
Identity Manager 8.0 - Administration Guide for Active Roles Integration

Active Roles Integration

One Identity Manager supports the connection of Active Directory systems through an integrated Active Roles connector. Additional Active Directory relevant functionality, for example Microsoft Exchange, Office Communication Services or Active Directory Lightweight Directory Service (AD LDS) is not supported through this connector.

In the default configuration of processes and synchronization behavior, One Identity Manager is assumed to be the master system and is allowed to bypass Active Roles workflows. This default behavior requires an administrative account. Active Roles workflows can still be enforced through the integrated Active Roles connector; you may need to define custom processes in One Identity Manager in order to use this functionality.

NOTE: For more detailed information about applying, managing and configuring One Identity Active Roles, see your Active Roles documentation.

NOTE: This guide covers only the features specific to using the Active Roles connector. For managing Active Directory with One Identity Manager, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Architecture Overview

The following servers are used for managing an Active Directory system with One Identity Manager and Active Roles:

  • Active Roles server

    Active Roles server, which establishes the connection to the Active Directory domain controller. The synchronization server connects to the Active Roles server.

  • Synchronization server

Communication between the One Identity Manager Service and Active Roles is executed from the synchronization server. The One Identity Manager Service is installed on this server together with the Active Roles connector. Entries that are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server connects to the Active Roles server.

The One Identity Manager Active Roles connector uses the Active Roles ADSI interface for communicating with an Active Roles instance. The Active Roles connector is used for synchronization and provisioning Active Directory. The Active Roles connector connects to an Active Roles instance, which then connects to the Active Directory domain controller.

Figure 1: Architecture for synchronization

Migrating Data between the One Identity Manager and Active Roles

Scenario

An Active Directory domain managed by Active Roles should be managed with One Identity Manager. Active Roles Self-Service Manager is not implemented.

Select one of the following editions when you install the One Identity Manager database:

  • One Identity Manager Active Directory Edition
  • One Identity Manager

Initial synchronization of the Active Directory domains with One Identity Manager must be done with the Active Roles connector. All other synchronizations are also done with the Active Roles connector.

  • Create a synchronization project with the Synchronization Editor by using the default project template for Active Roles.

Scenario

An Active Directory domain managed by Active Roles should be managed with One Identity Manager. Active Roles Self-Service Manager is implemented. Its functionality should be transferred to the One Identity Manager IT Shop.

Select one of the following editions when you install the One Identity Manager database:

  • One Identity Manager Active Directory Edition
  • One Identity Manager

Transfer of Active Roles Self-Service Manager functionality into the One Identity Manager IT Shop is directly supported in the One Identity Manager Active Directory Edition. If you are using the One Identity Manager Edition, run the following steps before initial synchronization:

  1. Set the configuration parameter "QER\Policy\GroupAutoPublish" in the Designer.
  2. Set the configuration parameter "QER\ITShop\GroupAutoPublish\ADSGroupExcludeList" in the Designer and specify the Active Directory groups that are not to be added automatically to the IT Shop.
  3. Set the configuration parameter "TargetSystem\ADS\ARS_SSM" in the Designer.
  4. Compile the database.

Active Directory domain synchronization with One Identity Manager must be done with the Active Roles connector. All other synchronizations are also done with the Active Roles connector.

  • Create a synchronization project with the Synchronization Editor by using the default project template for Active Roles.

Scenario

An Active Directory domain managed by Active Roles should be managed with One Identity Manager. Until now, Active Directory domain synchronization was done with the Active Directory connector.

To manage the Active Directory domains with One Identity Active Roles

  1. Delete the existing synchronization project in the Synchronization Editor.
  2. Create a synchronization project with the Synchronization Editor by using the default project template for Active Roles.
Configuring Synchronization with Active Directory using One Identity Active Roles

One Identity Manager supports synchronization with Active Roles versions 6.9 and 7.0.

To load Active Directory objects into the One Identity Manager database for the first time

  1. Prepare a user account with sufficient permissions for synchronizing in Active Directory.
  2. The One Identity Manager components for managing Active Directory systems are available only if the configuration parameter "TargetSystem\ADS" is set.

    • Check in the Designer whether the configuration parameter is set. If it is not, set the configuration parameter and compile the database.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
  3. Install and configure a synchronization server and declare the server as Job server in One Identity Manager.
  4. Transfer of Active Roles Self-Service Manager functionality into the One Identity Manager IT Shop is directly supported in the One Identity Manager Active Directory Edition. If you are using the One Identity Manager Edition, run the following steps before initial synchronization:

    1. Set the configuration parameter "QER\Policy\GroupAutoPublish" in the Designer.
    2. Set the configuration parameter "QER\ITShop\GroupAutoPublish\ADSGroupExcludeList" in the Designer and specify the Active Directory groups that are not to be added automatically to the IT Shop.
    3. Set the configuration parameter "TargetSystem\ADS\ARS_SSM" in the Designer.
    4. Compile the database.
  5. Create a synchronization project with the Synchronization Editor.