Chat now with support
Chat with Support

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Rescheduling temporal group memberships

The temporal membership settings on a group member include the start time and end time settings.

The start time setting specifies when the object is to be actually added to the group. This can be a specific date and time or an indication that the object should be added to the group immediately.

The end time setting specifies when the object is to be removed from the group. This can be a specific date and time or an indication that the object should not be removed from the group.

You can view or modify both the start time and end time settings using the Active Roles Console.

To view or modify the start or end time setting for a member of a group

  1. In the Active Roles Console, right-click the group and click Properties.

  2. In the list on the Members tab in the Properties dialog, click the member and then click Temporal Membership Settings.

  3. Use the Temporal Membership Settings dialog to view or modify the start or end time settings.

The Temporal Membership Settings dialog provides the following options:

  • Add to the group > Now: Indicates that the object should be added to the group at once.

  • Add to the group > On this date: Indicates the date and time when the object should be added to the group.

  • Remove from the group > Never: Indicates that the object should not be removed from the group.

  • Remove from the group > On this date: Indicates the date and time when the object should be removed from the group.

Regular members have the Add to group and Remove from group options set to Already added and Never, respectively. You can set a particular date for any of these options in order to convert a regular member to a temporal member.

NOTE: Consider the following when rescheduling temporal group memberships:

  • You can view or modify the start time and end time settings by managing an object rather than groups in which the object has memberships. Open the Properties dialog for that object, and then, on the Member Of tab, select the group for which you want to manage the start or end time setting of the object, and click Temporal Membership Settings.

  • On the Members or Member Of tab, you can change the start or end time setting for multiple members or groups at a time. From the list on the tab, select two or more items and click Temporal Membership Settings. Then, in the Temporal Membership Settings dialog, select check boxes to indicate the settings to change and make the changes you want.

Removing temporal members

You can remove temporal group members in the same way as regular group members. Removing a temporal member of a group deletes the temporal membership settings for that object with respect to that group. As a result, the object will not be added to the group. If the object already belongs to the group at the time of removal, then it is removed from the group.

To remove a temporal member of a group

  1. In the Active Roles Console, right-click the group, and then click Properties.

  2. On the Members tab in the Properties dialog, click the member, click Remove, and then click Apply.

NOTE: You can remove an object that is a temporal member of a group by managing the object rather than the group. Open the Properties dialog for that object, and then, on the Member Of tab, select the group from the list and click Remove.

Group Family

With Group Family, you can view or modify the start time and end time settings by managing an object rather than groups in which the object has memberships. Open the Properties dialog for that object, and then, on the Member Of tab, select the group for which you want to manage the start or end time setting of the object and click Temporal Membership Settings.

On the Members or Member Of tab, you can change the start or end time setting for multiple members or groups at a time. From the list on the tab, select two or more items and click Temporal Membership Settings. Then, in the Temporal Membership Settings dialog, select check boxes to indicate the settings to change and make the changes you want.

Provides for a separate category of rule-based policies specific to group auto-provision. Each policy of that category, referred to as Group Family, acts as a control mechanism for creating and populating groups.

Group Family automatically creates groups and maintains group membership lists in compliance with configurable rules, allowing group membership to be defined as a function of object properties in the directory. Group Family also allows for creation of new groups based on new values encountered in object properties.

For instance, in order to manage groups by geographical location, a Group Family can be configured to create and maintain groups for every value found in the City property of user accounts. Group Family discovers all values of that property in the directory and generates a group for each, populating the group with the users that have the same value of the City property. If a new value is assigned to the City property for some users, Group Family automatically creates a new group for those users. If a user has the value of the City property changed, Group Family modifies the group membership for that user accordingly.

The configuration of a Group Family does not have to be limited to a single property of objects. Rather, it can combine as many properties as needed. For example, a Group Family can be set up to look at both the Department and City properties. As a result, Group Family creates and maintains a separate group for each department in each geographical location.

Design overview of Group Family

The key design elements of Group Family are as follows:

  • Scoping by object location: This determines the directory containers that hold the objects to be managed by Group Family. The scope of Group Family can be limited to certain containers, thereby causing it to affect only the objects in those containers.

  • Scoping by object type and property: This determines the type of objects, such as User or Computer, to be managed by Group Family. Thus, the scope of Group Family can be limited to a set of objects of a certain type. The scope can be further refined by applying a filter in order for Group Family to manage only those objects that meet certain property-related conditions.

  • Grouping by object property: Group Family breaks up the set of managed objects (scope) into groupings, each of which is comprised of the objects with the same combination of values of the specified properties (referred to as group-by properties). For example, with Department specified as a group-by property for user objects, each grouping only includes the users from a certain department.

  • Creating or capturing groups: For each grouping, Group Family normally creates a new group to associate (link) with the grouping, and ensures the members of the grouping are the only members of that group. When creating groups to accommodate groupings, Group Family uses group naming rules that are based on the values of the group-by properties. Another option is to manually link existing groups with groupings; this operation is referred to as capturing groups.

  • Maintaining group membership lists based on groupings: During each subsequent run of Group Family, the groupings are re-calculated, and their associated groups are updated to reflect the changes in the groupings. This process ensures that the group associated with a given grouping holds exactly the same objects as the grouping. If a new grouping found, Group Family creates a group, links the group to the new grouping, and populates the group membership list with the objects held in that grouping.

  • Adjusting properties of generated groups: When Group Family creates a new group to accommodate a given grouping, the name and other properties of the new group are adjusted in compliance with the rules defined in the Group Family configuration. These rules are also used to determine the container where to create new groups, the group type and scope settings, and Exchange-related settings such as whether to mail-enable the generated groups.

  • Running on a scheduled basis: Group Family is a state-based policy by nature. During each run, it analyses the state of directory data, and performs certain provisioning actions based on the results of that analysis. Group Family can be scheduled to run at regular intervals, ensuring that all the groups are in place and the group membership lists are current and correct. In addition, Group Family can be run manually at any time.

  • Action summary log: Active Roles provides a log containing summary information about the last run of Group Family. The log includes descriptions of the error situations, if any occurred during the run, and summarizes the quantitative results of the run, such as the number of updated groups, the number of created groups, and the number of objects that have group memberships changed.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating