Identity Manager 9.2 - Administration Guide for Active Roles Integration

Interaction with Active Roles policies

When you are defining templates in One Identity Manager, you need to take the policies defined in Active Roles into account. Values generated in One Identity Manager are passed to the Active Roles connector without checking adherence to the Active Roles policies. If the values that are passed violate the Active Roles policies, the entire process fails. To prevent this, you need to customize the One Identity Manager templates for Active Roles.

For more information about Active Roles policies, see your One Identity Active Roles documentation.

Managing Active Directory objects

You can set up organizational units in a hierarchical container structure in One Identity Manager. Organizational units (divisions or departments) are used to logically organize Active Directory objects like user accounts and groups, thus simplifying administration.

NOTE: In the following, you are provided with details about the special features of managing Active Directory objects using Active Roles. For more information about managing Active Directory with One Identity Manager, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Adding Active Directory groups automatically to the IT Shop

Before the initial synchronization, perform the following additional steps.

To add groups automatically to the IT Shop

  1. In the Designer, set the QER | ITShop | AutoPublish | ADSGroup configuration parameter.

  2. In the Designer, set the QER | ITShop | AutoPublish | ADSGroup | ExcludeList configuration parameter and specify the Active Directory groups that are not to be added automatically to the IT Shop.

    Example:

    .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

  3. In the Designer, set the TargetSystem | ADS | ARS_SSM configuration parameter.

  4. (Optional) In the Designer, set the QER | ITShop | AutoPublish | ADSGroup | AutoFillDisplayName configuration parameter.

    If the configuration parameter is set, a display name is created for Active Directory groups that do not have one yet. The display name is necessary, for example, to display the group in the Web Portal. In an Active Directory domain managed through Active Roles, the display name is formatted only for groups that are published in Active Roles Self-Service Manager.

  5. Compile the database.

The system entitlements are added automatically to the IT Shop from now on.
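The exclude list in step 2 is a regular expression whose alternatives are matched against group names. The following added example (not part of the One Identity documentation) applies the page's sample pattern to a constructed set of group names and shows how much the result depends on whether the pattern is evaluated against the whole name or as a substring search; which mode your installation uses is an assumption to verify, not something this page states.

```python
import re

# The exclude list from the page's example
# (value of QER | ITShop | AutoPublish | ADSGroup | ExcludeList).
EXCLUDE_LIST = r".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"

# Constructed sample group names, for illustration only.
SAMPLE_GROUPS = [
    "Domain Admins",
    "Administrators",
    "Exchange Servers",
    "Account Operators",
    "IIS_IUSRS",
    "Sales",
    "IIS_IUSRS_Test",
    "MyExchangeUsers",
]


def validate_exclude_list(exclude_list):
    """Return (True, None) if the pattern compiles, else (False, message).

    A pattern that does not compile would break the automatic
    publishing step, so check it before setting the parameter.
    """
    try:
        re.compile(exclude_list)
        return True, None
    except re.error as exc:
        return False, str(exc)


def groups_to_publish(names, exclude_list=EXCLUDE_LIST, anchored=True):
    """Return the group names that are NOT excluded.

    anchored=True : each alternative must match the whole name
                    (assumed mode; explains the leading/trailing .* in
                    the page's example).
    anchored=False: any alternative matching a substring excludes the
                    group.
    """
    pattern = re.compile(exclude_list)

    def excluded(name):
        match = pattern.fullmatch(name) if anchored else pattern.search(name)
        return match is not None

    return [n for n in names if not excluded(n)]


if __name__ == "__main__":
    print("anchored:  ", groups_to_publish(SAMPLE_GROUPS))
    print("substring: ", groups_to_publish(SAMPLE_GROUPS, anchored=False))
```

Under whole-name matching, "IIS_IUSRS_Test" and "MyExchangeUsers" would still be published; under substring matching they would be excluded, so test the list against your real group names before relying on it.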

The following steps are run to add a group to the IT Shop.

  1. A service item is determined for the system entitlement.

    The service item is tested for each system entitlement and modified if required. The name of the service item corresponds to the name of the system entitlement.

    • The service item is modified if the system entitlement has a service item.

    • System entitlements without a service item are allocated a new service item.

    • The service item is enabled or disabled depending on whether the system entitlement is published in Active Roles Self-Service Manager.

  2. The service item is assigned to one of the default service categories.

  3. An application role for product owners is determined and the service item is assigned.

    Product owners can approve requests for membership in these system entitlements. By default, the account manager of a system entitlement is determined as the product owner.

    NOTE: The application role for the product owner must be added under the Request & Fulfillment | IT Shop | Product owner application role.

    • If the account manager of the system entitlement is already a member of an application role for product owners, this application role is assigned to the service item. Therefore, all members of this application role become product owners of the system entitlement.

    • If the account manager of the system entitlement is not yet a member of an application role for product owners, a new application role is created. The name of the application role corresponds to the name of the account manager.

      • If the account manager is a user account or a contact, the user account's identity or the contact's identity is added to the application role.

      • If it is a group of account managers, the identities of all this group's user accounts are added to the application role.

    • If the system entitlement does not have an account manager, the Request & Fulfillment | IT Shop | Product owner | Without owner in AD default application role is used.

  4. The system entitlement is labeled with the IT Shop option and assigned to the Active Directory groups IT Shop shelf in the Identity & Access Lifecycle shop.

Subsequently, the shop's customers can request memberships in these system entitlements through the Web Portal.

NOTE: When a system entitlement is irrevocably deleted from the One Identity Manager database, the associated service item is also deleted.

Requesting Active Directory groups through the Web Portal

NOTE: If you request group membership, Approval of Active Directory group membership requests in the default installation.

To request a new Active Directory group

  • In the Web Portal, in the Service catalog > Requests menu, select the service category Active Directory groups.

  • Request the Active Directory group using the New Active Directory distribution list or the New Active Directory security group product.

The following steps are automatically run when you request a new Active Directory group:

  • An entry is created for the Active Directory group in One Identity Manager.

  • The Active Directory group is labeled with the Group is published to Self-Service Manager option.

  • The Active Directory group is labeled with the IT Shop option.

  • The associated service item is created. A new application role is set up with the requester as member. The application role is entered as product owner in the service item.

    Through this procedure, the Active Directory group requester has approval permissions for requesting memberships in this Active Directory group.

  • The Active Directory group is assigned to the shelf Active Directory groups in the Identity & Access Lifecycle default shop.

Active Directory group membership can then be requested by customers of this shop through the Web Portal.

NOTE: If an Active Directory group is permanently deleted from the One Identity Manager database, the associated service item is also deleted.
