Active Roles specific extensions for Active Directory groups
To display group data ascertained from Active Directory
- In the Manager, select the Active Directory | Groups category.
- Select the group in the result list.
- Select the Change master data task.
- Select the tab.
The following properties are displayed:
Table 8: specific properties of an Active Directory group

| Property | Description |
|---|---|
| Group is published to Self-Service Manager | If an Active Directory group is published, the Active Directory group can be requested in the Web Portal immediately after successful synchronization. The data is loaded from on synchronization. This information is published when an Active Directory group is added through the Web Portal in order to start other workflows in if necessary. |
| Approval by the group owner | Specifies whether the Active Directory group owner (account manager) must approve group membership. The information affects the approval workflow in the IT Shop. |
| Approval by an additional owner of the group | Specifies whether the additional Active Directory group owner must approve group membership. The information affects the approval workflow in the IT Shop. |
| Additional owners | List of additional owners. Active Directory groups or Active Directory user accounts are permitted. |
| Deprovisioning status | Status of deprovisioning sequence through when an object is deleted. The data is loaded from on synchronization. No deprovisioning: The Active Directory object is enabled. Deprovisioning successful: The Active Directory object was successfully deprovisioned. Deprovisioning failed: An error occurred while deprovisioning the Active Directory object. |
| Deprovisioning date | Status of deprovisioning sequence through an when an object is deleted. The information is loaded from the during synchronization. |
Deprovisioning Active Directory user accounts and Active Directory groups
One Identity Manager supports deprovisioning through . Based on deprovisioning policies configured in , an Active Directory object is modified such that it is temporarily or permanently disabled and possibly is not deleted until a certain time period has expired. You can find detailed information about deprovisioning in your One Identity Active Roles documentation.
NOTE: The deprovisioning policy configuration in may conflict with the default One Identity Manager configuration. In this case, make any appropriate adjustments to templates or processes, for example.
The following procedures are implemented for deprovisioning Active Directory user accounts and Active Directory groups with One Identity Manager:
- Deprovisioning not deletion
- Quick deprovisioning
Deprovisioning not deletion
To implement this method
- In the Active Directory domain, set the User accounts deleted by workflows and Groups deleted by workflows options.
If an Active Directory user account or an Active Directory group is deleted in One Identity Manager, a deprovisioning process is generated in the instead of the default deletion process. This process queues the Active Directory object for deprovisioning in , sets a deprovisioned status, and checks the deprovisioning sequence. Active Directory objects continue to be processed in One Identity Manager depending on this.
To delete a user account
- Select the Active Directory | User accounts category.
- Select the user account in the result list.
- Delete the user account.
- Confirm the security prompt with Yes.
To delete an Active Directory group
- Select the Active Directory | Groups category.
- Select the group in the result list.
- Delete the group using .
- Confirm the security prompt with Yes.
Quick deprovisioning
You can apply this method if the Active Directory domain is not marked for deprovisioning. The Deprovision task is provided on these objects for the deprovisioning of individual Active Directory user accounts or Active Directory groups.
A deprovisioning process is generated in . This process queues the Active Directory object for deprovisioning in , sets a deprovisioned status, and checks the deprovisioning sequence. Active Directory objects continue to be processed in One Identity Manager depending on this.
To deprovision an Active Directory user account
- Select the Active Directory | User accounts category.
- Select the user account in the result list.
- Select the Deprovision task.
- Confirm the security prompt with Yes.
- Confirm with OK.
To deprovision an Active Directory group
- Select the Active Directory | Groups category.
- Select the group in the result list.
- Select the Deprovision task.
- Confirm the security prompt with Yes.
- Confirm with OK.