Active Roles 7.3.3 - Product Overview

Role-based management

Role-based management of computer resources

Active Roles provides the ability to delegate administration of computer resources, such as services and printers. Delegated administrators can use the Active Roles Web Interface to manage computer resources with a single, consolidated tool. Active Roles, along with the Web Interface, enables the delegation of administrative tasks on the following computer resources:

  • Services  Start or stop a service, view or modify properties of a service.
  • Network File Shares  Create a file share, view or modify properties of a file share, stop sharing a folder.
  • Logical Printers  Pause, resume or cancel printing, list documents being printed, view or modify properties of a printer.
  • Documents being printed (print jobs)  Pause, resume, cancel or restart printing of a document, view or modify properties of a document being printed.
  • Local groups  Create or delete a group, add or remove members from a group, rename a group, view or modify properties of a group.
  • Local users  Create or delete a local user account, set a password for a local user account, rename a local user account, view or modify properties of a local user account.
  • Devices  View or modify properties of a logical device, start or stop a logical device.

Active Roles provides a comprehensive set of Access Templates that are available out of the box for delegating computer management tasks. By applying Access Templates of the “Computer Resources” category to a computer account, the rights of delegated administrators can be specified on the corresponding computer’s resources.

Delegated administrators should manage computer resources through the Web Interface rather than the Active Roles console (MMC Interface). Although the console includes some tools for computer resource management, those tools act on the computer directly, so the console user needs native administrator rights on that computer to use them. Rights granted through "Computer Resources" Access Templates have no effect in those console tools; they are honored only when the resource is managed through the Web Interface.

Technical Overview

Active Roles divides the workload of directory administration and provisioning into three functional layers—presentation components, service components, and network data sources.

The presentation components include client interfaces for the Windows platform and the Web, which allow regular users to perform a precisely defined set of administrative activities. The reporting solution facilitates automated generation of reports on management activities.

The service components constitute a secure layer between administrators and managed data sources. This layer ensures consistent policy enforcement, provides advanced automation capabilities, and enables the integration of business processes for administration of Active Directory, Microsoft Exchange, and other corporate data sources.

The Administration Database (referred to below as the configuration database) stores all permission and policy settings, and other data related to the Active Roles configuration.

On a very high level, the Active Roles components work together as follows to manipulate directory data:

  1. An administrator uses the MMC interface or Web interface to access Active Roles.
  2. The administrator submits an operation request, such as a query or a data change, to the Administration Service.
  3. On receipt of the operation request, the Administration Service checks whether the administrator has sufficient permissions to perform the requested operation (access check).
  4. The Administration Service ensures that the requested operation does not violate the corporate policies (policy enforcement).
  5. The Administration Service performs all actions required by the corporate policies, before committing the request (policy enforcement).
  6. The Administration Service issues operating system function calls to perform the requested operation on network data sources.
  7. The Administration Service performs all related actions required by the corporate policies, after the request is processed by the operating system (policy enforcement).
  8. The Administration Service generates an audit trail that includes records about all operations performed or attempted with Active Roles. Directory-change tracking reports are based on the audit trail.
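The eight steps above form a single request pipeline: deny unless an Access Template grants the right, then reject anything that violates a pre-commit policy, then commit, then run post-commit actions, and record every outcome. The following is an added illustration written for this page, not Active Roles code: every name in it (`Request`, `AccessTemplate`, the two policy functions, the in-memory `DIRECTORY` and `DELEGATION` tables) is invented, and the sample directory data is constructed. It models a help-desk trustee who holds a template granting write access to `telephoneNumber` on one OU, and shows that refused requests (wrong attribute, wrong scope, policy violation) still produce audit records.

```python
"""Toy model of the Active Roles request pipeline described in the steps above.

Added illustration, not Active Roles code: all names and data here are
invented for the example. Order: access check, pre-commit policy, commit,
post-commit policy, audit record for every request, including refused ones.
"""
import copy
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Directory = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Request:
    actor: str             # delegated administrator submitting the request
    op: str                # "read" or "write"
    target: str            # DN of the directory object
    attr: str
    value: Optional[str] = None


@dataclass(frozen=True)
class AccessTemplate:
    """Bundle of rights applied to a trustee at a scope (an OU here)."""
    name: str
    rights: frozenset      # "read" or "write:<attribute>"


# Constructed sample data: a tiny managed domain and one delegation.
DIRECTORY: Directory = {
    "CN=Alice,OU=Sales,DC=example,DC=com": {"telephoneNumber": "555-0100", "title": "Rep"},
    "CN=Bob,OU=Engineering,DC=example,DC=com": {"telephoneNumber": "555-0200", "title": "Dev"},
}
PHONE_TEMPLATE = AccessTemplate("Users - Modify Phone", frozenset({"read", "write:telephoneNumber"}))
DELEGATION = [("helpdesk", "OU=Sales,DC=example,DC=com", PHONE_TEMPLATE)]  # (trustee, scope, template)


def in_scope(target: str, scope: str) -> bool:
    """True if target is the scope object itself or lies beneath it."""
    return target == scope or target.endswith("," + scope)


def access_check(req: Request) -> bool:
    """Step 3: deny unless a template applied to the actor at a covering scope grants the right."""
    needed = "read" if req.op == "read" else f"write:{req.attr}"
    return any(
        trustee == req.actor and in_scope(req.target, scope) and needed in tmpl.rights
        for trustee, scope, tmpl in DELEGATION
    )


PHONE_RE = re.compile(r"^\d{3}-\d{4}$")


def phone_format_policy(req: Request, directory: Directory) -> Optional[str]:
    """Step 4: a pre-commit rule; a returned string is the reason the request is rejected."""
    if req.op == "write" and req.attr == "telephoneNumber" and not PHONE_RE.match(req.value or ""):
        return "telephoneNumber must match NNN-NNNN"
    return None


def description_policy(req: Request, directory: Directory) -> None:
    """Step 7: a post-commit action that keeps a derived attribute current."""
    if req.op == "write" and req.attr == "telephoneNumber":
        directory[req.target]["description"] = f"phone set by {req.actor}"


PRE_POLICIES: List[Callable[[Request, Directory], Optional[str]]] = [phone_format_policy]
POST_POLICIES: List[Callable[[Request, Directory], None]] = [description_policy]


def process(req: Request, directory: Directory, audit: List[dict]) -> Tuple[str, object]:
    """Run one request through the pipeline; every outcome lands in the audit trail."""
    record = {"actor": req.actor, "op": req.op, "target": req.target, "attr": req.attr}

    def finish(result: str, detail: object) -> Tuple[str, object]:
        audit.append({**record, "result": result, "detail": detail})   # step 8
        return result, detail

    if not access_check(req):
        return finish("denied", "access check failed")
    for policy in PRE_POLICIES:
        reason = policy(req, directory)
        if reason:
            return finish("denied", reason)
    obj = directory.get(req.target)
    if obj is None:
        return finish("failed", "no such object")
    if req.op == "read":                                   # step 6
        detail = obj.get(req.attr)
    else:
        detail = (obj.get(req.attr), req.value)             # (old, new) goes into the audit record
        obj[req.attr] = req.value
    for policy in POST_POLICIES:
        policy(req, directory)
    return finish("success", detail)


def demo() -> List[dict]:
    """Four requests from the help-desk trustee; returns the resulting audit trail."""
    directory, audit = copy.deepcopy(DIRECTORY), []
    alice = "CN=Alice,OU=Sales,DC=example,DC=com"
    bob = "CN=Bob,OU=Engineering,DC=example,DC=com"
    process(Request("helpdesk", "write", alice, "telephoneNumber", "555-0199"), directory, audit)  # allowed
    process(Request("helpdesk", "write", alice, "title", "Manager"), directory, audit)             # no right on title
    process(Request("helpdesk", "write", bob, "telephoneNumber", "555-0299"), directory, audit)    # outside scope
    process(Request("helpdesk", "write", alice, "telephoneNumber", "call me"), directory, audit)   # violates policy
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running `demo()` yields one audit entry per request: the first succeeds and records the old and new value, the other three are denied, each with the reason. The access check runs before any policy is evaluated, so a trustee without the right never learns whether the value would have passed policy, and the denied entries are what a directory-change report would surface as attempted operations.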

Let us examine the three component layers.

Presentation Components

The presentation components include user interfaces that serve a variety of needs. Each interface accepts commands, displays progress and status, and presents results clearly and concisely.

Active Roles console (MMC Interface)

The Active Roles console, also referred to as the MMC Interface, is a comprehensive administrative tool for managing Active Directory and Microsoft Exchange. It enables you to specify administrative roles and delegate control, define administrative policies and automation scripts, easily find directory objects, and perform administrative tasks.

Web Interface

Via the Web interface, intranet users with sufficient administrative rights can connect to Active Roles to perform basic administrative tasks, such as modifying user data or adding users to groups. The Web interface provides departmental and help-desk personnel with the administrative capabilities they need.

Custom Interfaces

In addition to the MMC and Web interfaces, Active Roles enables the development of custom interfaces that use the Active Roles ADSI Provider to access the features of Active Roles. Administrators familiar with scripting and programming can create custom interfaces to meet specific administrative needs.

Active Roles ADSI Provider

The Active Roles ADSI Provider operates as part of Presentation Components to enable custom user interfaces and applications to access Active Directory services through Active Roles. The Active Roles ADSI Provider translates clients’ requests into DCOM calls and interacts with the Administration Service.

The Active Roles ADSI Provider allows custom scripts and applications, such as Web-based applications, to communicate with Active Directory, while taking full advantage of the security, workflow integration and reporting benefits of Active Roles. For example, using the Active Roles ADSI Provider, Web-based pages can be created such that user property modifications made by help-desk operators are restricted by the corporate rules enforced by Active Roles.

Reporting

Active Roles offers comprehensive reporting to monitor administrative actions, corporate policy compliance, and the state of directory objects. The Active Roles reporting solution includes Data Collector and Report Pack.

Report Pack provides report definitions for creating reports based on the data gathered by Data Collector. Active Roles comes with an extensive suite of report definitions that cover all administrative actions available in this product.

Report Pack is deployed on Microsoft SQL Server Reporting Services (SSRS). You can use the tools included with SSRS to view, save, print, publish, and schedule Active Roles reports.

Data Collector is used to gather data required for reporting. The Data Collector Wizard allows you to configure and schedule data collection jobs.

Once configured, Data Collector retrieves data from various sources, accessing them via the Active Roles Administration Service, and stores the data in a SQL Server database. Data Collector also provides a means for managing the gathered data, including the ability to export or delete obsolete data.

Service Components

At the core of Active Roles lies the Administration Service. It features advanced delegation capabilities and ensures the reliable enforcement of administrative policies that keep data current and accurate. The Administration Service acts as a bridge between the presentation components and network data sources. In large networks, multiple Administration Services can be deployed to improve performance and ensure fault tolerance.

Data processing component

The data processing component accepts administrative requests and validates them by checking permissions and rules stored in the Administration Database. This component manages the network data sources, retrieving or changing the appropriate network object data based on administrative requests and policy definitions.

The data processing component operates as a secure service. It logs on with domain user accounts that have sufficient privileges to access the domains registered with Active Roles (managed domains). Access to the managed domains is bounded by the access rights of those user accounts: a delegated administrator cannot obtain through Active Roles any right on a managed domain that the service account itself does not hold.

Configuration database

The Administration Service uses the configuration database to store configuration data. The configuration data includes definitions of objects specific to Active Roles, assignments of administrative roles and policies, and procedures used to enforce policies. The configuration database is only used to store Active Roles configuration data. It does not store copies of the objects that reside in the managed data sources, nor is it used as an object data cache.

Active Roles uses Microsoft SQL Server to host the configuration database. The replication capabilities of SQL Server facilitate implementation of multiple equivalent configuration databases used by different Administration Services.

Audit trail

The data processing component provides a complete audit trail by creating records in the event log on the computer running the Administration Service. The log shows every action performed and by whom, including actions that were attempted but not permitted. Each entry records the success or failure of the action and which attributes were changed.
