Active Roles 8.2.1 - Administration Guide

Removing temporal members

You can remove temporal group members in the same way as regular group members. Removing a temporal member of a group deletes the temporal membership settings for that object with respect to that group. As a result, the object will not be added to the group. If the object already belongs to the group at the time of removal, then it is removed from the group.

To remove a temporal member of a group

  1. In the Active Roles Console, right-click the group, and then click Properties.

  2. On the Members tab in the Properties dialog, click the member, click Remove, and then click Apply.

NOTE: You can remove an object that is a temporal member of a group by managing the object rather than the group. Open the Properties dialog for that object, and then, on the Member Of tab, select the group from the list and click Remove.

Group Family

With Group Family, you can view or modify the start time and end time settings by managing an object rather than groups in which the object has memberships. Open the Properties dialog for that object, and then, on the Member Of tab, select the group for which you want to manage the start or end time setting of the object and click Temporal Membership Settings.

On the Members or Member Of tab, you can change the start or end time setting for multiple members or groups at a time. From the list on the tab, select two or more items and click Temporal Membership Settings. Then, in the Temporal Membership Settings dialog, select check boxes to indicate the settings to change and make the changes you want.

Active Roles provides a separate category of rule-based policies specific to group auto-provisioning. Each policy of that category, referred to as Group Family, acts as a control mechanism for creating and populating groups.

Group Family automatically creates groups and maintains group membership lists in compliance with configurable rules, allowing group membership to be defined as a function of object properties in the directory. Group Family also allows for creation of new groups based on new values encountered in object properties.

For instance, in order to manage groups by geographical location, a Group Family can be configured to create and maintain groups for every value found in the City property of user accounts. Group Family discovers all values of that property in the directory and generates a group for each, populating the group with the users that have the same value of the City property. If a new value is assigned to the City property for some users, Group Family automatically creates a new group for those users. If a user has the value of the City property changed, Group Family modifies the group membership for that user accordingly.

The configuration of a Group Family does not have to be limited to a single property of objects. Rather, it can combine as many properties as needed. For example, a Group Family can be set up to look at both the Department and City properties. As a result, Group Family creates and maintains a separate group for each department in each geographical location.

Design overview of Group Family

The key design elements of Group Family are as follows:

  • Scoping by object location: This determines the directory containers that hold the objects to be managed by Group Family. The scope of Group Family can be limited to certain containers, thereby causing it to affect only the objects in those containers.

  • Scoping by object type and property: This determines the type of objects, such as User or Computer, to be managed by Group Family. Thus, the scope of Group Family can be limited to a set of objects of a certain type. The scope can be further refined by applying a filter in order for Group Family to manage only those objects that meet certain property-related conditions.

  • Grouping by object property: Group Family breaks up the set of managed objects (scope) into groupings, each of which is comprised of the objects with the same combination of values of the specified properties (referred to as group-by properties). For example, with Department specified as a group-by property for user objects, each grouping only includes the users from a certain department.

  • Creating or capturing groups: For each grouping, Group Family normally creates a new group to associate (link) with the grouping, and ensures the members of the grouping are the only members of that group. When creating groups to accommodate groupings, Group Family uses group naming rules that are based on the values of the group-by properties. Another option is to manually link existing groups with groupings; this operation is referred to as capturing groups.

  • Maintaining group membership lists based on groupings: During each subsequent run of Group Family, the groupings are re-calculated, and their associated groups are updated to reflect the changes in the groupings. This process ensures that the group associated with a given grouping holds exactly the same objects as the grouping. If a new grouping is found, Group Family creates a group, links the group to the new grouping, and populates the group membership list with the objects held in that grouping.

  • Adjusting properties of generated groups: When Group Family creates a new group to accommodate a given grouping, the name and other properties of the new group are adjusted in compliance with the rules defined in the Group Family configuration. These rules are also used to determine the container where to create new groups, the group type and scope settings, and Exchange-related settings such as whether to mail-enable the generated groups.

  • Running on a scheduled basis: Group Family is a state-based policy by nature. During each run, it analyses the state of directory data, and performs certain provisioning actions based on the results of that analysis. Group Family can be scheduled to run at regular intervals, ensuring that all the groups are in place and the group membership lists are current and correct. In addition, Group Family can be run manually at any time.

  • Action summary log: Active Roles provides a log containing summary information about the last run of Group Family. The log includes descriptions of the error situations, if any occurred during the run, and summarizes the quantitative results of the run, such as the number of updated groups, the number of created groups, and the number of objects that have group memberships changed.

How Group Family works

The Group Family configuration specifies rules to determine:

  • Scope: The set of directory objects managed by Group Family is referred to as scope. The scope can be limited to objects of a certain category (such as User objects) located in certain Organizational Units. Filtering can be applied to further refine the scope.

  • Groupings: Group Family divides the scope into sub-sets referred to as groupings. Each grouping consists of objects with the same values of certain properties, referred to as group-by properties. Each grouping is identified by a certain combination of values of the group-by properties, with a list of all the combinations being stored and maintained as part of the Group Family configuration.

  • Group names: Unless otherwise specified, Group Family creates a new group for each new grouping found, with the group name being generated in accordance with the group naming rules. It is also possible to manually assign existing groups to some groupings, causing Group Family to capture those groups.

  • Links: For each grouping, Group Family creates or captures a group, links the group to the grouping, and populates the group with the objects found in the grouping. During each subsequent run, Group Family uses the link information to discover the group linked to the grouping, and updates the membership list of that group to reflect the changes in the grouping. The groups known to Group Family via the link information are referred to as controlled groups.

During the first run, Group Family performs as follows:

  1. The scope is calculated and analyzed to build a list of all the existing combinations of values of the group-by properties. The list is then added to the Group Family configuration.

  2. For each combination of values, a grouping is calculated consisting of all objects in the scope that have the group-by properties set to the values derived from that combination.

  3. For each grouping, a group is created or captured, and linked to the grouping. The Group Family configuration is updated with information about those links. Whether to create or capture a group is determined by the Group Family configuration.

  4. For each group linked to a certain grouping (controlled group), the membership list is updated to only include the objects found in that grouping. All the existing members are removed from the group and then all the objects found in the grouping are added to the group.

During a subsequent run, Group Family performs as follows:

  1. The scope is calculated and analyzed to build up a list of all the existing combinations of values of the group-by properties. The Group Family configuration is then updated with that list.

  2. For each combination of values, a grouping is calculated consisting of all objects in the scope that have the group-by properties set to the values derived from that combination.

  3. For each grouping, a link information-based search is performed to discover the group linked to that grouping. If the group has been found, its membership list is updated so the group only includes the objects found in the grouping. Otherwise, a group is created or captured, linked to the grouping, and populated with the objects found in the grouping.

When creating a group to accommodate a given grouping, Group Family uses the group naming rules to generate a name for that group. The rules define a name based on the combination of values of the group-by properties that identifies the grouping. The group naming rules are stored as part of the Group Family configuration.

When capturing an existing group to accommodate a given grouping, Group Family uses a group-to-grouping link created manually and stored as part of the Group Family configuration. The link specifies the combination of values of the group-by properties to identify the grouping, and determines the group to be linked to that grouping.
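
The first-run and subsequent-run steps above, modelled as an added Python example (not One Identity code and not an Active Roles API). The OU, user names, the `GF-` naming rule and the captured `IT-Legacy` group are constructed for illustration. It shows that a controlled group's membership is overwritten from its grouping, so members already in a captured group, or added out of band between runs, do not survive a run.

```python
from collections import defaultdict

GROUP_BY = ("Department", "City")  # group-by properties
OU = "OU=Staff,DC=example,DC=com"  # constructed scope container

def user(name, dept, city, ou=OU):
    return {"name": name, "type": "User", "dn": f"CN={name},{ou}",
            "Department": dept, "City": city}

def run_group_family(directory, groups, links):
    """One run. groups: {group: set(members)}; links: {combination: group}.
    Returns a summary modelled on the action summary log."""
    groupings = defaultdict(set)
    for obj in directory:  # scope: User objects located in the OU
        if obj["type"] == "User" and obj["dn"].endswith("," + OU):
            groupings[tuple(obj[p] for p in GROUP_BY)].add(obj["name"])
    log = {"created": [], "updated": [], "dropped": {}}
    for combo, members in sorted(groupings.items()):
        name = links.get(combo)
        if name is None:  # new grouping: create a group and link it
            name = links[combo] = "GF-" + "-".join(combo)  # hypothetical naming rule
            groups[name] = set()
            log["created"].append(name)
        current = groups.setdefault(name, set())
        if current - members:  # members outside the grouping do not survive
            log["dropped"][name] = current - members
        if current != members:
            groups[name] = set(members)
            if name not in log["created"]:
                log["updated"].append(name)
    return log

if __name__ == "__main__":
    directory = [user("alice", "Sales", "Boston"), user("bob", "Sales", "Boston"),
                 user("carol", "IT", "Boston"),
                 user("erin", "IT", "Boston", ou="OU=Contractors,DC=example,DC=com")]
    groups = {"IT-Legacy": {"dave"}}          # existing group with a manual member
    links = {("IT", "Boston"): "IT-Legacy"}   # manual link: capture this group
    print(run_group_family(directory, groups, links), groups)
    directory[1]["City"] = "Denver"           # bob relocates
    groups["GF-Sales-Boston"].add("mallory")  # out-of-band addition to a controlled group
    print(run_group_family(directory, groups, links), groups)
```

The `dropped` entry in each summary is the part worth reviewing before capturing an existing group: it lists the accounts that lose membership because they are not in the linked grouping.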
