
Active Roles 8.2.1 - Feature Guide


About custom script policies

Active Roles provides the ability to implement administrative policies by running user-developed scripts. This makes it possible to:

  • Facilitate the provisioning of user accounts: Populate user properties through external database integration and automate multi-step provisioning tasks.

  • Maintain the integrity of directory content: Prevent inconsistency of Active Directory data by enforcing update-sequence and data-format policies across the enterprise.

  • Enforce business rules: Maintain security design and capture administration expertise by integrating business rules into the administrative workflow.

Once configured, the custom script-based policies are enforced without user interaction. Active Roles automatically handles the execution of policy scripts that supplement particular administrative operations and trigger additional administrative actions. For example, policy scripts can be used to:

  • Perform a sophisticated validity check on input data.

  • Synchronously change information in multiple data sources, such as the Active Directory store, Microsoft Exchange Server, and HR or ERP-system database.

  • Ensure that delegated administrators follow a prescribed administrative workflow.

  • Link multiple administrative tasks into one operator transaction.

About dynamic groups

Active Roles helps streamline group maintenance by defining group membership dynamically, with rule-based membership criteria. Dynamic group membership eliminates the need to manually update membership lists for security and distribution groups.

To automate the maintenance of group membership lists, Active Roles provides:

  • A rule-based mechanism that automatically adds objects to groups and removes them from groups whenever object attributes change in Active Directory.

  • Flexible membership criteria that enable both query-based and static population of groups.

The membership criteria fall into these categories:

  • Include Explicitly: Ensures that specified objects are included in the membership list, regardless of any changes made to the objects.

  • Include by Query: Populates the membership list with objects that have certain properties. When an object is created, or when its properties are changed, Active Roles adds or removes it from the membership list (depending on whether the object’s properties match the search criteria).

  • Include Group Members: Populates the membership list with members of the selected groups. When an object is added to or removed from the selected groups, Active Roles adds or removes that object from the membership list.

  • Exclude Explicitly: Ensures that specified objects are not in the membership list, regardless of any changes made to the objects.

  • Exclude by Query: Ensures that objects with certain properties are not in the membership list. Active Roles automatically removes objects from the membership list (depending on whether the objects’ properties match the search criteria).

  • Exclude Group Members: Ensures that members of specified groups are not in the membership list. When an object is added to any one of the selected groups, Active Roles automatically removes that object from the membership list.

These membership criteria are also applicable to Managed Units.
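
The six criteria above, modelled over constructed objects as an added example (not code from Active Roles or this guide), show that write access to an attribute used by an Include by Query rule is in effect write access to the group. It assumes that any matching exclusion overrides every inclusion, which this page does not state; all names, groups, attribute values and function names are hypothetical.

```powershell
# Constructed sample objects: every name, group and attribute value is hypothetical.
$directory = @(
    @{ Name = 'alice'; Department = 'Finance'; Disabled = $false; MemberOf = @() }
    @{ Name = 'bob';   Department = 'Finance'; Disabled = $true;  MemberOf = @() }
    @{ Name = 'carol'; Department = 'Sales';   Disabled = $false; MemberOf = @('Finance-Auditors') }
    @{ Name = 'dave';  Department = 'Sales';   Disabled = $false; MemberOf = @('Finance-Auditors', 'Contractors') }
    @{ Name = 'erin';  Department = 'IT';      Disabled = $false; MemberOf = @() }
    @{ Name = 'frank'; Department = 'Finance'; Disabled = $false; MemberOf = @() }
    @{ Name = 'grace'; Department = 'Sales';   Disabled = $false; MemberOf = @() }
)

# One entry per membership criterion category listed above.
$rules = @{
    IncludeExplicitly   = @('erin')
    IncludeByQuery      = { param($o) $o.Department -eq 'Finance' }
    IncludeGroupMembers = @('Finance-Auditors')
    ExcludeExplicitly   = @('frank')
    ExcludeByQuery      = { param($o) $o.Disabled }
    ExcludeGroupMembers = @('Contractors')
}

function Test-InAnyGroup($Object, $Groups) {
    foreach ($g in $Groups) { if ($Object.MemberOf -contains $g) { return $true } }
    return $false
}

function Get-DynamicGroupMembers($Objects, $Rules) {
    foreach ($o in $Objects) {
        $included = ($Rules.IncludeExplicitly -contains $o.Name) -or
                    (& $Rules.IncludeByQuery $o) -or
                    (Test-InAnyGroup $o $Rules.IncludeGroupMembers)
        $excluded = ($Rules.ExcludeExplicitly -contains $o.Name) -or
                    (& $Rules.ExcludeByQuery $o) -or
                    (Test-InAnyGroup $o $Rules.ExcludeGroupMembers)
        # Assumption: any matching exclusion overrides every inclusion.
        if ($included -and -not $excluded) { $o.Name }
    }
}

$before = @(Get-DynamicGroupMembers $directory $rules)

# Simulate a single attribute edit: grace's department changes to Finance.
$grace = $directory | Where-Object { $_.Name -eq 'grace' }
$grace.Department = 'Finance'
$after = @(Get-DynamicGroupMembers $directory $rules)

"Before edit: $($before -join ', ')"
"After edit:  $($after -join ', ')"
"Added by the attribute change: $(($after | Where-Object { $before -notcontains $_ }) -join ', ')"
```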

About workflows

Active Roles provides a rich workflow system for directory data management automation and integration. Based on the Microsoft Windows Workflow Foundation technology, this workflow system enables IT to define, automate and enforce management rules quickly and easily. Workflows extend the capabilities of Active Roles with a framework for combining versatile management rules, such as provisioning and deprovisioning of identity information in the directory, enforcing policy rules on changes to identity data, routing data changes for approval, and sending email notifications of particular events and conditions. Workflows can also implement custom actions using script technologies such as Microsoft Windows PowerShell or VBScript.

Suppose you need to provision user accounts based on data from external systems. The data is retrieved and then conveyed to the directory by using feed services that work in conjunction with Active Roles. A workflow can be created to coordinate the operations in account provisioning. For example, different rules can be applied for creating or updating accounts held in different containers.

Workflows may also include approval rules that require certain changes to be authorized by designated persons (approvers). When designing an approval workflow, the administrator specifies which kind of operation causes the workflow to start, and adds approval rules to the workflow. The approval rules determine who is authorized to approve the operation, the required sequence of approvals, and who needs to be notified of approval tasks or decisions.

By delivering email notifications, workflows extend the reach of management process automation throughout the enterprise. Notification activities in a workflow let people be notified via email about events, conditions or tasks awaiting their attention. For example, approval rules can notify of change requests pending approval, or separate notification rules can be applied to inform about data changes in the directory. Notification messages include all necessary supporting information, and provide hyperlinks enabling message recipients to take actions using a standard web browser.

The logic of an automated management process can be implemented by using administrative policies in Active Roles. Yet creating and maintaining complex, multi-step processes in that way can be challenging. Workflows provide a different approach, enabling IT administrators to define a management process graphically. This can be faster than building the process by applying individual policies, and it also makes the process easier to understand, explain and change.

About workflow features and activities

Active Roles supports the following major workflow features and activities:

Getting started

To get started with workflows, see the following resources:

  • For more information on the listed workflow features and activities, see the linked sections.

  • For more information on workflows in general, see Workflows in the Active Roles Administration Guide.
