立即与支持人员聊天
与支持团队交流

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Changing the core Administration Service settings

From the Administration Service page in the Configuration Center main window, you can change:

  • The service account.

    Click Change in the Service account area. In the wizard that appears, supply the logon name and password of the domain user account in which you want the Administration Service to run.

  • The Active Roles Admin account.

    Click Change in the Active Roles Admin area. In the wizard that appears, specify the group or user account you want to have the Active Roles Admin rights.

  • The Active Roles database.

    Click Change in the Active Roles database area. In the wizard that appears, specify the database type and the database server instance and the database you want the Administration Service to use, and choose the database connection authentication mode (Windows authentication or SQL Server login). You have the option to specify a separate database for storing management history data.

    NOTE: Azure Databases can be connected only using SQL Server authentication.

Importing configuration data

IMPORTANT: During in-place upgrade, when importing from the source database (Configuration and Management History database), the following database permissions are automatically migrated from the previously used (source) SQL database to the new (destination) SQL database:

  • Active Roles database users with associated permissions.

  • SQL logins mapped to Active Roles database users.

  • Roles.

The service account that is used for performing the in-place upgrade or the import or migration operation should have the following permissions in the SQL Server to perform the operation:

  • db_datareader fixed database role in the source database.

  • db_owner fixed database role and the default schema of dbo in the destination database.

  • sysadmin fixed server role in the destination database.

If a limited SQL access account is used for performing the in-place upgrade, a manual action is required to pre-create the new Active Roles databases. For more information, see Knowledge Base Article 4303098 on the One Identity Support Portal.

By default, the database users, permissions, logins, and roles are imported to the destination database. You can clear the Copy database users, permissions, logins, and roles check box in the following locations depending on the operation:

  • During in-place upgrade: in the Upgrade configuration window.

  • Importing configuration: Import Configuration > Source Database > Configure advanced database properties.

  • Importing management history: Import Management History > Source database > Configure advanced database properties.

NOTE: Depending on the infrastructure, the import operation may take several minutes to complete.

The task of importing configuration data arises when you upgrade the Administration Service. In this case, you need to transfer the Active Roles configuration data from the database used by your Administration Service of the earlier version to the database used by your Administration Service of the new version. To perform this task, click Import configuration on the Administration Service page in the Configuration Center main window, and follow the steps in the Import configuration wizard that appears.

The Import configuration wizard prompts you to specify the Active Roles database from which you want to import the configuration data (source database) and identifies the database of the current Administration Service to which the configuration data will be imported (destination database), letting you choose the connection authentication mode (Windows authentication, SQL Server login or Azure AD login) for each database.

The Add-on advisor page displays all the pre-installed add-ons for the earlier version of Active Roles. These Add-ons must be uninstalled manually from the earlier version using the Active Roles Add-on Manager and from the system where ever applicable, before continuing configuration import.

The Azure Tenant association page displays the lists of configured Azure tenants in the source database and options for association. The Azure Tenant association section notifies you to select an Azure tenant from the drop-down list of Azure tenants configured in the source database, and the selected Azure tenant is associated with all Azure objects in the destination database. You can also choose to Run Azure Tenant association immediately or Schedule Azure Tenant association, where you select the date and time from the Calendar to run the Azure tenant association.

NOTE: Consider the following when running Azure Tenant association:

  • If Azure Tenant association is scheduled at a certain time and the upgrade/import operation is still in progress or completes after the Azure Tenant association scheduled time, the tenants are not associated. You have to run the built-in scheduled task Update Azure Objects Associated Tenant Id from the Active Roles Console to manually associate the Azure Tenants.

  • Alternatively, Azure Tenant association can be run at any time using the template workflow Update Azure Objects Associated Tenant Id available in the built-in Workflow Container. The parameter in the script used by the workflow can be configured with the required tenant ID. You can use the drop-down to select a default Azure Tenant from the list of available Azure Tenants. The script used by the workflow can be modified to Search Azure objects based on the requirement.

The Services association page displays options to configure the Administration Services for running Dynamic Groups, Group Families, and Scheduled tasks. You can choose to run the Services association immediately or Schedule Service association.

NOTE: If Services association is scheduled at a certain time and the upgrade/import operation is still in progress or completes after the Services association scheduled time, the services are not associated. You have to run the built-in scheduled task Update Services To Execute On from the Active Roles Console to manually associate the Services.

To ensure Dynamic Groups, Group Families, and Scheduled tasks continue to function after an import the installation configures the new Active Roles server as the executing server for the tasks mentioned above. The configuration mentioned in the Services association page runs after an upgrade.

NOTE: Consider the following when running Services association:

  • Alternatively, Services association can be performed any time using the template workflow Update Services To Execute On available in the built-in Workflow Container. The parameters in the script used by the workflow can be configured to the required Administration Services, such as, Dynamic Group Service, Group Family Service, Scheduled Task Service. You can select the Administration Service from the drop-down list. The drop-down list displays all the currently running Administration Services that are connected to the current configuration database. If the parameter value is not selected, then the current Administration Service is used.

  • Services association does not update certain scheduled tasks, For example, scheduled tasks that cannot be edited (Managed Object Counter) or scheduled tasks that are set to All servers option.

After successfully uninstalling the add-ons, the wizard performs the import operation. During the import operation, the wizard retrieves and upgrades the data from the source database, and replaces the data in the destination database with the upgraded data from the source database.

For further information and step-by-step instructions, see “Importing configuration data” in the Active Roles Quick Start Guide.

Importing Management History data

IMPORTANT: During in-place upgrade, when importing from the source database (Configuration and Management History database), the following database permissions are automatically migrated from the previously used (source) SQL database to the new (destination) SQL database:

  • Active Roles database users with associated permissions.

  • SQL logins mapped to Active Roles database users.

  • Roles.

The service account that is used for performing the in-place upgrade or the import or migration operation should have the following permissions in the SQL Server to perform the operation:

  • db_datareader fixed database role in the source database.

  • db_owner fixed database role and the default schema of dbo in the destination database.

  • sysadmin fixed server role in the destination database.

If a limited SQL access account is used for performing the in-place upgrade, a manual action is required to pre-create the new Active Roles databases. For more information, see Knowledge Base Article 4303098 on the One Identity Support Portal.

By default, the database users, permissions, logins, and roles are imported to the destination database. You can clear the Copy database users, permissions, logins, and roles check box in the following locations depending on the operation:

  • During in-place upgrade: in the Upgrade configuration window.

  • Importing configuration: Import Configuration > Source Database > Configure advanced database properties.

  • Importing management history: Import Management History > Source database > Configure advanced database properties.

Although this task looks similar to the task of Importing configuration data, there are important differences:

  • Due to a much larger volume of management history data compared to configuration data, importing management history data takes much longer than importing configuration data.

  • As management history data has dependencies on configuration data (but not vice versa), configuration data must be imported first, and then management history data can be imported as needed.

Because of these considerations, Configuration Center provides a different wizard for importing management history. The distinctive features of the Import Management History wizard are as follows:

  • The wizard does not replace the existing data in the destination database. It only retrieves and upgrades management history records from the source database, and then adds the upgraded records to the destination database.

  • The wizard allows you to specify the date range for the management history records you want to import, so you can import only records that occurred within a particular time frame instead of importing all records at a time.

  • Canceling the wizard while the import operation is in progress does not cause you to lose the import results, so you can stop the import operation at any time. The records imported by the time that you cancel the wizard are retained in the destination database. If you start the wizard again, the wizard imports only records that were not imported earlier.

To start the Import Management History wizard, click Import Management History on the Administration Service page in the Configuration Center main window. The wizard prompts you to specify the Active Roles database from which you want to import the Management History data (source database) and identifies the database of the current Administration Service to which the Management History data will be imported (destination database), letting you choose the connection authentication mode (Windows authentication, SQL Server login, or Azure AD login) for each database. Then, the wizard lets you choose whether you want to import all Management History records or only records within a certain date range, and performs the import operation. During the import operation, the wizard retrieves and upgrades Management History records from the source database, and adds the upgraded records to the destination database.

For further information and step-by-step instructions, see “Importing Management History data” in the Active Roles Quick Start Guide.

Viewing the state of the Administration Service

On the Administration Service page in the Configuration Center main window, you can view the state of the Administration Service, such as:

  • Ready for use: Administration Service is running and ready to process client requests.

  • Getting ready: Administration Service has just started and is preparing to process client requests.

  • Stopping: Administration Service is preparing to stop.

  • Stopped: Administration Service is stopped.

  • Unknown: Unable to retrieve the state information.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级