
Identity Manager 9.0 LTS - Administration Guide for Active Roles Integration


One Identity Active Roles integration

One Identity Manager supports the connection of Active Directory systems through an integrated Active Roles connector. Additional Active Directory-related functionality, such as Microsoft Exchange, Office Communication Services, or Active Directory Lightweight Directory Service (AD LDS), is not supported through this connector.

In the default configuration of processes and synchronization behavior, One Identity Manager is assumed to be the primary (authoritative) system and is allowed to bypass Active Roles workflows. This default behavior requires an administrative Active Roles account; because changes made through it are not subject to Active Roles workflow approval, treat that account as highly privileged. Active Roles workflows can still be driven through the integrated Active Roles connector, but you may need to define custom processes in One Identity Manager in order to use this functionality.

NOTE: The Active Directory Module and the Active Roles Module must be installed as a prerequisite for managing Active Directory in One Identity Manager. For more information about installing, see the One Identity Manager Installation Guide.

NOTE: This guide only goes into specific features of using the Active Roles Connector. For more information about managing Active Directory with One Identity Manager, see the One Identity Manager Administration Guide for Connecting to Active Directory.

For more information about applying, managing, and configuring an Active Roles server, see your One Identity Active Roles documentation.

Architecture overview

The following servers are used for managing an Active Directory environment with One Identity Manager and Active Roles:

  • Active Roles server

    Active Roles server that establishes the connection to the Active Directory domain controller. The synchronization server connects to this Active Roles server.

  • Synchronization server

    Communication between the One Identity Manager Service and Active Roles runs from the synchronization server. The One Identity Manager Service with the Active Roles connector is installed on this server. The synchronization server processes the entries in the One Identity Manager database that are required for synchronization and administration, and it connects to the Active Roles server.

One Identity Manager's Active Roles connector uses the Active Roles ADSI interface to communicate with an Active Roles instance. The connector is used for synchronizing and provisioning Active Directory: it connects to an Active Roles instance, which in turn connects to the Active Directory domain controller.

Figure 1: The synchronization architecture

Migrating data between One Identity Manager and One Identity Active Roles

Scenario

You want to manage an Active Directory domain, currently managed by Active Roles, with One Identity Manager. Active Roles Self-Service Manager is not implemented.

Select one of the following editions when you install the One Identity Manager database:

  • One Identity Manager Active Directory Edition

  • One Identity Manager

Initial synchronization of Active Directory domains with One Identity Manager must be carried out by the Active Roles connector, as must all subsequent synchronization.

  • Create a synchronization project with the Synchronization Editor by using the default project template for Active Roles.

Scenario

You want to manage an Active Directory domain, currently managed by Active Roles, with One Identity Manager. Active Roles Self-Service Manager is implemented, and its functionality should be transferred to the One Identity Manager IT Shop.

Select one of the following editions when you install the One Identity Manager database:

  • One Identity Manager Active Directory Edition

  • One Identity Manager

The One Identity Manager Active Directory Edition directly supports transferring Active Roles Self-Service Manager functionality to the One Identity Manager IT Shop.

If you are using the One Identity Manager Edition, run the following steps before initial synchronization:

  1. In the Designer, set the QER | ITShop | AutoPublish | ADSGroup configuration parameter.

  2. In the Designer, set the QER | ITShop | AutoPublish | ADSGroup | ExcludeList configuration parameter and specify the Active Directory groups that are not to be added automatically to the IT Shop.

  3. In the Designer, set the TargetSystem | ADS | ARS_SSM configuration parameter.

  4. Compile the database.

Active Directory domain synchronization with One Identity Manager must be carried out by the Active Roles connector, as must all subsequent synchronization.

  • Create a synchronization project with the Synchronization Editor by using the default project template for Active Roles.

Scenario

You want to manage an Active Directory domain, currently managed by One Identity Manager, with Active Roles. Currently, Active Directory domain synchronization is carried out by the Active Directory connector.

To manage the Active Directory domains with One Identity Active Roles

  1. In the Synchronization Editor, delete the existing synchronization project.

  2. Create a synchronization project with the Synchronization Editor by using the default project template for Active Roles.


Synchronizing Active Directory using One Identity Active Roles

The One Identity Manager supports synchronization with Active Roles in versions 7.4.1, 7.4.3, 7.4.4, 7.4.5, 7.5, 7.5.2, and 7.5.3.

To load Active Directory objects into the One Identity Manager database for the first time

  1. Prepare a user account with sufficient permissions for synchronization.

  2. One Identity Manager components for managing Active Directory environments are available if the TargetSystem | ADS configuration parameter is set. The components for managing Active Roles are available if the TargetSystem | ADS | ARS configuration parameter is set.

    • Check whether the configuration parameters are set in the Designer. Otherwise, set the configuration parameters and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the modules are installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  4. The One Identity Manager Active Directory Edition directly supports transferring Active Roles Self-Service Manager functionality to the One Identity Manager IT Shop.

    If you are using the One Identity Manager Edition, run the following steps before initial synchronization:

    1. In the Designer, set the QER | ITShop | AutoPublish | ADSGroup configuration parameter.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    2. In the Designer, set the QER | ITShop | AutoPublish | ADSGroup | ExcludeList configuration parameter and specify the Active Directory groups that are not to be added automatically to the IT Shop.

      Example:

      .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

    3. In the Designer, set the TargetSystem | ADS | ARS_SSM configuration parameter.

    4. Compile the database.

  5. Create a synchronization project with the Synchronization Editor.

TIP: Before you set up synchronization with an Active Directory domain, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.
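Before relying on a QER | ITShop | AutoPublish | ADSGroup | ExcludeList value (step 2 of both procedures above), it is worth dry-running it against your group names to see which privileged groups it really keeps out of the IT Shop. The following Python script is an added example, not code from this guide or from One Identity: it applies the guide's example pattern to a constructed list of Active Directory group names. It assumes the parameter is a single regular expression evaluated against each group's name; whether the engine requires the pattern to cover the whole name and whether it ignores case are not stated on this page, so both are exposed as options and the names whose outcome depends on them are reported separately.

```python
import re

# ExcludeList value from the guide (Designer: QER | ITShop | AutoPublish | ADSGroup | ExcludeList)
EXCLUDE_LIST = r".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"

# Constructed sample of Active Directory group names (not taken from any real domain).
SAMPLE_GROUPS = [
    "Domain Admins",
    "Enterprise Admins",
    "Administrators",
    "Account Operators",
    "Backup Operators",
    "Exchange Organization Management",
    "IIS_IUSRS",
    "Sales",
    "Finance-Readers",
    "Admins-Helpdesk",
    "GPO Operators Lab",
]


def compile_exclude_list(exclude_list: str, ignore_case: bool = False) -> re.Pattern:
    """Compile the ExcludeList value up front so a malformed pattern fails loudly
    instead of silently excluding nothing. Case handling is an assumption: the
    .NET regex engine is case-sensitive unless IgnoreCase is requested, and this
    page does not say which One Identity Manager uses."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(exclude_list, flags)


def is_excluded(name: str, pattern: re.Pattern, full_match: bool = True) -> bool:
    """True if the group name is caught by the exclude list.

    full_match=True requires the pattern to cover the whole name (assumed semantics,
    consistent with the leading/trailing '.*' in the guide's example).
    full_match=False treats it as a substring search, as .NET Regex.IsMatch does
    for an unanchored pattern.
    """
    if full_match:
        return pattern.fullmatch(name) is not None
    return pattern.search(name) is not None


def split_groups(names, exclude_list=EXCLUDE_LIST, full_match=True, ignore_case=False):
    """Return (excluded, published): groups kept out of the IT Shop, and groups that
    AutoPublish would add to it."""
    pattern = compile_exclude_list(exclude_list, ignore_case)
    excluded = [n for n in names if is_excluded(n, pattern, full_match)]
    published = [n for n in names if not is_excluded(n, pattern, full_match)]
    return excluded, published


def semantics_sensitive(names, exclude_list=EXCLUDE_LIST):
    """Group names whose outcome flips between full-match and search semantics.
    These are the ones to check against the real engine before trusting the list:
    with search semantics they are excluded, with full-match they get published."""
    pattern = compile_exclude_list(exclude_list)
    return [
        n for n in names
        if is_excluded(n, pattern, full_match=True) != is_excluded(n, pattern, full_match=False)
    ]


def suspicious_published(published, hints=("admin", "operator", "exchange")):
    """Published groups whose name hints at privilege: review these by hand before
    compiling the database, since AutoPublish will otherwise make them requestable."""
    return [n for n in published if any(h in n.lower() for h in hints)]


if __name__ == "__main__":
    excluded, published = split_groups(SAMPLE_GROUPS)
    print("excluded from IT Shop:", excluded)
    print("auto-published:", published)
    print("semantics-sensitive:", semantics_sensitive(SAMPLE_GROUPS))
    print("review by hand:", suspicious_published(published))
```

Names such as Admins-Helpdesk and GPO Operators Lab show why the matching mode matters: `.*Admins` and `.*Operators` catch them only if the engine searches rather than requiring a full-name match. Rather than depending on the mode, write the alternatives you care about so they match either way (for example `.*Admins.*`), and go through the published list for anything with a privileged-sounding name before you compile the database.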
