立即与支持人员聊天
与支持团队交流

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

If-Else activity

An If-Else activity is used to conditionally run one of two or more alternative branches depending on the conditions defined on the branches. It contains an ordered set of branches and runs the first branch whose condition evaluates to TRUE. You can add as many branches as you want to an If-Else activity, and you can add as many activities as you want to every branch.

Each branch of an If-Else activity may have an individual condition set on it. When an If-Else activity starts, if evaluates the condition on its first (leftmost) branch. If that condition is met, Active Roles runs the activities of that branch; otherwise, Active Roles evaluates the condition on the next branch (from left to right), and so on.

When configuring If-Else branch conditions, consider the following:

  • Active Roles runs only the first branch whose condition is evaluated to TRUE.

  • An If-Else activity can finish without any of its branches being initiated, if the condition of each branch is evaluated as FALSE.

If no condition is defined for a branch, Active Roles considers that branch to be always TRUE. Therefore, the final (rightmost) branch normally must have no condition, so that it is always evaluated as TRUE. This way, the final branch acts as the Else branch that runs if the conditions on the other branches are not fulfilled.

TIP: To ensure that at least one activity is run from a branch, make sure that you define no running condition for the last branch of an If-Else activity.

If-Else branch conditions

An If-Else activity is intended to select exactly one branch of the activity from a given set of branches. For each branch, the activity checks the branch conditions and executes the first of the branches whose condition evaluates to TRUE.

When you configure an If-Else branch, you need to add at least one condition, but you are not limited in the number of conditions that you can add for a given branch. You can add, delete, and group conditions using various operators. It is possible to nest condition groups within other condition groups to achieve the results that you want.

A condition group contains one or more conditions connected by the same logical operator. By grouping conditions, you specify that those conditions should be evaluated as a single unit. The effect is the same as if you put parentheses around an expression in a mathematical equation or logic statement.

By default, a single, implied condition group is created when you add a branch condition. You can create additional condition groups to group a set of conditions and nest grouped conditions within other condition groups.

In a condition group, conditions are connected using the AND, OR, NOT AND, or NOT OR logical operator:

  • AND group evaluates to TRUE if all conditions in the group are TRUE.

  • OR group evaluates to TRUE if any condition in the group is TRUE.

  • NOT AND group evaluates to TRUE if any condition in the group evaluates to FALSE.

  • NOT OR group evaluates to TRUE if all conditions in the group evaluate to FALSE.

By default, AND is the logical operator between the conditions in a condition group. It is possible to change the logical operator by converting the condition group to a different group type: Click the name of the group, point to Convert condition group to, and then click the option appropriate to the desired logical operator.

By default, AND is the logical operator between the conditions in a condition group. It is possible to change the logical operator by converting the condition group to a different group type.

When you add a condition, the Workflow Designer first prompts you to specify what you want the condition to evaluate. The following options are available:

  • Property of workflow initiator: This option is intended to evaluate the value of a certain property of the user whose request started the workflow. You can select the desired property when you configure a condition.

  • Activity execution status: This option evaluates whether Active Roles encountered an error when running a certain activity. You can select the activity when you configure a condition.

    NOTE: This option requires the activity configuration to allow the workflow to continue even if the activity encounters an error. For more information, see Configuring error handling for a CRUD activity.

  • Workflow parameter value: This option is intended to evaluate the value of a certain parameter of the workflow. You can select the parameter when you configure a condition.

  • Property of object from workflow data context: This option is intended to evaluate the value of a certain property of the object that will be selected by the If-Else activity on the basis of the data found in the workflow environment at the time of executing the workflow. When you configure a branch condition, you can choose the property and specify which object you want the activity to select upon evaluating the condition at workflow run time.

  • Value generated by rule expression: This option is intended to evaluate the string value of a certain rule expression. By using a rule expression, you can compose a string value based on properties of various objects found in the workflow environment at the time of executing the workflow. Active Roles calculates the value of your rule expression upon evaluating the condition at workflow run time.

Within a change workflow, the following options are available in addition to the options listed above:

  • Property of workflow target object: This option is intended to evaluate the value of a certain property of the target object of the request that started the workflow. You can select the property when you configure a condition.

  • Changed value of workflow target object property: This option is intended to evaluate the value that is requested to be assigned to a certain property of the workflow target object, which represents the requested change to the property of the target object of the request that started the workflow. You can select the property when you configure a condition.

  • Approver action choice: This option is intended to evaluate the name of the action button applied by the approver to complete the approval task created by a certain Approval activity. Use this option to determine which action button the approver applied to allow the operation that was subject to approval. You can select the Approval activity when you configure a condition.

Once you have specified the entity or field that you want the condition to evaluate, you can choose a comparison operator and specify a comparison value. The list of options that are available to specify a comparison value depends upon the entity or field you have configured the condition to evaluate. The following table summarizes the comparison value options.

Table 52: Comparison value options

Condition to evaluate

Comparison value options

  • Property of workflow target object

  • Property of workflow initiator

  • Changed value of workflow target object property

  • Workflow parameter value

  • Property of object from workflow data context

  • Value generated by rule expression

  • Text string

  • Property of workflow target object

  • Property of workflow initiator

  • Changed value of workflow target object property

  • Workflow parameter value

  • Property of object from workflow data context

  • Value generated by rule expression

Activity execution status

  • Not executed

  • Completed successfully

  • Encountered an error

Approver action choice

  • The name of an action button

  • Value generated by script

For a brief description of comparison operators and comparison value options, see Search filter.

Error handling – If-Else activity

When configuring an If-Else activity, you can choose whether to suppress errors encountered by that activity. The following option is available: Continue workflow even if this activity encounters an error. If this option is not selected (default setting), then an error condition encountered by the activity causes Active Roles to stop the workflow. If you select this option, the workflow continues regardless of whether or not the If-Else activity or any activity within the If-Else activity encounters an error condition.

Stop/Break activity

A Stop/Break activity is used to immediately end all activities of a running workflow instance. You can use it within a branch of an If-Else activity, so as to terminate the workflow once a certain condition occurs.

An example is a requirement for the validation of the requested data changes to deny certain operations because applying such operations would result in unacceptable data being written to the directory. To address this requirement, you can use a workflow with an If-Else branch that runs upon detection of unacceptable data in the requested operation, and add a Stop/Break activity to that branch. In this way, your workflow will block the unwanted operations, safeguarding the directory data.

The Stop/Break activity logs a message when terminating the workflow instance. You can specify a message text as an activity setting to provide the reason for the workflow instance termination. The activity includes that message in the event that is recorded to the Active Roles event log on the computer running the Active Roles Administration Service.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级