Active Roles 8.2.1 - Administration Guide


Creating a provisioning policy for Starling Connect

You can create a new provisioning policy for Starling Connect in the Active Roles Console by configuring a new Policy Object based on the Autoprovisioning in SaaS products policy.

To create a Policy Object for Starling Connect

  1. In the Console tree, navigate to Configuration > Policies > Administration.

  2. To open the New Provisioning Policy Object Wizard dialog, right-click Administration, then select New > Provisioning Policy.

  3. On the Name and Description page, provide a unique Name for the new Policy Object. Optionally, also provide a Description. To continue, click Next.

  4. On the Policy to Configure page, select Autoprovisioning in SaaS products, then click Next.

  5. On the Object Type Selection page, click Select.

    1. In the Select Object Type dialog, from the Object types list, select User or Group, then click OK.

    2. Click Next.

    3. On the Policy Conditions page, from the Starling Connect Connectors list, select the connectors to be provisioned for the user or group as part of the policy. Click Next.

  6. Click Next, then follow the instructions in the wizard to create (and optionally, immediately apply) the Policy Object.

  7. To apply the Policy Object:

    • Use the Enforce Policy page in the New Policy Object Wizard.

    • Alternatively, complete the New Policy Object Wizard, then use the Enforce Policy command on the domain, OU, or Managed Unit where you want to apply the policy.

    For more information on how to apply a Policy Object, see Linking Policy Objects to directory objects.

IMPORTANT: Consider the following when configuring a Policy Object for Starling Connect:

  • To allow SaaS operations for resources (such as users) in a container (such as an Organizational Unit), you must apply the configured policy on the container.

  • SaaS operations for each connector may vary from each other. Each connector may have a set of mandatory attributes to perform any operation.

  • SaaS operations will fail if any of the mandatory attributes are missing from that particular operation request. The notification for the failed event lists all the mandatory attributes that were missing. If this happens, create the corresponding virtual attributes, and customize the Web Interface so that the value of each virtual attribute can be entered during the specified operation. This way, the attribute value is passed as part of the request.

Configuring Deprovisioning Policy Objects

Deprovisioning Policy Objects allow you to configure and apply the following policies.

For more details on how the following Policy Objects work, see the relevant subsections of About Deprovisioning Policy Objects in the Active Roles Feature Guide.

Table 8: Deprovisioning Policy Objects

Policy

Description

User Account Deprovisioning

Modifies the user account to prevent using it for logging in. Use this policy to:

  • Disable user accounts.

  • Set user passwords to a random value.

  • Set user login names to random values.

  • Rename user accounts.

You can also select account properties and configure this policy to update them when processing a deprovisioning request.

For more information on configuring this policy, see Configuring a User Account Deprovisioning policy.

Group Membership Removal

Removes the user account from the specified group(s). Use this policy to remove the account from security groups, mail-enabled groups, or both.

NOTE: In the scope of this policy, "mail-enabled groups" can be distribution groups and mail-enabled security groups as well.

You can also select the groups from which you do not want this policy to remove the user account, or configure the policy not to remove the user account from any security groups or mail-enabled groups.

For more information on configuring this policy, see Configuring a Group Membership Removal policy.

User Account Relocation

Moves the user account to a different location. You can select the Organizational Unit to which you want the policy to move the deprovisioned account.

For more information on configuring this policy, see Configuring a User Account Relocation policy.

Exchange Mailbox Deprovisioning

Deprovisions the Microsoft Exchange resources of the user. Use this policy to:

  • Hide the mailbox from the global address list (GAL).

  • Prevent sending non-delivery reports (NDR).

  • Grant selected users or groups (for example, the manager of the user) full access to the user’s mailbox.

  • Block message forwarding to alternate recipients.

  • Forward all incoming messages to the selected user (for example, the manager of the user).

For more information on configuring this policy, see Configuring an Exchange Mailbox AutoProvisioning policy.

Home Folder Deprovisioning

Prevents the deprovisioned user from accessing their home folder. Use this policy to:

  • Remove the user’s permissions to their home folder.

  • Grant read-only access for the specified users or groups (for example, the manager of the user) to the user’s home folder.

  • Grant ownership for the selected user or group to the user’s home folder.

  • Delete the home folder when the user account is deleted.

For more information on configuring this policy, see Configuring a Home Folder Deprovisioning policy.

User Account Permanent Deletion

Schedules the user account for deletion. You can specify:

  • The number of days (known as "retention period") before the user account is deleted.

  • Moving the user account immediately to the Active Directory Recycle Bin.

For more information on configuring this policy, see Configuring a User Account Permanent Deletion policy.

Group Object Deprovisioning

Deprovisions the group object(s) in the scope of the policy, preventing their use in Active Directory. Use this policy to:

  • Hide the group in the Global Address List (GAL).

  • Change the group type from Security to Distribution.

  • Rename the group.

  • Remove members from the group.

  • Change or clear any other properties of the group object.

For more information on configuring this policy, see Configuring a Group Object Deprovisioning policy.

Group Object Relocation

Moves the group object(s) to a different container in Active Directory. You can select the Organizational Unit to which you want the policy to move the group.

For more information on configuring this policy, see Configuring a Group Object Relocation policy.

Group Object Permanent Deletion

Schedules the group object(s) for deletion in Active Directory. You can specify:

  • The number of days (known as "retention period") before the group object is deleted.

  • Moving the group object immediately to the Active Directory Recycle Bin.

For more information on configuring this policy, see Configuring a Group Object Permanent Deletion policy.

Notification Distribution

Sends a notification message about the deprovisioning procedure to the email recipients you specify. You can customize both the message subject and message body.

For more information on configuring this policy, see Configuring a Notification Distribution policy.

Report Distribution

Sends a report about the deprovisioning procedure to the email recipients you specify. The report includes:

  • The list of actions taken during the deprovisioning operation.

  • The details of the deprovisioning activity.

You can set the subject of the email message containing the report. You can also configure this policy to send the report only if any errors occurred during the deprovisioning operation.

For more information on configuring this policy, see Configuring a Report Distribution policy.

Script Execution

Runs the specified script during the deprovisioning operation. Using custom scripts lets you implement custom deprovisioning actions.

For more information on configuring this policy, see Configuring a Script Execution policy.

Office 365 Licenses Retention

Automates the retention of all or the selected Microsoft 365 licenses assigned to the deprovisioned Azure AD user.

For more information on configuring this policy, see Configuring a Microsoft 365 license retention policy.

User Account Deprovisioning

User Account Deprovisioning policies automate the following deprovisioning tasks on user accounts:

  • Disabling the user account.

  • Setting the user password to a random value.

  • Setting the user login names to random values.

  • Renaming the user account.

  • Modifying other properties of the user account (for example, user membership in Managed Units).

After the deprovisioning of the user account is completed, the user will be unable to log in to the network with their credentials.

For a detailed description of this policy, see Concept: User Account Deprovisioning in the Active Roles Feature Guide.
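The following PowerShell function is an added illustration of what the deprovisioning tasks listed above do to an account at the Active Directory level; it is not Active Roles product code and does not use Active Roles cmdlets. It assumes the Windows ActiveDirectory module is installed, that the caller has rights on the target account, and that the hypothetical parameters $SamAccountName, $TargetOU and $RenameSuffix are supplied by the caller.

```powershell
# Added example (not Active Roles code): reproduces the User Account Deprovisioning
# actions (disable, random password, random logon names, rename) and, optionally,
# the User Account Relocation action, with the ActiveDirectory module.
Import-Module ActiveDirectory

function New-RandomString {
    param([int]$Length = 20)
    # Cryptographic RNG, so the random password and logon names cannot be predicted.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Invoke-UserDeprovisioning {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # account to deprovision
        [string]$TargetOU,                               # optional: relocation target OU (DN)
        [string]$RenameSuffix = '-deprovisioned'         # appended to the object name
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    $domain = ($user.UserPrincipalName -split '@')[1]
    $random = New-RandomString -Length 12                # fits the 20-char sAMAccountName limit

    # 1. Disable the user account.
    Disable-ADAccount -Identity $user

    # 2. Set the password to a random value; it is never displayed or stored.
    $newPwd = ConvertTo-SecureString (New-RandomString -Length 32) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd

    # 3. Set the user logon name (UPN) and the pre-Windows 2000 logon name to random values.
    Set-ADUser -Identity $user -UserPrincipalName "$random@$domain" -SamAccountName $random

    # 4. Rename the user account.
    Rename-ADObject -Identity $user.DistinguishedName -NewName ($user.Name + $RenameSuffix)

    # 5. Optional User Account Relocation: move the account to the retention OU.
    if ($TargetOU) {
        $renamed = Get-ADUser -Identity $random
        Move-ADObject -Identity $renamed.DistinguishedName -TargetPath $TargetOU
    }

    # Return the resulting state so the caller can verify Enabled is $false.
    Get-ADUser -Identity $random -Properties Enabled, UserPrincipalName, DistinguishedName
}
```

Run it against a test account first (for example, Invoke-UserDeprovisioning -SamAccountName 'testuser' -TargetOU 'OU=Deprovisioned,DC=example,DC=com') and confirm the returned object shows Enabled set to $false and the randomized names.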

Configuring a User Account Deprovisioning policy

To configure a User Account Deprovisioning policy

  1. On the Policy to Configure page, select User Account Deprovisioning, and then click Next.

    Figure 40: User Account Deprovisioning

  2. On the Option to Prevent Logon page, select the options you want the policy to apply when deprovisioning a user account. You can select any combination of these options:

    • Disable the user account

    • Set the user’s password to a random value

    • Set the user logon name to a random value

    • Set the user logon name (pre-Windows 2000) to a random value

    • Rename the user account to

  3. If you selected Rename the user account to, click Configure, then complete the Configure Value dialog by using the procedure outlined later in this topic to specify how you want the policy to update the user name when deprovisioning a user account.

  4. Click Next.

  5. On the Properties to Be Updated page, specify how you want the policy to update user properties when deprovisioning a user account:

    • Click Add, then complete the Select Object Property dialog by using the procedure outlined later in this topic to add property update rules.

    • Use View/Edit to modify existing rules.

    • Use Remove to delete existing rules.

  6. Click Next.

  7. On the Enforce Policy page, you can specify objects to which this Policy Object is to be applied:

    • Click Add, and use the Select Objects dialog to locate and select the objects you want.

  8. Click Next, and then click Finish.

To complete the Configure Value dialog

  1. Click Add.

  2. Configure an entry to include in the value. For more information, see Configuring entry types.

  3. In the Configure Value dialog, add more entries, delete or edit existing ones, and then click OK.

To complete the Select Object Property dialog

  1. From the Object property list, select an object property, and then click OK. The Add Value dialog appears.

    If you select multiple properties, the Add Value dialog is not displayed. The properties you have selected are added to the list on the Properties to Be Updated page, with the update rule configured to clear those properties, that is, to assign them the “empty” value.

  2. In the Add Value dialog, do one of the following:

    • Select Clear value if you want the update rule to assign the empty value to the property.

    • Select Configure value if you want the update rule to assign a certain, non-empty value to the property. Then, click Configure and complete the Configure Value dialog by using the instructions given earlier in this topic.
