立即与支持人员聊天
与支持团队交流

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Configuring workflow parameters

Workflow parameters are intended for the purpose of passing their value to workflow activities at run time. You can specify parameter values when you configure a workflow. In this case, Active Roles stores the parameter values as part of the workflow definition, and retrieves them as needed when running the workflow. Another option is to use a script for generating the value of a workflow parameter at run time.

You can use parameters to increase the reusability of a workflow; for example, if a value is specified in the configuration of a workflow activity, then you need to reconfigure that activity if you want to change the value. With workflow parameters, you can reuse the existing configuration of the activity by passing the appropriate value through a parameter. Here are some examples of workflow parameter usage:

  • Workflow start conditions: When configuring workflow start conditions, you can create a filter that causes the workflow to start if the properties of the operation request match the value of a certain parameter.

  • If-Else branch conditions: When configuring conditions for an If-Else Branch, you can set up a condition that causes the workflow to choose that branch if a certain parameter has a particular value.

  • Search container: When configuring a Search activity, you can choose the option that causes the activity to search in the Organizational Unit or container identified by the value of a certain parameter.

  • Search filter: When configuring a Search activity, you can set up a search filter condition that causes the activity to search for objects whose properties match the value of a certain parameter.

  • Creation container: You can configure a Create activity with the option to create objects in the Organizational Unit or container identified by the value of a certain parameter.

  • Setting object properties: You can configure a Create activity or Update activity with the option to set or change the properties of the object based on the value of a certain parameter.

  • Selecting target object: You can configure an activity to make changes to the object identified by the value of a certain parameter. This applies to activities intended to make changes to objects in Active Directory, such as Update activity, Add to group activity, Move activity, and so on.

  • Destination container: You can configure a Move activity to move the object to the Organizational Unit or container identified by the value of a certain parameter.

Each parameter has a number of properties that define the parameter, including:

  • Name: Each parameter must have a unique name in the workflow definition.

  • Description: You can use this property to describe the purpose of the parameter.

  • Display name: This property specifies the user-friendly name of the parameter.

  • Syntax: This property determines the data type of the parameter value.

    • String: This syntax indicates that the parameter value is a string of characters. You can type the string when you set the value of the parameter.

    • DateTime: This syntax indicates that the parameter stores a date and time value. You can use the date and time picker to supply the parameter value.

    • DN: This syntax indicates that the parameter value is the Distinguished Name of a certain object. You can use the object picker to supply the parameter value.

    • ObjectGUID: This syntax indicates that the parameter value is the Globally Unique Identifier (GUID) of a certain object. You can use the object picker to supply the parameter value.

    • SID: This syntax indicates that the parameter value is the Security Identifier (SID) of a certain object. You can use the object picker to supply the parameter value.

    • SecureString: This syntax indicates that the workflow definition stores the parameter value in encrypted form using an encryption key provided by the Active Roles service. You can use this syntax to handle sensitive data such as passwords.

    • AttributeName: This syntax indicates that the parameter value is the name of a certain attribute from the directory schema. You can use the attribute picker to supply the parameter value.

  • Number of values: By default, a parameter can store a single value. You can configure a parameter to store a collection of multiple values.

  • Value is required: By default, a parameter may have no value. You can configure a parameter so that the workflow designer does not allow the workflow definition to be saved if no value is assigned to that parameter.

  • List of acceptable values: This property specifies a list of values that are allowed to be assigned to the attribute. If a given parameter has this property, then the Workflow Designer requires a value for that parameter to be selected from the list when you supply the parameter value. When you configure a parameter, you can specify a list explicitly, or you can configure the parameter to use a script that will generate a list of acceptable values or a single value for that parameter at workflow run time.

To add a parameter to a workflow definition

  1. In the Active Roles Console tree, expand Configuration > Policies > Workflow, and select the workflow you want to configure.

    This opens the Workflow Designer in the Details pane, representing the workflow definition as a process diagram.

  2. In the Details pane, click Workflow options and start conditions to expand the area above the process diagram, and then click Configure.

  3. Click the Parameters tab in the dialog that opens.

  4. On the Parameters page, click Add to open the Parameter Definition dialog.

  5. In the Parameter Definition dialog, complete the following fields:

    • Name: In this box, type the name you want to assign to the parameter. The name must be unique in the workflow definition.

    • (Optional) Description: Use this box to type a description of the parameter.

    • Display name: In this box, type the user-friendly name you want to assign to the parameter.

    • Syntax: From this list, select the syntax you want to the parameter to have. See a list of syntax options earlier in this topic.

      If you select the AttributeName syntax option, you are prompted to configure the attribute picker for this parameter. Select the object class whose attributes you want the attribute picker to list by default, and specify whether you want the attribute picker to allow selecting a different object class. You can also specify whether you want the attribute picker to allow selecting a single attribute or multiple attributes.

  6. If you want the parameter to store a collection of multiple values, select the This parameter is multivalued check box.

  7. If you want the Workflow Designer to require that a value be assigned to the parameter, select the This parameter must have a value check box.

  8. If you want to specify a list of acceptable values for the parameter, do one of the following:

    • Configure an explicit list of values by using the Add, Change, and Remove buttons below the Acceptable values box.

    • Click Use script to determine parameter values below the Acceptable values box if you want a list of acceptable values to be generated by a script at workflow run time. Then, click the button next to the Script name box to select the script module containing the desired script. The Script Module must be created beforehand. After you have selected a Script Module, in the Function to define a list of acceptable values list, click the name of the script function. You can choose from the script functions that exist in the Script Module. The function must be designed to return a collection of values that match the syntax of the parameter.

  9. If you want to use a script to assign a value to the parameter at workflow run time, click Use script to determine parameter values below the Acceptable values box. Then, click the button next to the Script name box to select the script module containing the desired script. The Script Module must be created beforehand. After you have selected a Script Module, in the Function to assign a value to this parameter list, click the name of the script function. You can choose from the script functions that exist in the Script Module. The function must be designed to return a value that matches the syntax of the parameter.

Parameters are used to specify certain data when configuring or starting the workflow and then pass that data to workflow activities when the workflow is running. The data is represented as parameter values. To assign a value to a given parameter, select the parameter from the list on the Parameters tab, and then click View or change parameter value.

Adding activities to a workflow

The Active Roles Console provides the Workflow Designer for creating and configuring workflows. First, you create a workflow definition. Then, you use the Workflow Designer to construct the workflow by adding and configuring workflow activities.

To add an activity to a workflow

  1. In the Active Roles Console tree, expand Configuration > Policies > Workflow, and select the workflow to which you want to add an activity.

    This opens the Workflow Designer window in the Details pane, representing the workflow definition as a process diagram.

  2. In the Details pane, drag the activity from the left panel onto the process diagram.

  3. Right-click the name of the activity in the process diagram and click Properties.

  4. Use the Properties dialog to configure the activity.

If you add an activity to the upper part of the diagram (above the Operation execution line), the activity will be run in the pre-running phase of operation processing. For more information, see Workflow processing overview. If you add an activity to the lower part of the diagram (beneath the Operation execution line), the activity will be run in the post-running phase of operation processing. Certain activities, such as an Approval activity, which are intended to run in the pre-running phase, cannot be added to the lower part of the diagram.

In the Properties dialog, you can change the name and description of the activity. These settings are common to all activities. The name identifies the activity in the process diagram. The description appears as a tooltip when you point to the activity in the process diagram. To remove an activity from the process diagram, right-click the name of the activity and click Delete.

Configure an Approval activity

The task of configuring an Approval activity includes the following steps:

  • Choose approvers and configure escalation: You have to specify, at a minimum, a list of approvers for the initial approver level. Active Roles first assigns approval tasks to the approvers of that level. You can configure additional approver levels to enable escalation of approval tasks.

  • Choose properties for the approver to review, supply or change: You can list the object properties that the approver must supply when performing the approval tasks (request for additional information), and choose whether the approver is allowed to view or change the object properties that are submitted for approval (review request).

  • Customize the pages for performing the approval task: You can customize the header of the approval task page by choosing the task title and object properties to be included in the header, and configure custom action buttons in addition to the default action buttons (Approve and Reject).

  • Configure notification: You can choose the workflow events to notify of, specify the notification recipients and delivery options, and customize the notification message.

This section provides instructions on how to:

For more information on how to configure notification settings, see Configuring a Notification activity.

Configure approvers

A valid approval rule must, at a minimum, specify a list of approvers for the initial approver level. Active Roles first assigns the approval task to the approvers of that level. You can configure additional approver levels to enable escalation of approval tasks.

To specify approvers for the initial approver level

  1. In the Active Roles Console tree, expand Configuration > Policies > Workflow, and select the workflow containing the Approval activity you want to configure.

    This opens the Workflow Designer in the Details pane, representing the workflow definition as a process diagram.

  2. In the process diagram, right-click the name of the Approval activity and click Properties.

  3. In the Properties dialog, navigate to the Approvers tab.

  4. Verify that the Initial approver - level 0 item is selected in the Select approver level to configure box.

  5. Click Designate approvers.

  6. On the Approvers Selection page, select check boxes to specify approvers.

  7. If you have selected These users or groups, use the Add and Remove buttons to configure the list of approvers.

If you enable escalation on the initial approver level (see Configure escalation), then you have to specify approvers for escalation level 1 (the escalation level subsequent to the initial approver level). Active Roles allows up to 10 escalation levels, each containing a separate list of approvers. If you enable escalation on a given escalation level, then you have to specify approvers for the subsequent escalation level.

To specify approvers for a certain escalation level

  1. In the Select approver level to configure list, click the escalation level you want to configure.

    To configure a particular escalation level, you must first specify approvers and enable escalation on the preceding approver level.

  2. Click Designate approvers.

  3. On the Approvers Selection page, select check boxes to specify approvers.

  4. If you have selected These users or groups, use the Add and Remove buttons to configure the list of approvers.

The selection of approvers can be based on the Manager or Managed By property:

  • By selecting the Manager of person who requested operation check box, you configure the Approval activity so that the operations requested by a given user require approval from the manager of that user. With this option, the operation initiated by the user submits the approval task to the person specified as the manager of the user in the directory.

  • By selecting the Manager of operation target object or Manager of Organizational Unit where operation target object is located check box, you configure the Approval activity so that the changes to a given object require approval from the manager of that object or from the manager of the OU containing that object, respectively. With these options, the operation requesting changes to a given object submits the approval task to the person specified as the manager of the object or OU in the directory.

  • By selecting the Secondary owners of operation target object check box, you configure the Approval activity so that the changes to the operation target object require approval from any person who is designated as a secondary owner of that object. Secondary owners may be assigned to an object, in addition to the manager (primary owner), to load balance the management of the object.

  • By selecting the Manager of person being added or removed from target group check box, you configure the Approval activity so that the addition or removal of an object from the operation target group requires approval from the manager of that object. For example, given a request to add a user to the operation target group, this option causes the Approval activity to submit the approval task to the person specified as the manager of the user in the directory.

When you specify approvers for an escalation level, additional options are available:

  • Manager of approver of preceding level: Use this option to escalate the approval task to the manager of the user or group that is designated as an approver on the preceding approver level. Suppose a given user is an initial approver, and escalation is enabled on the initial approver level. When escalation occurs, the approval task will be assigned to the manager of that user.

  • Secondary owner of approver of preceding level: Use this option to escalate the approval task to the secondary owner of the user or group that is designated as an approver on the preceding approver level. Suppose a given group is an initial approver, and escalation is enabled on the initial approver level. When escalation occurs, the approval task will be assigned to the secondary owner of that group.

The selection of approvers may also be based on a script function that chooses the approver when the Approval activity is being executed. The function may access properties of objects involved in the operation, analyze the properties, and return an identifier of the user or group to be selected as an approver. For more information and instructions, refer to the Developing Functions for Designating Approvers topic in the Active Roles SDK documentation.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级