立即与支持人员聊天
与支持团队交流

Active Roles 7.6.1 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only distribution groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Active Roles integration with other One Identity and Quest products Appendix F: Active Roles integration with Duo Appendix G: Active Roles integration with Okta

Administration Service management tasks

After installing Active Roles, you perform the initial configuration task to create the Administration Service instance, getting it ready for use. Then, you can use Configuration Center to:

  • View or change the core Administration Service settings such as the service account, the Active Roles Admin account, and the database
  • Import configuration data from an Active Roles database of the current version or an earlier version to the current database of the Administration Service
  • Import management history data from an Active Roles database of the current version or an earlier version to the current database of the Administration Service
  • View the state of the Administration Service
  • Start, stop or restart the Administration Service

Here you can find an overview of these tasks.

View the core Administration Service settings

On the Administration Service page in the Configuration Center main window, you can view:

  • The logon name of the service account
  • The name of the group or user account that has the Active Roles Admin rights
  • The SQL Server instance that hosts the Active Roles Configuration database
  • The name of the Active Roles Configuration database
  • The Configuration database connection authentication mode (Windows authentication or SQL Server login)
  • The SQL Server instance that hosts the Active Roles Management History database
  • The name of the Active Roles Management History database
  • The Management History database connection authentication mode (Windows authentication or SQL Server login)

Change the core Administration Service settings

From the Administration Service page in the Configuration Center main window, you can change:

  • The service account

    Click Change in the Service account area. In the wizard that appears, supply the logon name and password of the domain user account in which you want the Administration Service to run.

  • The Active Roles Admin account

    Click Change in the Active Roles Admin area. In the wizard that appears, specify the group or user account you want to have the Active Roles Admin rights.

  • The Active Roles database

    Click Change in the Active Roles database area. In the wizard that appears, specify the database type and the database server instance and the database you want the Administration Service to use, and choose the database connection authentication mode (Windows authentication or SQL Server login). You have the option to specify a separate database for storing management history data.

    NOTE: Azure Databases can be connected only using SQL Server authentication.

Import configuration data

IMPORTANT:

During in-place upgrade, when importing from the source database (Configuration and Management History database), the following database permissions are automatically migrated from the previously used (source) SQL database to the new (destination) SQL database:
  • ARS database users with associated permissions.

  • SQL logins mapped to ARS database users.

  • Roles.

The service account that is used for performing the in-place upgrade or the import or migration operation should have the following permissions in the SQL Server to perform the operation:

  • db_datareader fixed database role in the source database.

  • db_owner fixed database role and the default schema of dbo in the destination database.

  • sysadmin fixed server role in the destination database.

By default, the database users, permissions, logins, and roles are imported to the destination database. You can clear the Copy database users, permissions, logins, and roles check box in the following locations depending on the operation:

  • During in-place upgrade: in the Upgrade configuration window.

  • Importing configuration: Import Configuration > Source Database > Configure advanced database properties.

  • Importing management history: Import Management History > Source database > Configure advanced database properties.

NOTE: Depending on the infrastructure, the import operation may take several minutes to complete.

The task of importing configuration data arises when you upgrade the Administration Service. In this case, you need to transfer the Active Roles configuration data from the database used by your Administration Service of the earlier version to the database used by your Administration Service of the new version. To perform this task, click Import configuration on the Administration Service page in the Configuration Center main window, and follow the steps in the Import configuration wizard that appears.

The Import configuration wizard prompts you to specify the Active Roles database from which you want to import the configuration data (source database) and identifies the database of the current Administration Service to which the configuration data will be imported (destination database), letting you choose the connection authentication mode (Windows authentication, SQL Server login or Azure AD login) for each database.

The Add-on advisor page displays all the pre-installed add-ons for the earlier version of Active Roles. These Add-ons must be uninstalled manually from the earlier version using the Active Roles Add-on Manager and from the system where ever applicable, before continuing configuration import.

The Azure Tenant association page displays the lists of configured Azure tenants in the source database and options for association. The Azure Tenant association section notifies you to select an Azure tenant from the drop-down list of Azure tenants configured in the source database, and the selected Azure tenant is associated with all Azure objects in the destination database. You can also choose to Run Azure Tenant association immediately or Schedule Azure Tenant association, where you select the date and time from the Calendar to run the Azure tenant association.

NOTE:

  • If Azure Tenant association is scheduled at a certain time and the upgrade/import operation is still in progress or completes after the Azure Tenant association scheduled time, the tenants are not associated. You have to run the built-in scheduled task Update Azure Objects Associated Tenant Id from the Active Roles console to manually associate the Azure Tenants.
  • Alternatively, Azure Tenant association can be run at any time using the template workflow Update Azure Objects Associated Tenant Id available in the Built-in Workflow Container. The parameter in the script used by the workflow can be configured with the required tenant ID. You can use the drop-down to select a default Azure Tenant from the list of available Azure Tenants. The script used by the workflow can be modified to Search Azure objects based on the requirement.

The Services association page displays options to configure the Administration services for executing Dynamic Groups, Group Families, and Scheduled tasks. You can choose to run the Services association immediately or Schedule Service association.

NOTE: If Services association is scheduled at a certain time and the upgrade/import operation is still in progress or completes after the Services association scheduled time, the services are not associated. You have to run the built-in scheduled task Update Services To ExecuteOn from the Active Roles console to manually associate the Services.

To ensure Dynamic Groups, Group Families, and Scheduled tasks continue to function after an import the installation configures the new Active Roles server as the executing server for the tasks mentioned above. The configuration mentioned in the Services association page runs after an upgrade.

NOTE:

  • Alternatively, Services association can be performed any time using the template workflow Update Services To Execute On available in the built-in Workflow Container. The parameters in the script used by the workflow can be configured to the required administration services, such as, Dynamic Group Service, Group Family Service, Scheduled Task Service. You can select the administration service from the drop-down list. The drop-down list displays all the currently running administration services that are connected to the current configuration database. If the parameter value is not selected, then the current administration service is used.
  • Services association does not update certain scheduled tasks, For example, scheduled tasks that cannot be edited (Managed Object Counter) or scheduled tasks that are set to All servers option.

After successfully uninstalling the add-ons, the wizard performs the import operation. During the import operation, the wizard retrieves and upgrades the data from the source database, and replaces the data in the destination database with the upgraded data from the source database.

For further information and step-by-step instructions, see “Importing configuration data” in the Active Roles Quick Start Guide.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级