Chat now with support
Chat with Support

Active Roles 7.5 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo MFA Appendix H: Active Roles integration with Okta MFA

Adding activities to a workflow

The Active Roles console provides the Workflow Designer for creating and configuring workflows. First, you create a workflow definition. Then, you use the Workflow Designer to construct the workflow by adding and configuring workflow activities.

To add an activity to a workflow

  1. In the Active Roles console tree, expand Configuration | Policies | Workflow, and select the workflow to which you want to add an activity.

    This opens the Workflow Designer window in the details pane, representing the workflow definition as a process diagram.

  1. In the details pane, drag the activity from the left panel onto the process diagram.
  2. Right-click the name of the activity in the process diagram and click Properties.
  3. Use the Properties dialog box to configure the activity. See instructions later in this chapter.

If you add an activity to the upper part of the diagram (above the Operation execution line), the activity will be run in the pre-execution phase of operation processing (see Workflow processing overview earlier in this chapter). If you add an activity to the lower part of the diagram (beneath the Operation execution line), the activity will be run in the post-execution phase of operation processing. Certain activities, such as an Approval activity, which are intended to run in the pre-execution phase, cannot be added to the lower part of the diagram.

In the Properties dialog box, you can change the name and description of the activity. These settings are common to all activities. The name identifies the activity in the process diagram. The description appears as a tooltip when you point to the activity in the process diagram. To remove an activity from the process diagram, right-click the name of the activity and click Delete.

Configuring an Approval activity

The task of configuring an Approval activity includes the following steps:

  • Choose approvers and configure escalation.  You have to specify, at a minimum, a list of approvers for the initial approver level. Active Roles first assigns approval tasks to the approvers of that level. You can configure additional approver levels to enable escalation of approval tasks.
  • Choose properties for the approver to review, supply or change.  You can list the object properties that the approver must supply when performing the approval tasks (request for additional information), and choose whether the approver is allowed to view or change the object properties that are submitted for approval (review request).
  • Customize the pages for performing the approval task.  You can customize the header of the approval task page by choosing the task title and object properties to be included in the header, and configure custom action buttons in addition to the default action buttons Approve and Reject.
  • Configure notification.  You can choose the workflow events to notify of, specify the notification recipients and delivery options, and customize the notification message.

This section provides instructions on how to:

For instructions on how to configure notification settings, see Configuring a Notification activity later in this document.

Configure approvers

A valid approval rule must, at a minimum, specify a list of approvers for the initial approver level. Active Roles first assigns the approval task to the approvers of that level. You can configure additional approver levels to enable escalation of approval tasks.

To specify approvers for the initial approver level

  1. In the Active Roles console tree, expand Configuration | Policies | Workflow, and select the workflow containing the Approval activity you want to configure.

    This opens the Workflow Designer window in the details pane, representing the workflow definition as a process diagram.

  1. In the process diagram, right-click the name of the Approval activity and click Properties.
  2. In the Properties dialog box, click the Approvers tab.
  3. Verify that the Initial approver - level 0 item is selected in the Select approver level to configure box.
  4. Click the Designate approvers button.
  5. On the Approvers Selection page, select check boxes to specify approvers.
  6. If you have selected These users or groups, use the Add and Remove buttons to configure the list of approvers.

If you enable escalation on the initial approver level (see Configure escalation), then you have to specify approvers for escalation level 1 (the escalation level subsequent to the initial approver level). Active Roles allows up to 10 escalation levels, each containing a separate list of approvers. If you enable escalation on a given escalation level, then you have to specify approvers for the subsequent escalation level.

To specify approvers for a certain escalation level

  1. In the Select approver level to configure list, click the escalation level you want to configure.

    To configure a particular escalation level, you must first specify approvers and enable escalation on the preceding approver level.

  1. Click the Designate approvers button.
  2. On the Approvers Selection page, select check boxes to specify approvers.
  3. If you have selected These users or groups, use the Add and Remove buttons to configure the list of approvers.

The selection of approvers can be based on the Manager or Managed By property:

  • By selecting the Manager of person who requested operation check box, you configure the Approval activity so that the operations requested by a given user require approval from the manager of that user. With this option, the operation initiated by the user submits the approval task to the person specified as the manager of the user in the directory.
  • By selecting the Manager of operation target object or Manager of organizational unit where operation target object is located check box, you configure the Approval activity so that the changes to a given object require approval from the manager of that object or from the manager of the OU containing that object, respectively. With these options, the operation requesting changes to a given object submits the approval task to the person specified as the manager of the object or OU in the directory.
  • By selecting the Secondary owners of operation target object check box, you configure the Approval activity so that the changes to the operation target object require approval from any person who is designated as a secondary owner of that object. Secondary owners may be assigned to an object, in addition to the manager (primary owner), to load balance the management of the object.
  • By selecting the Manager of person being added or removed from target group check box, you configure the Approval activity so that the addition or removal of an object from the operation target group requires approval from the manager of that object. For example, given a request to add a user to the operation target group, this option causes the Approval activity to submit the approval task to the person specified as the manager of the user in the directory.

When you specify approvers for an escalation level, additional options are available:

  • Manager of approver of preceding level.  Use this option to escalate the approval task to the manager of the user or group that is designated as an approver on the preceding approver level. Suppose a given user is an initial approver, and escalation is enabled on the initial approver level. When escalation occurs, the approval task will be assigned to the manager of that user.
  • Secondary owner of approver of preceding level.  Use this option to escalate the approval task to the secondary owner of the user or group that is designated as an approver on the preceding approver level. Suppose a given group is an initial approver, and escalation is enabled on the initial approver level. When escalation occurs, the approval task will be assigned to the secondary owner of that group.

The selection of approvers may also be based on a script function that chooses the approver when the Approval activity is being executed. The function may access properties of objects involved in the operation, analyze the properties, and return an identifier of the user or group to be selected as an approver. For more information and instructions, refer to the “Developing Functions for Designating Approvers” topic in the Active Roles SDK documentation.

Configure escalation

An Approval activity may define multiple approver levels, each containing a separate list of approvers. Active Roles uses approver levels when escalating time-limited approval tasks. For each approver, level the Approval activity can specify a certain time period. If an approver of a given level does not complete the approval task within the specified time period, then Active Roles assigns the task to the approvers of the next level. This process is referred to as escalation.

A valid Approval activity must specify a list of approvers for the initial approver level. Active Roles first assigns the approval task to the approvers of that level. To enable escalation, a separate list of approvers must be specified for the subsequent escalation level.

To configure escalation on the initial approver level

  1. Specify approvers for the initial approver level (for instructions, see Configure approvers earlier in this document).
  2. Verify that the Initial approver - level 0 item is selected in the Select approver level to configure box.
  3. Select one or both of these options:
    • Approval task has a time limit of <number> days <number> hours.  Specify the time period within which the initial approver has to complete the approval task.
    • Allow approver to escalate approval task.  When selected, allows the approvers of the initial level to reassign their approval tasks to the approvers of escalation level 1.
  4. If you have selected only the first option (a time limit for the task), then select the Escalate approval task to Escalation level 1 option. Otherwise, escalation is not enabled.
  5. In the Select approver level to configure box, click Escalation level 1.
  6. Specify approvers for escalation level 1 (for instructions, see Configure approvers earlier in this document).

Active Roles allows up to 10 escalation levels, each containing a separate list of approvers. You can configure escalation levels one after another to create an escalation chain. Thus, after you have configured escalation on the initial approver level, you can configure escalation on escalation level 1, then you can configure escalation on escalation level 2, and so on. As a result, you could achieve the following sequence of events. If the initial approvers do not complete the approval task on time, then the task is assigned to the approvers of escalation level 1. If the approvers of escalation level 1 do not complete the approval task within their time frame, the task is assigned to the approvers of escalation level 2 with the new time limit. This escalation chain may contain up to 10 escalation levels.

To configure escalation on a certain escalation level

  1. In the Select approver level to configure list, click the escalation level you want to configure.

    To configure a particular escalation level, you must first specify approvers and enable escalation on the preceding approver level.

  1. Select one or both of these options:
    • Approval task has a time limit of <number> days <number> hours  Specify the time period within which the initial approver has to complete the approval task.
    • Allow approver to escalate approval task  When selected, allows the approvers of the current level to reassign their approval tasks to the approvers of the next level.
  2. If you have selected only the first option (a time limit for the task), then select the Escalate approval task to Escalation level <number> option. Otherwise, escalation is not enabled.
  3. In the Select approver level to configure box, click the item representing the subsequent escalation level.

    For example, if you are configuring escalation level 1, click the Escalation level 2 list item.

  1. Specify approvers for the subsequent escalation level (for instructions, see Configure approvers earlier in this document).

Note that each approver level has an individual configuration, so the escalation options of a given level apply only to that level. Thus, each approver level has a separate time limit, the option that determines whether to escalate the approval task after the time limit has expired, and whether the approvers of the given level are allowed to escalate the approval task manually.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating