立即与支持人员聊天
与支持团队交流

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Deprovision an existing Active Roles user for SaaS products

Active Roles provides the ability to deprovision SaaS product users. When an Active Roles user is deprovisioned, if the user is mapped to Starling Connect, then the user is deprovisioned from the selected connected system. This means the Active Roles SaaS product user is prevented from logging on to the network and connecting to any of the connected systems through the registered connectors.

The Deprovision command on a user updates the account as prescribed by the deprovisioning policies.

Active Roles comes with a default policy to automate some commonly-used deprovisioning tasks, and allows the administrator to configure and apply additional policies.

To deprovision a user for a SaaS product

  1. On the Active Roles Web Interface navigation bar, click Directory Management.

  2. On the Views tab in the Browse pane, click Active Directory.

    The list of Active Directory domains is displayed.

  3. Click the specific domain, Container or the Organizational Unit, and then select the check box corresponding to the specific user, which you want to deprovision for SaaS products

  4. Select the user, and in the Command pane, click Deprovision.

    A message is displayed prompting you to confirm the account deprovision.

  5. Click Yes to continue.

    Wait while Active Roles updates the user.

    After the task is completed, a message is displayed that the account is deprovisioned successfully from Active Roles.

    If the user is mapped to Starling Connect, then the user is deprovisioned from the connected systems.

To undo deprovision of a user for a SaaS product

  1. On the Active Roles Web Interface navigation bar, click Directory Management.

  2. On the Views tab in the Browse pane, click Active Directory.

    The list of Active Directory domains is displayed.

  3. Click the specific domain, Container or the Organizational Unit, and then select the check box corresponding to the specific user, which you want to undo deprovision for SaaS products.

  4. In the Command pane, click Undo Deprovisioning.

    The Password Options dialog is displayed.

  5. Select the option to Leave the Password unchanged or Reset the password, and click OK.

Notifications for Starling operations

The Notification pane displays the notification specific to Starling operations. The notifications are classified into Starling Connect and Updates.

IMPORTANT: Consider the following when configuring notifications for Starling operations:

  • The Web Interface machine must be able to resolve Service machine name for notifications to work.

To view the Starling Connect notification

  1. On the Active Roles Web Interface, click the notification icon.

    Starling Connect and Updates tabs are displayed.

  2. Click the Starling Connect tab to view the notifications specific to SaaS operations.

    NOTE: The latest five notifications are sent only to the initiator of the operation.

To view the Updates

  1. On the Active Roles Web Interface, click the notification icon.

    Starling Connect and Updates tabs are displayed.

  2. Click the Updates tab to view the important updates about Starling.

  3. For more information on the notification, click Read More.

    NOTE: The notifications are sent to all the users who have joined Starling on the Administration website.

To view notifications on the Notifications page

  1. On the Active Roles Web Interface, click the notification icon.

    Starling Connect and Updates tabs are displayed.

  2. Click the Starling Connect tab to view the notifications specific to SaaS operations.

    The latest five notifications are displayed with the configuration status and a brief description.

  3. Click View all notifications to view the details about the notification.

    The Notification page is displayed.

  4. Click Filter drop-down menu to filter the notifications based on time, connector name , status, and keywords.

  5. Select the required notifications and click Export to CSV from the Action drop-down. Click Go. You can also delete a notification by selecting a particular checkbox.

  6. Point the mouse to the notification in the Message column to view a detailed description. Expand the connector information available next to the connector check box to view the detailed description. The description pane gives the link to Change History of that particular object for more details. You can also copy the message in case of a failure.

Configuring notification settings

You can configure notifications settings from the Home screen > Settings page and Home screen > Customization > Global Settings.

To configure notification settings on the Settings page

  1. On the Active Roles Web Interface, click the Settings.

    The Settings page is displayed.

  2. On the Settings page, enter the time in minutes for which the notification is to be visible in Time (in minutes) for which the notification is visible field.

    NOTE: By default, the time is set to 0 and the notifications do not expire. You can update the time to the required limit in minutes.

  3. Enter the number of notifications to be stored in Maximum number of notifications to be stored in Active Roles field.

    NOTE: The maximum number of notifications that can be stored is 1000.

To configure notification settings on the Customization page

  1. On the Active Roles Web Interface, click the Customization.

    The Customization page is displayed.

  2. On the Customization page, click Global Settings.

  3. In the Settings applied for every user of the Web Interface by default section, enter the time in minutes for which the notification is to be visible in Time (in minutes) for which the notification is visible field.

    NOTE: By default, the time is set to 0 and the notifications do not expire. You can update the time to the required limit in minutes.

  4. Enter the number of notifications to be stored in Maximum number of notifications to be stored in Active Roles field.

    NOTE: The maximum number of notifications that can be stored is 1000.

IMPORTANT: For notifications to work as expected, you must perform the following, if you are using Active Roles website over HTTPS:

  • Import a valid certificate into Trusted Root Certificate Authority in the machine where Active Roles Service is installed.

  • In the below command, substitute thumbprint of the newly added certificate to CERT_HASH.

  • In the below command, substitute a Unique GUID to APP_ID.

  • Run the command below in PowerShell command interface:

    netsh http add sslcert ipport=0.0.0.0:7466 appid='{APP_ID}' certhash=<CERT_HASH>.

SCIM attribute mapping with Active Directory

Active Roles provides support to connect to Starling Connect to manage the user provisioning and deprovisioning activities for the registered connectors. This is achieved through the internal attribute mapping mechanism. The AD attributes are mapped to SCIM attributes to perform each operation.

Table 97: SCIM attribute mapping with Active Directory for Users
SCIM Active Directory

displayName

displayName

givenName

givenName

familyName

sn

middleName

middleName

title

title

password

edsaPassword

streetAddress

streetAddress

locality

city

postalCode

postalCode

region

state

country

c

active

edsaAccountIsDisabled

userName

edsvauserName

honorificPrefix

initials

formattedName

cn

emails

proxyAddresses,mail

preferredLanguage

preferredLanguage

description

description

emailEncoding

edsvaemailEncoding

alias

edsvaalias

division

division

company

company

department

department

homePage

wWWHomePage

lastLogon

lastLogon

accountExpires

accountExpires

timezone

edsvatimezone

entitlements

edsvaentitlements

employeeNumber

employeeNumber

cn

cn

userPermissionsMarketingUser

edsvauserPermissionsMarketingUser

userPermissionsOfflineUser

edsvauserPermissionsOfflineUser

userPermissionsAvantgoUser

edsvauserPermissionsAvantgoUser

userPermissionsCallCenterAutoLogin

edsvauserPermissionsCallCenterAutoLogin

userPermissionsMobileUser

edsvauserPermissionsMobileUser

userPermissionsSFContentUser

edsvauserPermissionsSFContentUser

userPermissionsKnowledgeUser

edsvauserPermissionsKnowledgeUser

userPermissionsInteractionUser

edsvauserPermissionsInteractionUser

userPermissionsSupportUser

edsvauserPermissionsSupportUser

userPermissionsLiveAgentUser

edsvauserPermissionsLiveAgentUser

locale

localeID

phoneNumbers

telephoneNumber,mobile,homePhone

manager

manager

desiredDeliveryMediums

edsvadesiredDeliveryMediums

nickname

edsvanickname

Table 98: SCIM attribute mapping with Active Directory for Groups

SCIM

Active Directory

displayName

cn

members

member

email

mail

manager

managedBy

Configuring linked mailboxes with Exchange Resource Forest Management

The Exchange Resource Forest Management (ERFM) feature of Active Roles allows you to automate mailbox provisioning for on-premises users in environments where the mailboxes and the user accounts are managed in different Active Directory (AD) forests. Such multi-forest environments are based on the resource forest model, and mailboxes provisioned in such environments are called linked mailboxes.

Multi-forest AD deployments have higher administrative and support costs. However, they offer the highest level of security isolation between AD objects and the Exchange service. As such, One Identity recommends configuring the resource forest model for use with Active Roles in organizations that:

  • Aim for an extra layer of data security.

  • Frequently experience organizational changes (for example, buying companies, or consolidating and breaking off branch companies, departments and other business units).

  • Abide by certain legal or regulatory requirements.

AD deployments following the resource forest model use two types of AD forests:

  • Account forests: These AD forests store the user objects. Organizations can use one or more account forests in the resource forest model.

  • Resource forest: This AD forest contains the Exchange server and stores the mailboxes of the user objects.

For more details on ERFM, see Exchange Resource Forest Management in the Active Roles Feature Guide.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级