Identity Manager 8.0 - Administration Guide for Active Roles Integration

Managing Active Directory Objects

You can set up organizational units in a hierarchical container structure in One Identity Manager. Organizational units (divisions or departments) are used to logically organize Active Directory objects like user accounts and groups, thus simplifying administration.

NOTE: In the following, you are provided with details about the special features of managing Active Directory objects using Active Roles. See the documentation for managing Active Directory with One Identity Manager in the One Identity Manager Administration Guide for Connecting to Active Directory.

Adding Active Directory Groups automatically to the IT Shop

Table 9: Configuration Parameters for Automatically Adding Groups to the IT Shop

  Configuration parameter: QER\ITShop\GroupAutoPublish
  Description: Preprocessor-relevant configuration parameter for automatically adding groups to the IT Shop. This configuration parameter specifies whether all Active Directory and SharePoint target system groups are automatically added to the IT Shop. Changes to the parameter require recompiling the database.

  Configuration parameter: QER\ITShop\GroupAutoPublish\ADSGroupExcludeList
  Description: This configuration parameter contains a list of all Active Directory groups for which automatic IT Shop assignment should not take place. Names are given in a pipe (|) delimited list that is handled as a regular expression search pattern.
  Example: .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

  Configuration parameter: TargetSystem\ADS\ARS_SSM
  Description: Preprocessor-relevant configuration parameter for controlling the database model components for Active Roles Self-Service Management in the One Identity Manager IT Shop. If the parameter is set, Self-Service Management components are available. Changes to the parameter require recompiling the database.

Transfer of Active Roles Self-Service Manager functionality into the One Identity Manager IT Shop is directly supported in the One Identity Manager Active Directory Edition. If you are using the One Identity Manager Edition, run the following steps before initial synchronization:

To add groups automatically to the IT Shop

  1. Set the configuration parameter "QER\ITShop\GroupAutoPublish" in the Designer.
  2. Set the configuration parameter "QER\ITShop\GroupAutoPublish\ADSGroupExcludeList" in the Designer and specify Active Directory groups which are not to be added automatically to the IT Shop.
  3. Set the configuration parameter "TargetSystem\ADS\ARS_SSM" in the Designer.
  4. Compile the database.

The groups are added automatically to the IT Shop from now on.

  • Synchronization ensures that the groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor.
  • New groups created in One Identity Manager are added to the IT Shop.
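The exclude list above decides which groups never become requestable in the IT Shop, so it is worth checking the pattern against real group names before the first synchronization. The following is an added example, not code from the guide or from One Identity Manager: it applies the guide's example value of ADSGroupExcludeList to a constructed list of group names. It assumes the value is evaluated as a single regular expression matched against the entire group name (an anchored match, which is what the leading and trailing ".*" in the example imply); the sample names are constructed.

```python
import re
from typing import Dict, List

# Value of QER\ITShop\GroupAutoPublish\ADSGroupExcludeList as given in the guide.
EXCLUDE_LIST = r".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"

# Constructed sample of Active Directory group names (not from the guide).
SAMPLE_GROUPS = [
    "Domain Admins",
    "Administrators",
    "Exchange Servers",
    "Backup Operators",
    "IIS_IUSRS",
    "IIS_IUSRS_old",   # not an exact match for the IIS_IUSRS alternative
    "AdminsOfSales",   # does not END with "Admins", so ".*Admins" does not match
    "Sales",
]


def compile_exclude_list(exclude_list: str) -> "re.Pattern[str]":
    """Compile the pipe-delimited list as one alternation pattern.

    Assumption: the whole value is one regular expression whose alternatives
    are separated by '|'; it is NOT split and matched piecewise.
    """
    return re.compile(exclude_list)


def is_excluded(group_name: str, pattern: "re.Pattern[str]") -> bool:
    """True if the group must NOT be auto-published to the IT Shop.

    Assumption: anchored match against the full name (fullmatch), so an
    alternative such as ".*Admins" excludes "Domain Admins" but not
    "AdminsOfSales". A narrower pattern than intended means a privileged
    group silently becomes requestable, so review the 'publish' bucket.
    """
    return pattern.fullmatch(group_name) is not None


def partition_groups(group_names: List[str],
                     exclude_list: str = EXCLUDE_LIST) -> Dict[str, List[str]]:
    """Split group names into the ones auto-published and the ones excluded."""
    pattern = compile_exclude_list(exclude_list)
    result: Dict[str, List[str]] = {"publish": [], "exclude": []}
    for name in group_names:
        result["exclude" if is_excluded(name, pattern) else "publish"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in partition_groups(SAMPLE_GROUPS).items():
        print(f"{bucket}: {names}")
```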

The following steps are run to add a group to the IT Shop.

  1. A service item is determined for the group.

    The service item is tested and modified for each group as required. The service item name corresponds to the name of the group. The service item is assigned to one of the default service categories.

    • The service item is modified for groups with service items.
    • Groups without service items are allocated new service items.
    • The service item depends on whether the group, published in the Active Roles Self-Service Manager, is enabled or disabled.
  2. An application role for product owners is determined and the service item is assigned. Product owners can approve requests for membership in these groups. By default, the group's account manager is established as the product owner.

    NOTE: The application role for product owners must be below the application role Request & Fulfillment | IT Shop | Product owners.
    • If the group's account manager is already a member of an application role for product owners, then this application role is assigned to the service item.
    • If the group's account manager is not a member of a product owner application role, a new application role is added. The name of the application role corresponds to the name of the account manager.
      • If the account manager is a user account or a contact, the user account's employee or contact is added to the application role.
      • If you are dealing with a group of account managers, the employees of all user accounts in this group are added to the application role.
    • If the group does not have an account manager, the default application role Request & Fulfillment | IT Shop | Product owner | without owner in AD is used.
  3. The group is labeled with the option IT Shop and assigned to the IT Shop shelf "Active Directory groups" in the shop "Identity & Access Lifecycle".

Shop customers can then request membership in these groups through the Web Portal, and the product owners approve the requests.

NOTE: When a One Identity Manager group is irrevocably deleted from the database, the associated service item is deleted.
Creating New Active Directory Groups through the Web Portal

NOTE: If you request group membership, the approval workflow "Approval of AD group membership requests" is used in the default installation.

To request a new Active Directory group

  • Select the service category "Web Portal groups" in Service catalog | Requests in Active Directory.
  • Request the Active Directory group using the product "New Active Directory distribution list" or "New Active Directory security group".

The following steps are automatically executed when you request a new Active Directory group:

  • An entry is created in the Active Directory for the One Identity Manager group.
  • The Active Directory group is labeled with the option Group is published to Self-Service Manager.
  • The Active Directory group is labeled with the option IT Shop.
  • The associated service item is created. A new application role is set up with the requester as member. The application role is entered as product owner in the service item.

    Through this procedure, the Active Directory group requester has approval permissions for requesting memberships in this Active Directory group.

  • The Active Directory group is assigned to the shelf "Active Directory groups" in the default shop "Identity & Access Lifecycle".

Active Directory group membership can then be requested by customers of this shop through the Web Portal.

NOTE: If an Active Directory group is irrevocably deleted from the One Identity Manager database, the associated service item is deleted.

Active Roles Specific Extensions for Active Directory Groups

To display Active Roles group data ascertained from Active Directory

  1. Select the category Active Directory | Groups in Manager.
  2. Select the group in the result list.
  3. Select Change master data in the task view.
  4. Select the tab Active Roles.

The following properties are displayed:

Table 10: Active Roles Specific Properties of an Active Directory Group

  Property: Group is published to Self-Service Manager
  Description: If an Active Directory group is published, the Active Directory group can be requested in the Web Portal immediately after successful synchronization. The data is loaded from Active Roles on synchronization. This information is published when an Active Directory group is added through the Web Portal in order to start other workflows in Active Roles if necessary.

  Property: Approval by the group owner
  Description: Specifies whether the Active Directory group owner (account manager) must approve group membership. This information affects the approval workflow in the IT Shop.

  Property: Approval by an additional owner of the group
  Description: Specifies whether an additional Active Directory group owner must approve group membership. This information affects the approval workflow in the IT Shop.

  Property: Additional owners
  Description: List of additional owners. Active Directory groups or Active Directory user accounts are permitted.

  Property: Deprovisioning status
  Description: Status of the deprovisioning sequence run by Active Roles when an object is deleted. The data is loaded from Active Roles on synchronization. Possible values:

    Status: No deprovisioning
    Description: The Active Directory object is enabled.

    Status: Deprovisioning successful
    Description: The Active Directory object was successfully deprovisioned.

    Status: Deprovisioning failed
    Description: An error occurred while deprovisioning the Active Directory object.

  Property: Deprovisioning date
  Description: Status of the deprovisioning sequence run by Active Roles when an object is deleted. The data is loaded from Active Roles on synchronization.
