
Active Roles 8.0.1 LTS - Feature Guide


Viewing the core Administration Service settings

On the Administration Service page of the Configuration Center, you can check:

  • The login name of the Active Roles service account.

  • The name of the group or user account that has the Active Roles Admin rights.

  • The SQL Server instance that hosts the Active Roles database and the name of the Active Roles database.

  • The database connection authentication mode (Windows authentication or SQL Server authentication).

Modifying the core Administration Service settings

On the Administration Service page of the Configuration Center, you can change:

  • The service account. To do so, click Service account > Change. Then, in the wizard that appears, specify the login name and password of the domain user account under which you want the Administration Service to run or, if using a group Managed Service Account (gMSA), the details of that service account.

  • The Active Roles Admin account. To do so, click Active Roles Admin > Change. Then, in the wizard that appears, specify the group or user account you want to have the Active Roles Admin rights.

  • The Active Roles database. To do so, click Active Roles database > Change. Then, in the wizard that appears, specify the SQL Server instance and the database you want the Administration Service to use, and select the database connection authentication mode (Windows authentication or SQL Server login). You can also specify a separate database for storing management history data.

Importing configuration data

IMPORTANT:

During in-place upgrade, when importing from the source database (Configuration and Management History database), the following database permissions are automatically migrated from the previously used (source) SQL database to the new (destination) SQL database:
  • Active Roles database users with associated permissions.

  • SQL logins mapped to Active Roles database users.

  • Roles.

The service account that is used for performing the in-place upgrade or the import or migration operation should have the following permissions in the SQL Server to perform the operation:

  • db_datareader fixed database role in the source database.

  • db_owner fixed database role and the default schema of dbo in the destination database.

  • sysadmin fixed server role on the SQL Server instance that hosts the destination database.

If a limited SQL access account is used for performing the in-place upgrade, a manual action is required to pre-create the new Active Roles databases. For more information, see Knowledge Base Article 4303098 on the One Identity Support Portal.
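The three permissions listed above can be checked from the SQL Server catalog before starting the wizard. The following T-SQL is an added example, not part of the Active Roles documentation or tooling; the login name and both database names are placeholders, and it assumes the account is mapped directly to a database user (access granted only through a Windows group is not resolved by the membership queries).

```sql
-- Added example. CONTOSO\svc-activeroles, ActiveRoles_Destination and
-- ActiveRoles_Source are placeholders; substitute your own names.
DECLARE @login sysname = N'CONTOSO\svc-activeroles';

-- 1) On the instance hosting the DESTINATION database: sysadmin server role.
--    1 = member, 0 = not a member, NULL = login or role not valid.
SELECT IS_SRVROLEMEMBER(N'sysadmin', @login) AS dest_is_sysadmin;

-- 2) In the DESTINATION database: expect role_name = db_owner and
--    default_schema_name = dbo for the mapped user.
USE [ActiveRoles_Destination];
SELECT u.name AS db_user, u.default_schema_name, r.name AS role_name
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.sid = SUSER_SID(@login);

-- 3) In the SOURCE database: expect role_name = db_datareader.
--    If the source is on another instance, connect there and run this part
--    (with the DECLARE above) as its own batch.
USE [ActiveRoles_Source];
SELECT u.name AS db_user, r.name AS role_name
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.sid = SUSER_SID(@login);

-- An empty result in step 2 or 3 means no database user is mapped directly
-- to this login in that database.
```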

By default, the database users, permissions, logins, and roles are imported to the destination database. You can clear the Copy database users, permissions, logins, and roles check box in the following locations depending on the operation:

  • During in-place upgrade: in the Upgrade configuration window.

  • Importing configuration: Import Configuration > Source Database > Configure advanced database properties.

  • Importing management history: Import Management History > Source database > Configure advanced database properties.

The configuration operations available in the Configuration Center are fully scriptable using the Windows PowerShell command-line tools of the Active Roles Management Shell. For more information, see Active Roles Management Shell.

When upgrading the Administration Service, you must import configuration data from the earlier version of Active Roles to the new version of the product. To do so, in the Configuration Center, click Administration Service > Import Configuration, then follow the steps in the wizard that appears.

The wizard will prompt you to specify the Active Roles database from which you want to import the configuration data (known as the "source database"), then it will identify the current Administration Service database to which it will import the configuration data (known as the "destination database"). After that, you must choose the connection authentication mode (Windows authentication or SQL Server login) for each database. The wizard then performs the import operation.

During the import operation, the wizard retrieves and upgrades the data from the source database, and replaces the data in the destination database with the upgraded data from the source database.
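Because the import copies database users, SQL logins and roles into the destination database by default, it is worth reviewing what arrived there once the wizard finishes. The following T-SQL is an added example, not part of the Active Roles documentation; the database name is a placeholder, and the queries use only standard SQL Server catalog views.

```sql
-- Added example. ActiveRoles_Destination is a placeholder database name.
USE [ActiveRoles_Destination];

-- Database users and the server login each one maps to on this instance.
-- mapped_login IS NULL for a SQL user means no login with that SID exists here.
SELECT dp.name AS db_user, dp.type_desc, dp.create_date,
       sp.name AS mapped_login, sp.is_disabled
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')      -- SQL user, Windows user, Windows group
  AND dp.principal_id > 4             -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY dp.create_date DESC;

-- Role memberships, including membership in fixed roles such as db_owner.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- Permissions granted or denied explicitly to users and user-defined roles.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE WHEN pe.class = 1          -- object or column
            THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
       END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pr.is_fixed_role = 0
  AND pr.name <> N'public'
  AND pr.principal_id > 4
ORDER BY pr.name, pe.permission_name;
```

Comparing this output with the same queries run against the source database shows which principals the import carried over.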

Importing management history data

IMPORTANT:

During in-place upgrade, when importing from the source database (Configuration and Management History database), the following database permissions are automatically migrated from the previously used (source) SQL database to the new (destination) SQL database:
  • Active Roles database users with associated permissions.

  • SQL logins mapped to Active Roles database users.

  • Roles.

The service account that is used for performing the in-place upgrade or the import or migration operation should have the following permissions in the SQL Server to perform the operation:

  • db_datareader fixed database role in the source database.

  • db_owner fixed database role and the default schema of dbo in the destination database.

  • sysadmin fixed server role on the SQL Server instance that hosts the destination database.

If a limited SQL access account is used for performing the in-place upgrade, a manual action is required to pre-create the new Active Roles databases. For more information, see Knowledge Base Article 4303098 on the One Identity Support Portal.

By default, the database users, permissions, logins, and roles are imported to the destination database. You can clear the Copy database users, permissions, logins, and roles check box in the following locations depending on the operation:

  • During in-place upgrade: in the Upgrade configuration window.

  • Importing configuration: Import Configuration > Source Database > Configure advanced database properties.

  • Importing management history: Import Management History > Source database > Configure advanced database properties.

Although importing management history data during an upgrade looks similar to importing configuration data, it differs for two main reasons:

  • Management history data typically has a much larger volume than configuration data. Because of this, importing management history data takes much longer than importing configuration data.

  • Management history data has dependencies on configuration data (while configuration data has no dependencies on management history data). Because of this, during an Active Roles upgrade process, you must import the configuration data first, then (optionally) the management history data, if needed.

Because of these differences, the Active Roles Configuration Center provides a separate wizard for importing management history data, with the following feature set:

  • The wizard does not replace the existing management history data in the destination database. Instead, it only retrieves and upgrades management history records from the source database, then adds the upgraded records to the destination database.

  • The wizard allows you to specify the date range for the management history data you want to import. This way, you can import only records that occurred within a particular time frame instead of importing every management history record.

  • Canceling the wizard while the management history data import operation is in progress does not result in losing the imported data. Because of this, you can stop the import operation at any time. The records imported by the time you cancel the wizard are retained in the destination database. If you start the wizard again, it continues importing the records that have not yet been imported.

To start the wizard, in the Configuration Center, click Administration Service > Import Management History. The wizard will prompt you to specify the Active Roles database from which you want to import the management history data (known as the "source database"), then it will identify the current Administration Service database to which it will import the management history (known as the "destination database"). After that, you must choose the connection authentication mode (Windows authentication or SQL Server login) for each database. The wizard then performs the import operation.

During the import operation, the wizard retrieves and upgrades the management history records of the specified date and time range from the source database, and adds the upgraded records to the destination database.
