Active Roles enforces policies by applying Policy Objects to promote data integrity throughout the directory. This is done by generating and validating the data entered into the directory. Each Policy Object is basically a container that holds one or more policy entries (also referred to as policies).
There are several types of policy entries that can be configured within a Policy Object. The two major ones are Property Generation and Validation, and Script Execution. Property Generation and Validation policy entries provide a point-and-click interface for creating basic rules for attribute population. Script Execution policy entries enable the use of scripting for a broad range of custom actions that could supplement, extend, or replace the policy types included with Active Roles out of the box.
Just as with Group Policy Objects in Active Directory, the location that Active Roles’ Policy Objects are linked to is critical:
-
Any policies that are intended to affect the entire domain should be included into a Policy Object linked at the domain level. If needed, filtering can be used to exclude specific objects or containers (Organizational Units) from being processed by these policies.
-
If more than one object or containers needs to be excluded from the effect of a domain-wide policy, it is best to include those objects or containers explicitly into a Managed Unit and then apply policy filtering to that Managed Unit by using the Block Inheritance option.
From here, the best way to apply policies is at the top level of the directory tree they will affect. Usually, however policies are only needed to affect certain Organizational Units within the tree. In this case, a Managed Unit is the most effective way to apply the policies. Include the desired Organizational Units explicitly into a Managed Unit, and then link the Policy Object to that Managed Unit.
A policy consists of three major components. These are:
-
A policy entry that defines the policy
-
A Policy Object containing that policy entry
-
A Policy Object link that determines where the policy is applied in the directory
Typically, a single Policy Object includes all the entries for a specific set of policies. It is not efficient to create one entry per Policy Object since this defeats the purpose of having separation between the Policy Object and policy entries.
A policy cannot be filtered for specific sets of administrators. Once applied to a given object or container, a policy will be in effect for every administrator under every condition. This is unless a Script Execution policy is included as a policy entry that utilizes the IEDSEffectivePolicyRequest interface to override the policies determined by other policy entries. This interface is documented in Active Roles SDK.
Script Execution polices are policy entries that utilize scripts written in a scripting language such as Microsoft Windows PowerShell or VBScript. Policy scripts use event handles that are executed before or after every action that can happen in the directory. See the following table for a list of these handlers.
Name |
Description |
onPreCreate |
In a script policy applied to a container; receives control upon a request to create an object in that container. This enables a script to perform custom actions prior to creating an object. |
onPostCreate |
In a script policy applied to a container; receives control after a request to create an object in that container is completed. This enables a script to perform custom actions further to creating an object. |
onPreDelete |
Receives control upon a request to delete an object. Enables a script to perform custom actions prior to deleting an object. |
onPostDelete |
Receives control after a request to delete an object is completed. Enables a script to perform custom actions further to deleting an object. |
onPreModify |
Receives control upon a request to start changing object properties. Enables a script to perform custom actions prior to applying changes to an object. |
onPostModify |
Receives control after a request to change object properties is completed. Enables a script to perform custom action further to changing an object's property values. |
onPreMove |
In a script policy applied to a container, this function receives control upon a request to start moving an object from that container. This enables a script to perform custom actions prior to moving an object. |
onPostMove |
In a script policy applied to a container, this function receives control after a request to move an object to that container is completed. This enables a script to perform custom actions further to moving an object. |
onPreRename |
Receives control upon a request to start renaming an object. Enables a script to perform custom actions prior to renaming an object. |
onPostRename |
Receives control after a request to rename an object is completed. Enables a script to perform custom actions further to renaming an object. |
onPreGet |
Receives control upon a request to retrieve object properties. Enables a script to perform custom actions prior to starting the retrieval of an object's property values. |
onPostGet |
Receives control after a request to retrieve object properties is completed. Enables a script to perform custom actions following the retrieval of an object's property values. |
onPreSearch |
Receives control upon a request to start a search. Enables a script to perform custom actions prior to starting a search. |
onPreDeprovision |
Receives control upon a request to execute the Deprovision operation. Enables a script to perform custom actions prior to starting the operation. |
onDeprovision |
Receives control in the course of processing a request to execute the Deprovision operation. Enables the use of a script for customizing the behavior of the operation. |
onPostDeprovision |
Receives control after a request to execute the Deprovision operation is completed. Enables a script to perform custom actions following the operation. |
onPreUnDeprovision |
Receives control upon a request to execute the Undo Deprovisioning operation. Enables a script to perform custom actions prior to starting the operation. |
onUnDeprovision |
Receives control in the course of processing a request to execute the Undo Deprovisioning operation. Enables the use of a script for customizing the behavior of the operation. |
onPostUnDeprovision |
Receives control after a request to execute the Undo Deprovisioning operation is completed. Enables a script to perform custom actions following the operation. |
onPreUnDelete |
Receives control upon a request to execute the Undelete operation. Enables a script to perform custom actions prior to starting the operation. |
onPostUnDelete |
Receives control after a request to execute the Undelete operation is completed. Enables a script to perform custom actions following the operation. |
onCheckPropertyValues |
Receives control upon a request to verify and validate the changes that are going to be made to an object. Enables a script to perform custom actions further to normal validity checks on an object. |
onGetEffectivePolicy |
Receives control upon a request to retrieve the policy settings that are in effect on a particular object (such as policy constraints on property values). Enables a script to perform custom actions further to retrieval of policy settings. |
onInit |
Receives control when the Administration Service retrieves the definition of the script parameters, enabling the script to manifest the name and other characteristics of each parameter. |
onFilter |
Boolean-valued function that is evaluated during execution of the onPreSearch event handler, allowing search results to be filtered based on properties of objects returned by the search. For details, see IEDSRequestParameters Properties in the Active Roles SDK documentation. |
Basically, when an action happens, Active Roles looks to see if there are any Policy Objects applied that hold Script Execution policies. If so, the policy script is checked to see if it has an event handler for the specific action being performed. The object being acted upon is passed into the event handler for further actions. These event handlers are normally run in the security context of the service account, so even if a user does not have rights to perform the actions outlined in the policy script, it will still execute correctly. If any errors occur during the execution of a policy script, the errors can be found in the Active Roles event log for post-action handlers and are displayed to the client for pre-action handlers.
Policy scripts are typically written in a scripting language such as Windows PowerShell or VBScript. Many examples of scripts based on Windows PowerShell and VBScript, along with instructions on how to use the Active Roles ADSI Provider both for policy scripts and for standalone scripts, can be found in the Active Roles SDK documentation.
It is also important to note that policy scripts can pick up and take action upon directory changes made natively, as well. To turn on this behavior, you should choose the option that directs in the policy script to handle directory changes reported by the directory synchronization function (select the Handle changes from DirSync control check box on the Script Module tab in the Properties dialog for the policy entry), and use the IEDSRequestParameters interface in a post-action event handler. More on this topic can be found in the Active Roles SDK documentation.