
Identity Manager 9.1.1 - Administration Guide for Active Roles Integration


Active Roles specific extensions for Active Directory groups

Additional Active Directory group main data is mapped for Active Roles. For more information about managing Active Directory groups in One Identity Manager, see the One Identity Manager Administration Guide for Connecting to Active Directory.

To display Active Roles group data ascertained from Active Directory

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Change main data task.

  4. Select the Active Roles tab.

The following properties are displayed:

Table 8: Active Roles specific properties of an Active Directory group

Group is published to Self-Service Manager
    If an Active Directory group is published, the Active Directory group can be requested in the Web Portal immediately after successful synchronization. The data is loaded from Active Roles on synchronization. This information is published when an Active Directory group is added through the Web Portal in order to start other workflows in Active Roles if necessary.

Approval by the group owner
    Specifies whether the Active Directory group owner (account manager) must approve group membership. The information affects the approval workflow in the IT Shop.

Approval by an additional owner of the group
    Specifies whether the additional Active Directory group owner must approve group membership. The information affects the approval workflow in the IT Shop.

Dynamic group
    Specifies whether members in this group are determined dynamically in Active Roles. Manual changes to memberships are not permitted.

Controlled group
    Specifies whether the group is controlled by Active Roles. The group belongs to a Group Family in Active Roles. Memberships are regulated by the target system. Manual changes to memberships are not permitted.

Group Family
    Specifies whether this group represents a Group Family in Active Roles. A Group Family automatically creates groups and manages memberships in accordance with configurable rules in Active Roles. Manual changes to memberships are not permitted.

Additional owners
    List of additional owners. Active Directory groups or Active Directory user accounts are permitted.

Deprovisioning status
    Status of the deprovisioning sequence through Active Roles when an object is deleted. The data is loaded from Active Roles on synchronization.

      • No deprovisioning: The Active Directory object is active.

      • Deprovisioning successful: The Active Directory object was successfully deprovisioned.

      • Deprovisioning failed: An error occurred while deprovisioning the Active Directory object.

Deprovisioning date
    Status of the deprovisioning sequence through Active Roles when an object is deleted. The information is loaded from Active Roles during synchronization.

Deprovisioning Active Directory user account and Active Directory groups

One Identity Manager supports deprovisioning through Active Roles. Based on deprovisioning policies configured in Active Roles, an Active Directory object is modified such that it is temporarily or permanently disabled and possibly is not deleted until a certain time period has expired. For more information about Active Roles deprovisioning, see your One Identity Active Roles documentation.

NOTE: The deprovisioning policy configuration in Active Roles may conflict with the default One Identity Manager configuration. In this case, make any appropriate adjustments to templates or processes, for example.

The following procedures are implemented for deprovisioning Active Directory user accounts and Active Directory groups with One Identity Manager:

  • Deprovisioning not deletion

  • Quick deprovisioning

Deprovisioning not deletion

To implement this method

  • In the Manager, on the Active Directory domain, set the User accounts deleted by Active Roles workflows and Groups deleted by Active Roles workflows options.

If an Active Directory user account or an Active Directory group is deleted in One Identity Manager, a deprovisioning process is generated in Active Roles instead of the default deletion process. This process queues the Active Directory object for deprovisioning in Active Roles, sets a deprovisioned status, and checks the deprovisioning sequence. How the Active Directory object is processed further in One Identity Manager depends on the outcome:

  • If the Active Directory object was deleted immediately in Active Roles, the Active Directory object is also deleted in One Identity Manager.

  • If the Active Directory object in Active Roles was renamed or moved to another Active Directory container, this is done in One Identity Manager as well.

    The Active Directory object remains in the One Identity Manager database with the status deleted.

NOTE: Active Directory user accounts and Active Directory groups that have the Protected from accidental deletion option set cannot be moved or deleted.

To delete a user account

  1. In the Manager, select the Active Directory > User accounts category.

  2. Select the user account in the result list.

  3. Click in the result list.

  4. Confirm the security prompt with Yes.

To delete an Active Directory group

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Click in the result list.

  4. Confirm the security prompt with Yes.

Quick deprovisioning

You can apply this method if the Active Directory domain is not marked for deprovisioning. The Deprovision task is provided on these objects for the deprovisioning of individual Active Directory user accounts or Active Directory groups.

A deprovisioning process is generated in Active Roles. This process queues the Active Directory object for deprovisioning in Active Roles, sets a deprovisioned status, and checks the deprovisioning sequence. How the Active Directory object is processed further in One Identity Manager depends on the outcome:

  • If the Active Directory object was deleted immediately in Active Roles, the Active Directory object is also deleted in One Identity Manager.

  • If the Active Directory object in Active Roles was renamed or moved to another Active Directory container, this is done in One Identity Manager as well.

    The Active Directory object remains in the One Identity Manager database with the status changed. All the Active Directory object properties are loaded in the One Identity Manager database by the next synchronization and set to published.

NOTE: Active Directory user accounts and Active Directory groups that have the Protected from accidental deletion option set cannot be moved or deleted.

To deprovision an Active Directory user account

  1. In the Manager, select the Active Directory > User accounts category.

  2. Select the user account in the result list.

  3. Select the Deprovision task.

  4. Confirm the security prompt with Yes.

  5. Confirm with OK.

To deprovision an Active Directory group

  1. In the Manager, select the Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Deprovision task.

  4. Confirm the security prompt with Yes.

  5. Confirm with OK.
