After you have completed the list on the Users or Groups page, click Next. This displays the Access Templates page, shown in the following figure.

Figure 17: Delegation of control - Access Templates

On the Access Templates page, expand containers that hold Access Templates, and select check boxes next to the names of the Access Templates you want to apply.

When you are done with selecting Access Templates, click Next. This displays the Inheritance Options page, shown in the following figure.

Figure 18: Delegation of Control - Inheritace Options

On the Inheritance Options page, you can select the following options to control inheritance of permissions:

  • This directory object  Ensures that the Trustees have administrative rights to the securable object itself.
  • Child objects of this directory object  Ensures that the Trustees have administrative rights to the child objects of securable object, down the directory structure.
  • Immediate child objects only  Limits the Trustees’ rights to only immediate child objects of the securable object.

By default, the first two options are selected.

Click Next. This displays the Permissions Propagation page where you can select the Propagate permissions to Active Directory check box. If you do so, the permission settings you are configuring are synchronized to Active Directory. As a result, the Trustees may also exercise their rights outside the Active Roles environment, thus incurring a potential risk of bypassing policies configured and enforced with Active Roles. Therefore, you should use this option carefully.

By default, the Propagate permissions to Active Directory check box is cleared. If you choose to select it, you can change this setting at any time by using the Sync to AD button in the Active Roles Security window or Sync to AD command in the advanced details pane (see Synchronizing permissions to Active Directory later in this chapter).

Click Next, and then click Finish to complete the wizard.

Steps for applying an Access Template

To apply an Access Template

  1. In the console tree, under Configuration | Access Templates, locate and select the folder that contains the Access Template you want to apply.
  2. In the details pane, right-click the Access Template, and click Links.
  3. In the Links dialog box, click Add to start the Delegation of Control wizard.
  4. On the Welcome page of the wizard, click Next.
  5. On the Objects page, add or remove the objects on which you want to specify permission settings by using the Access Template:
    • To add objects, click Add, and then use the Select Objects dialog box to locate and select the objects.
    • To remove objects, select them from the list on the Objects page, and click Remove.
  6. Click Next.
  7. On the Users or Groups page, add or remove the users or groups (Trustees) to whom you want to assign the permissions defined by the Access Template on the objects that you have included on the Objects page:
    • To add users or groups, click Add, and then use the Select Objects dialog box to locate and select the users or groups.
    • To remove users or groups, select them from the list on the Users or Groups page, and click Remove.
  8. Click Next.
  9. On the Inheritance Options page, select or clear these check boxes as needed:
    • This directory object  Specify permission settings on the objects you have included on the Objects page.
    • Child objects of this directory object  Specify permission settings on all the child objects (or members, as applied to a Managed Unit) in the entire hierarchy under each of the objects you have included on the Objects page.
    • Immediate child objects only  Specify permission settings on only the child objects (or members, as applied to a Managed Unit) of which the objects that you have included on the Objects page are the direct ancestors.
  10. Click Next.
  11. On the Permissions Propagation page, if you want the Access Template-based permission settings to be synchronized to the native Active Directory access controls, select Propagate permissions to Active Directory. Doing so causes the authorization information on the objects to be modified in Active Directory based on the permission settings defined within Active Roles.
  12. Click Next.
  13. Click Finish.

To specify permission settings on an object by using an Access Template

  1. Open the Active Roles Security dialog box for the object:
    • Right-click the object, and click Delegate Control.

    OR

    • Right-click the object, and click Properties. Then, on the Administration tab in the Properties dialog box, click Security.
  2. In the Active Roles Security dialog box, click Add to start the Delegation of Control wizard.
  3. On the Welcome page of the wizard, click Next.
  4. On the Users or Groups page, add or remove the users or groups (Trustees) to whom you want to assign permissions on the object:
    • To add users or groups, click Add, and then use the Select Objects dialog box to locate and select the users or groups.
    • To remove users or groups, select them from the list on the Users or Groups page, and click Remove.
  5. Click Next.
  6. On the Access Templates page, select the Access Template to apply.

    You can select multiple Access Templates to apply.

  1. Click Next.
  2. On the Inheritance Options page, select or clear these check boxes as needed:
    • This directory object  Specify permission settings on the object itself.
    • Child objects of this directory object  Specify permission settings on all the child objects (or members, as applied to a Managed Unit) in the entire hierarchy under the object.
    • Immediate child objects only  Specify permission settings on only the child objects (or members, as applied to a Managed Unit) of which the object is the direct ancestor.
  3. Click Next.
  4. On the Permissions Propagation page, if you want the Access Template-based permission settings to be synchronized to the native Active Directory access controls, select Propagate permissions to Active Directory. Doing so causes the authorization information on the object to be modified in Active Directory based on the permission settings defined within Active Roles.
  5. Click Next.
  6. Click Finish.

To specify permissions for a user or group by using an Access Template

  1. Right-click the user or group, and click Delegated Rights.
  2. In the Delegated Rights dialog box, click Add to start the Delegation of Control wizard.
  3. On the Welcome page of the wizard, click Next.
  4. On the Objects page, add or remove the objects on which you want to specify permissions for the user or group:
    • To add objects, click Add, and then use the Select Objects dialog box to locate and select the objects.
    • To remove objects, select them from the list on the Objects page, and click Remove.
  5. Click Next.
  6. On the Access Templates page, select the Access Template to apply.
  7. You can select multiple Access Templates to apply.
  8. Click Next.
  9. On the Inheritance Options page, select or clear these check boxes as needed:
    • This directory object  Specify permissions on the objects you have included on the Objects page.
    • Child objects of this directory object  Specify permissions on all the child objects (or members, as applied to a Managed Unit) in the entire hierarchy under each of the objects you have included on the Objects page.
    • Immediate child objects only  Specify permissions on only the child objects (or members, as applied to a Managed Unit) of which the objects that you have included on the Objects page are the direct ancestors.
  10. Click Next.
  11. On the Permissions Propagation page, if you want the Access Template-based permission settings to be synchronized to the native Active Directory access controls, select Propagate permissions to Active Directory. Doing so causes the authorization information on the objects to be modified in Active Directory based on the permission settings defined within Active Roles.
  12. Click Next.
  13. Click Finish.

NOTE:

  • Active Roles allows Access Templates to be applied to any objects, including Managed Units, directory folders (containers), and individual (leaf) objects.
  • When applying an Access Template to an object, you designate a Trustee (user or group) and assign permissions to the Trustee for that object. As a result, the Trustee gains access to the object to the extent of the permissions defined by the Access Template.
  • To apply an Access Template, you use the Delegation of Control wizard. You can start the wizard as described in this topic. In addition, you can start the wizard from the Links or Active Roles Security tab in the advanced details pane: Right-click a blank area on the tab, and click Add. To display the advanced details pane, check Advanced Details Pane on the View menu (see Advanced pane earlier in this document).

Managing Access Template links

When applying an Access Template, Active Roles creates an Access Template link. Thus, administrative rights are specified by linking Access Templates to securable objects—Managed Units, directory folders (containers), or individual (leaf) objects.

Each Access Template link includes the identifier (SID) of the security principal—user or group—to which the specified administrative rights are assigned. When an Access Template link is created, the user or group becomes a Trustee over the collection of objects or the folder to which the Access Template is linked, with permissions specified by that Access Template.

When an Access Template is modified or no longer applied, the permission information on objects affected by the Access Template changes accordingly.

You can display a list of Access Template links starting from one of the following points:

  • Access Template  Right-click an Access Template and click Links.

    This displays the links in which the Access Template occurs.

  • Security principal (Trustee)  Right-click a group or user, and click Delegated Rights.

    This displays the links in which the group or user occurs as a Trustee either directly or due to group memberships.

  • Securable object  Right-click a container object or Managed Unit and click Delegate Control. For a leaf object, open the Properties dialog box, go to the Administration tab, and click Security.

    This displays the links in which the selected object occurs as a securable object (referred to as Directory Object).

Another way to see a list of Access Template links is to use the advanced details pane. Ensure that Advanced Details Pane is checked on the View menu, and then select one of the following:

  • Access Template

    The Links tab lists the links in which the selected Access Template occurs.

  • Other object (Managed Unit, container, or leaf object)

    The Active Roles Security tab lists the links in which the selected object occurs as a securable object (referred to as Directory Object).

The Active Roles console displays a list of Access Template links in a separate window. Thus, the Active Roles Security window is displayed when you start from a securable object (for example, by clicking a Managed Unit or Organizational Unite and then clicking Delegate Control).

Each entry in the list of the Access Template links includes the following information:

  • Trustee  The link defines administrative rights of this security principal (group or user).
  • Access Template  The Access Template that determines the Trustee’s rights.
  • Directory Object  The link defines the Trustee’s rights to this securable object.
  • Sync to Native Security  Indicates whether the permissions are synced to Active Directory.
  • Disabled  Indicates whether the link is disabled. If a link is disabled, the permissions defined by that link have no effect.
  • Access Rule  Indicates whether an Access Rule is applied to this link (see Windows claims-based Access Rules).

The Active Roles Security window (as well as the Active Roles Security tab in the advanced details pane) lists the links of these categories:

  • Direct links  Access Template is applied (linked) directly to the securable object you have selected.
  • Inherited links  Access Template is applied (linked) to a container in the hierarchy of containers above the securable object you have selected, or to a Managed Unit to which the securable object belongs.

The links inherited from parent objects can be filtered out of the list:

  • When using the Active Roles Security window, clear the Show inherited check box.
  • When using the Active Roles Security tab, right-click the list and then click Show Inherited to uncheck the menu item.

A window or tab that displays Access Template links allows you to manage links. In a window, you can use buttons beneath the list. In a tab, you can right-click a list entry or a blank area, and then use commands on the shortcut menu. For example, the following buttons appear in the Active Roles Security window:

  • Add  Starts the Delegation of Control wizard to create apply Access Templates.
  • Remove  Deletes the selected entries from the list of links. Available for direct links only.
  • View/Edit  Displays the dialog box to view or modify link properties such as permissions inheritance and propagation options.
  • Sync to AD  Toggles the permissions propagation option of the links selected in the list.
  • Disable  Disables or enables the link. If a link is disabled, the permissions specified by the link takes no effect.

TIP: In the Active Roles Security dialog box, the Remove button is available on direct links only. When you need to delete links, it is advisable to manage them using the Links command on the Access Template.

Steps for managing Access Template links

When you apply an Access Template (see Applying Access Templates earlier in this document), Active Roles creates an object, referred to as an Access Template link, that stores information about the Access Template, the directory object on which the Access Template is applied, and the user or group (Trustee) to whom the permissions are assigned. Basically, the management of permission settings in Active Roles comes to the management of Access Templates and Access Template links. This topic provides some instructions you can use to view or modify Access Template links.

To view or modify Access Template links in which a given Access Template occurs

  1. Right-click the Access Template, and click Links.
  2. In the Links dialog box, do the following:
    • To create a new link, click Add and follow the steps in the Delegation of Control wizard to apply an Access Template (see Steps for applying an Access Templateearlier in this document).
    • To delete a link, select it from the list and click Remove.
    • To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.
    • To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.
    • To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.

To view or modify Access Template links on a given object

  1. Open the Active Roles Security dialog box for the object:
    • Right-click the object, and click Delegate Control.

    OR

    • Right-click the object, and click Properties. Then, on the Administration tab in the Properties dialog box, click Security.
  2. In the Active Roles Security dialog box, do the following:
    • To create a new link, click Add and follow the steps in the Delegation of Control wizard to specify permission settings on the object by using an Access Template (for instructions, see Steps for applying an Access Template earlier in this document).
    • To delete a link, select it from the list and click Remove.
    • To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.
    • To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.
    • To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.

To view or modify Access Template links for a given user or group

  1. Right-click the user or group, and click Delegated Rights.
  2. In the Delegated Rights dialog box, do the following:
  3. To create a new link, click Add and follow the steps in the Delegation of Control wizard to specify permissions for the user or group by using an Access Template (for instructions, see Steps for applying an Access Template earlier in this document).
  4. To delete a link, select it from the list and click Remove.
  5. To view or modify the inheritance and synchronization settings for a link, select the link and click View/Edit.
  6. To change the synchronization setting for a link, select the link and click Sync to AD or Desync to AD.
  7. To remove or restore the effect of a link, select the link and click Disable or Enable, respectively.

NOTE:

  • By default, the Active Roles Security dialog box for an object lists all the links that determine the permission settings on the object, regardless of whether a link was created on the object itself or on a container or Managed Unit that holds the object. To change the display of the list, clear the Show inherited check box.
  • In the Active Roles Security dialog box, only direct links can be removed, that is, a link can be removed if the link was created on the object itself (not inherited from a container or Managed Unit). Only direct links are displayed when you clear the Show inherited check box, so you can delete them by clicking Remove.
  • In the Active Roles Security dialog box, the Remove button is available only on direct links. When you need to delete links, it is advisable to manage this by using the Links command on the Access Template or by using the Delegated Rights command on the Trustee (user or group). Alternatively, you can delete a link by using View/Edit: Select the link and click View/Edit; then, click Properties next to the Access Template box; then, on the Administration tab, click Links, and, finally, delete the link from the Links dialog box.
  • In the Active Roles Security dialog box, the Sync to AD button is available only on direct links. When you need to change synchronization status of a link, it is advisable to manage this by using the Links command on the Access Template or by using the Delegated Rights command on the Trustee (user or group). Alternatively, you can change the synchronization status of a link by using View/Edit: Select the link and click View/Edit; then, on the Synchronization tab, select or clear Propagate permissions to Active Directory.
  • Clicking View/Edit displays the Properties dialog box for the selected link. This dialog box can be considered as a focal point for administration of all elements of the link. Thus, from the Properties dialog box, you can access the properties of the directory object, Access Template and Trustee that are covered by the link, view or modify the settings found on the Inheritance Options and Permissions Propagation pages in the Delegation of Control wizard, and enable or disable the link.
  • You can also manage Access Template links on the Links or Active Roles Security tab in the advanced details pane, which allows you to perform the same tasks as the Links or Active Roles Security dialog box, respectively. Right-click a link or a blank area on the tab, and use command on the shortcut menu. The Links tab is displayed when you select an Access Template. Otherwise, the Active Roles Security tab is displayed. To display the advanced details pane, check Advanced Details Pane on the View menu (see Advanced pane earlier in this document).
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating