
One Identity Active Roles

Web Interface User Guide


Copyright 2021 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property
damage, for which industry-standard safety precautions are advised. This icon is
often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if
instructions are not followed.

Active Roles Web Interface User Guide


Updated - August 2021
Version - 7.4.5
Contents

Getting Started
Configuring the Web browser
Configuring Google Chrome
Configuring Mozilla Firefox
Connecting to the Web Interface
Changing personal settings
Logging out of the Web Interface

Web Interface Basics
Administrative tasks overview
Directory Management
Search
Approval
Settings
Customization
User interface overview
Navigation bar
Browse pane
List of objects
Toolbar
Current container
Command pane
Summary pane
Notification and Feedback
Object property pages
Managing the list of objects
Sorting and filtering the list of objects
Adding or removing columns from the list of objects
Locating directory objects
Searching for directory objects
Example: Searching by object type
Filtering the contents of a container
Example: Filtering by object type
Using personal views
Creating a personal view
Changing a personal view

Performing Management Tasks
Managing your personal account
Managing Active Directory objects
Batch operations
Example 1: Enabling a user account
Example 2: Adding a user to a group
Running an automation workflow
Managing temporal group memberships
Adding temporal members
Viewing temporal members
Rescheduling temporal group memberships
Removing temporal members
Managing AD LDS data
Managing computer resources
Restoring deleted objects
Locating deleted objects
Searching the Deleted Objects container
Locating objects deleted from a certain OU or MU
Restoring a deleted object

Using Approval Workflow
Understanding approval workflow
Locating approval items
Using “My Tasks”
Pending tasks
Completed tasks
Using “My Operations”

About us
Contacting us
Technical support resources

Getting Started

Active Roles (formerly known as ActiveRoles®) offers a convenient, easy-to-use,
customizable Web Interface that enables authorized users to perform day-to-day
administrative tasks, including user management tasks such as modifying personal data or
adding users to groups. Via the Web Interface, an intranet user can connect to Active Roles
using a Web browser. A user sees only the commands, directory objects, and object
properties to which the user’s role provides administrative access.
By default, the Web Interface includes three different sites—the site for Administrators, the
site for Help Desk, and the site for self-administration. The site for Administrators supports
a rich variety of administrative tasks, while the site for Help Desk supports a simplified set
of tasks to expedite the resolution of trouble tickets. The site for self-administration is
intended for managing personal accounts.
The Web Interface also allows setting the user interface language according to your
preferences. The language setting has effect on all menus, commands, and forms that
come with the Web Interface, as well as the tool tips and help. Thus, users can work with
the Web Interface in their own language.
For users who have administrative access to Active Roles, the Web Interface delivers a
reliable, comprehensive way to modify the commands that the Web Interface provides
without writing a single line of code. Such users can add and remove commands on menus,
and modify command pages by adding and removing fields that display property values.
For information on how to customize the Web Interface, refer to
the Active Roles Web Interface Administration Guide.
The Active Roles Web Interface User Guide is for individuals who are responsible for
performing day-to-day administrative tasks. This document provides a brief overview of
the Web Interface, and includes step-by-step instructions on how to perform
administrative tasks.
The following topics describe the procedures for connecting to the Web Interface. First,
configure your Web browser to display the Web Interface pages properly. Then, connect to
the Web Interface. Finally, you may specify personal settings for the Web Interface.

• Configuring the Web browser
• Connecting to the Web Interface
• Changing personal settings
• Logging out of the Web Interface

Configuring the Web browser


There are several different Web browsers that you can use to access the Active Roles Web
Interface. No matter which browser you use, it must have JavaScript and cookies enabled.

JavaScript is a programming language for making Web pages interactive. Cookies are
small files stored on your computer that contain information about the Web Interface.
For instructions on how to enable JavaScript and cookies in your browser, see the
following topics.

• Configuring Google Chrome
• Configuring Mozilla Firefox

Configuring Google Chrome


To access the Active Roles Web Interface, Google Chrome must have JavaScript and
cookies enabled.

To enable JavaScript and cookies in Google Chrome

1. Click the Chrome menu button on the browser toolbar, and then click Settings.
2. On the Settings page, click Show advanced settings, and then click the Content
settings button in the Privacy section.
3. In the Content settings dialog box, do the following:
a. Make sure that the Allow local data to be set option is selected
under Cookies.
b. Make sure that the Allow all sites to run JavaScript option is selected
under JavaScript.
c. When finished, click Done.

Configuring Mozilla Firefox


To access the Active Roles Web Interface, Firefox must have cookies enabled. You don’t
need to worry about JavaScript as this option is normally enabled and, beginning with
Firefox 23, cannot be disabled or re-enabled by using the Options dialog box.

To enable cookies in Mozilla Firefox

1. Click Options on the Tools menu.
2. In the Options dialog box, do the following:
a. Click the Privacy button at the top of the dialog box.
b. Make sure that the Remember history option is selected in the History area.
c. When finished, click OK.

Connecting to the Web Interface
To connect to the Web Interface, you need to know the name of the Web server running the
Web Interface and the name of the Web Interface site you want to access. The default site
names are as follows:

• ARWebAdmin: Site for administrators; supports a broad range of
  administrative tasks
• ARWebHelpDesk: Site for Help Desk; supports the most common
  administrative tasks
• ARWebSelfService: Site for self-administration; enables end users to manage their
  personal accounts

To connect to the Web Interface

• In the address box of your Web browser, type the address of the Web Interface site,
  and then press Enter.

For example, to connect to the default site for administrators, you might type
http://server/ARWebAdmin where server stands for the name of the Web server
running the Web Interface.

Changing personal settings


When using the Web Interface, you can specify the following personal settings:

• User interface language: The language of the Web Interface pages. This setting
  affects all menus, commands, and forms of the Web Interface, as well as tool tips
  and help, allowing the user to view the Web Interface pages in the selected language.
• Maximum number of objects to display in search results: Determines the
  maximum number of objects displayed in single-page lists, such as lists of search
  results or lists that show contents of containers.
  Use this setting cautiously because displaying a large number of objects may
  adversely affect performance of your Web browser. Instead of displaying all objects,
  it would be advisable to use searching and filtering to find the objects you need.
• Number of items to display per page in paged lists: Determines the maximum
  number of list items displayed on a single page in multi-page lists. Affects only the
  lists, such as lists of approval tasks, that are divided into pages, causing each page
  to display no more items than specified by this setting.
  Use this setting cautiously. If you specify a small number, you will need to page
  through list items. However, specifying an unreasonably large number may result in
  poor performance of the list view.
• Number of page links to display for paged lists: Determines the maximum
  number of links to pages displayed for multi-page lists. Affects only the lists, such as
  lists of approval tasks, that are divided into pages, allowing the user to page through
  list items by clicking page numbers beneath the list. This setting specifies how many
  page numbers are to be shown and the duration of the Web Interface notification.

Active Roles saves these settings on a per-user basis in the configuration of the Web
Interface site. Once saved, the personal settings take effect regardless of which computer
is used to access the Web Interface. The user can have different personal settings for
different Web Interface sites.

To change personal settings

1. Click the Settings (gear) icon in the upper right corner of the Web Interface window.
2. Configure the settings as needed.
3. Click Save for the changes to take effect.

Logging out of the Web Interface


Logging out of the Web Interface can save Web Interface users from harmful security
breaches. Users should log out of the Web Interface when their work is completed.

To log out of the Web Interface

• Click the name of the current Web Interface user in the top right corner of the Web
  Interface window, and then click Log out.

The Log out command closes the current Web Interface session and deletes all the
session-related data from the local computer.
Not logging out may pose a security risk (for example, if the user accesses the Web
Interface from a public computer). In such a case, the Web Interface can forcibly
terminate the session due to user inactivity.
The Web Interface provides an inactivity timeout, ensuring that the session is not
terminated unexpectedly. The administrator can specify the amount of continuous idle time
that must pass in a Web Interface session before a message box pops up to prompt the
user for an action. If the user does not respond to the prompt, the session is forcibly
terminated after an additional grace period.
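
The idle-time, prompt and grace-period sequence described above, modelled as a small state machine. This is an added example, not Active Roles code; the class, method and state names and the sample durations are assumptions.

```javascript
// Added illustration, not Active Roles code. The class, method and state
// names and the sample durations are assumptions made for this sketch.
const State = Object.freeze({
  ACTIVE: 'active',         // session in use
  PROMPTING: 'prompting',   // idle limit reached, message box is showing
  TERMINATED: 'terminated', // session closed, cannot be revived
});

class IdleSessionMonitor {
  // idleMs: continuous idle time before the prompt appears.
  // graceMs: additional time the user has to answer the prompt.
  constructor({ idleMs, graceMs, startedAt = 0 }) {
    if (!(idleMs > 0) || !(graceMs >= 0)) {
      throw new RangeError('idleMs must be > 0 and graceMs must be >= 0');
    }
    this.idleMs = idleMs;
    this.graceMs = graceMs;
    this.lastActivity = startedAt;
    this.state = State.ACTIVE;
    this.history = [{ at: startedAt, state: State.ACTIVE }];
  }

  // Re-evaluate the session at time `now` (milliseconds).
  // Deadlines are computed from the last activity timestamp, not by counting
  // ticks, so a late check (sleeping laptop, throttled tab) cannot stretch
  // the session: if idle time plus grace has passed, it ends immediately.
  tick(now) {
    if (this.state === State.TERMINATED) return this.state;
    const idleFor = now - this.lastActivity;
    if (idleFor >= this.idleMs + this.graceMs) {
      this._enter(State.TERMINATED, now);
    } else if (idleFor >= this.idleMs && this.state === State.ACTIVE) {
      this._enter(State.PROMPTING, now);
    }
    return this.state;
  }

  // Ordinary use of the session (a click, a page request).
  // Returns true if it reset the idle clock.
  // Assumption: once the prompt is showing, only answering it counts.
  activity(now) {
    if (this.tick(now) !== State.ACTIVE) return false;
    this.lastActivity = now;
    return true;
  }

  // The user answers the prompt and chooses to continue.
  // Returns true only if a prompt was open and the grace period had not run out.
  respond(now) {
    if (this.tick(now) !== State.PROMPTING) return false;
    this.lastActivity = now;
    this._enter(State.ACTIVE, now);
    return true;
  }

  _enter(state, at) {
    this.state = state;
    this.history.push({ at, state });
  }
}

// Constructed timeline: 10-minute idle limit, 1-minute grace period.
function sampleTimeline() {
  const MIN = 60 * 1000;
  const s = new IdleSessionMonitor({ idleMs: 10 * MIN, graceMs: 1 * MIN });
  s.activity(2 * MIN);    // user works; idle clock restarts at 2:00
  s.tick(12 * MIN);       // 10 min idle: prompt appears
  s.respond(12.5 * MIN);  // answered within the grace period: session continues
  s.tick(22.5 * MIN);     // idle again: second prompt
  s.tick(23.5 * MIN);     // no answer within the grace period: terminated
  return s.history.map((e) => e.state);
}
```
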

Web Interface Basics

• Administrative tasks overview
• User interface overview
• Managing the list of objects
• Locating directory objects
• Using personal views

Administrative tasks overview


The Web Interface home page displays categories of administrative tasks supported by the
Web Interface. The same categories are displayed along the vertical strip on the left side of
the Web Interface window, referred to as the Navigation bar. Click icons on the Navigation bar
to perform the following tasks:

• Directory Management: Browse for, and manage, directory objects, such as users
  and groups. You can navigate through containers in the directory; view, filter and
  select objects held in the container; and apply commands to the selected object
  or container.
• Search: Search for, and manage, directory objects. You can select containers in the
  directory, and specify search criteria. The Web Interface searches in the selected
  containers and all of their subcontainers, and lists the objects that match your search
  criteria, allowing you to apply commands to objects in the list.
• Approval: Perform the tasks related to approval of administrative operations.
  The scope of your responsibilities depends upon your role in the approval
  workflow processes.
• Settings: Set up your personal settings that control the display of the Web
  Interface pages.
• Customization: Add, remove, or modify user interface elements, such as menu items
  (commands) and pages (forms), intended to manage directory objects. This task
  requires the rights of Active Roles Admin.

NOTE:

• For more information on extending the Active Roles provisioning and account
  administration capabilities to your cloud applications, click the supported
  connectors in the What's New section from the Active Roles 7.4 drop-down list.
• On the title bar of the Active Roles Web Interface, click Feedback to provide
  product feedback. You are redirected to a new browser that allows you to provide
  the feedback.
  • For Admin site, by default, the feedback option is available.
  • For HelpDesk site, navigate to Customization | Global Settings and check the
    Enable user feedback link check-box to enable the feedback option.
  • The feedback option is not available for SelfService site.

Directory Management
Directory Management allows you to browse for, and administer, directory objects in
your organization. Your Active Roles permissions determine which tasks you can perform.
Directory Management provides the following views:

• Active Directory: Lists Active Directory domains managed by Active Roles,
  allowing you to navigate through containers in those domains. You can view, filter
  and select objects held in the container, and apply commands to the selected object
  or container.
• Managed Units: Lists Managed Units defined in Active Roles, allowing you to view
  objects, and navigate through containers, held in Managed Units. You can filter and
  select objects, and apply commands to the selected object or container.

For information on how to administer Active Directory objects, see Managing Active
Directory objects later in this document.

Search
Search provides a flexible, query-based mechanism that helps locate directory objects
quickly and without browsing through the directory tree. You can select containers in the
directory, and build a query by specifying search criteria. The Web Interface searches in
the selected containers and all of their subcontainers, and lists the objects that match your
search criteria. When the objects you target are returned as the results of a search query,
you can then perform the necessary administrative tasks.
You can also save the queries that you build and use them again at a later time. The Web
Interface saves queries as your personal views, with each view consisting of the containers
and search criteria that you select, as well as the customized sorting and column
information that you specify.
For instructions on how to perform a search, see Searching for directory objects later in
this document.

Approval
Approval provides you with the tools for performing tasks related to approval workflow.
You can use these tools to complete approval tasks assigned to you as an Approver, and to
monitor the status of the operations that you initiated, if those require approval.
For details on how to perform approval tasks, see Using Approval Workflow later in
this document.

Settings
By using Settings, you can specify:

• The language of the Web Interface pages
• The maximum number of objects displayed in single-page lists
• The maximum number of list items displayed on a single page in multi-page lists
• The maximum number of links to pages displayed for multi-page lists
• Maximum time in minutes, for which the notification is to be visible
• Maximum number of notifications to be stored in Active Roles

The settings are saved on a per-user basis in the configuration of the Web Interface site.
For more information, see Changing personal settings earlier in this document.

Customization
Customization allows you to tailor the Web Interface to suit the specific needs of your
organization. The Customization item is only displayed if you are logged on as Active
Roles Admin. The Active Roles Admin account is specified upon configuration of the Active
Roles Administration Service.
Customization includes the following tasks:

• Directory Objects: Modify menus, commands, and forms for administering
  directory objects. View or change global settings, such as the logo image and
  color scheme.
• Restore Default: Restore the original (default) menus, commands, and forms,
  discarding all previous customizations.
• Reload: Put into effect the menus, commands, and forms that you have customized.

The customization settings determine the configuration of the Web Interface site for
all users.
For more information and instructions on how to customize the Web Interface, see
“Customizing the Web Interface” in the Active Roles Web Interface Administration Guide.

User interface overview
This section describes the user interface elements that are common across the Web
Interface.

Navigation bar
Located on the left side of the page, the Navigation bar provides the first level of navigation
for most of the tasks you can perform in the Web Interface. The Navigation bar is
organized by Web Interface areas, and includes the following items:

• Home: Go to the Web Interface home page.
• Directory Management: Browse for, and administer, directory objects in your
  organization.
• Search: Search for, and administer, directory objects in your organization.
• Customization: Customize Web Interface pages. Available to Active Roles
  Admin only.
• Approval: Perform the tasks relating to approval of administrative operations.
• Settings: View or change your personal settings that control the display of the
  Web Interface.
• Help: Find Help topics and other helpful resources for the Web Interface.

For more information about functions of the Navigation Bar, see Administrative tasks
overview earlier in this document.

Browse pane
Located next to the Navigation bar, the Browse pane lists the built-in views and personal
views, and allows you to access the tree view:

• Built-in views provide entry points to browsing for objects in the directory. Personal
  views are filter or search queries you build and save to use them again at a later
  time. To see built-in views and personal views, click the Views tab at the top of the
  Browse Pane.
• The tree view helps you browse for directory objects by using the directory tree to
  navigate through the hierarchical structure of containers. To see the tree view, click
  the Tree tab at the top of the Browse Pane.

List of objects
When you select a container or view in the Browse pane, you’ll see a list of objects. If you
select a container, the list includes the objects held in that container. If you select a view,
the list includes the objects that match the view settings. It is also possible to customize
the list by sorting and filtering, and by adding or removing list columns.
You can select objects from the list and apply commands to the selected object or objects.
When you click the name of a container object, such as a domain or an organizational unit,
the list changes to display the objects held in that container, thereby enabling you to
browse through containers in the directory.

Toolbar
The Toolbar contains a number of controls allowing you to manage the current list
of objects:

• Click the Menu button on the left side of the Toolbar to save the current list as a
  personal view, add or remove list columns, or export the list to a text file.
• Type in the Filter field and then click the button next to that field to have the list
  include only those objects whose naming properties match what you typed.
• Click the Expand/Collapse button on the right side of the Toolbar to configure filtering
  criteria based on object properties. To have the list include only the objects that
  match your filtering criteria, click the button next to the Filter field.

Current container
The area above the Toolbar displays the name of the current container—the container that
holds the objects shown in the list, and identifies the hierarchical path to the current
container in the directory. Click the name of a container in the path to view a list of objects
held in that container.

Command pane
Located to the right of the list of objects, the Command pane provides commands you
can apply to objects you select from the list as well as commands you can apply to the
current container:

• If no objects are selected in the list, the menu includes only the commands that apply
  to the current container. These commands are grouped under a heading that shows
  the name of the current container.
• If a single object is selected in the list, the commands that apply to the selected
  object are added at the top of the menu, under a heading that shows the name of the
  selected object.
• If multiple objects are selected from the list, the commands that apply to all of the
  selected objects are added at the top of the menu, under a heading that shows the
  number of the selected objects.

Summary pane
When you select an object from the list, information about that object is displayed in the
Summary pane under the list of objects. The information includes some commonly used
properties of the object, and depends upon the object type. For example, user properties
provide more detailed information about a user account, such as the logon name, e-mail
address, description, job title, department, expiration date, and the date and time that the
account was last changed. If you don’t see the Summary pane, click in the area beneath
the list of objects.

Notification and Feedback


In the upper right corner, you can view the Feedback option, Active Roles drop-down
menu, and a Notification icon.

• Feedback option: Allows you to provide product feedback.
• Active Roles drop-down menu: Allows you to know more about the new features in
  the current version, access online-help, and configure settings.
• Notification icon: Allows you to view the notifications.

Object property pages


Property pages are used in the Web Interface to modify directory objects. The following
figure gives an example of the property page that appears when you select a user account
from the list of objects and click General Properties in the Command pane.

Figure 1: Object Property page

The property page consists of several tabs. Each tab provides a number of data entries
allowing you to view or change certain properties of the directory object. Click a tab to
access the data entries on that tab. To apply the changes you have made in the data
entries, click the Save button.
Active Roles Admin can use the Customize link in the upper right corner of the page to add
or remove data entries or entire tabs from the property page. The Customize link is not
displayed unless you are logged on as a member of the Active Roles Admin account, which
is specified in the configuration settings of the Active Roles Administration Service.

Managing the list of objects
The list of objects in the Web Interface has a number of features that help you locate the
objects you target. Thus, you can sort objects in a list and apply a filter to a list. You can
also add or remove list columns.

Sorting and filtering the list of objects


The Web Interface allows you to set a sort order and apply a filter in the list of objects.

To sort the list of objects by name

• Click the Name column heading once or twice to sort the list by object name
  in ascending or descending order. An arrow in the column heading indicates
  the sort order.

You can also sort the list by other columns. Click a column heading to change the sort
order. For instructions on how to add or remove columns, see Adding or removing columns
from the list of objects later in this document.

To filter the list of objects

• To filter the list by naming properties, type in the Filter field on the Toolbar and then
  press Enter or click the button next to the Filter field. As a result, the list includes
  only the objects whose naming properties match what you typed. The naming
  properties include name, first name, last name, display name, and logon name.
• To filter the list by other properties, click the button on the right side of the Toolbar
  to expand the Toolbar, click Add criteria, choose the properties by which you want
  to filter, click Add, and then configure the criteria as appropriate. When finished,
  press Enter or click the button next to the Filter field on the Toolbar. As a result, the
  list includes only the objects that match the criteria you configured.

After you have applied a filter, the list includes only the objects that match the filter. For
example, you can type a few characters in the Filter field on the Toolbar and then press
Enter to view only the objects whose name starts with the characters you typed.

To remove the filter and restore the original list of objects

• If you did not add criteria, clear the Filter field on the Toolbar and then press Enter;
  otherwise, expand the Toolbar, click Clear all, and then press Enter.

Adding or removing columns from the list of objects
You can customize the list of objects by adding or removing list columns. Each column
is intended to display a certain property of objects in the list, and can be used to set
a sort order.

To add or remove list columns

1. Click the Menu button on the left side of the Toolbar, and then click Choose
columns.
2. To add a column for a certain property, click the name of the property in the Hidden
columns list and then click the right arrow button to move the property to the
Displayed columns list.
3. To remove a column for a certain property, click the name of the property in the
Displayed columns list and then click the left arrow button to move the property to
the Hidden columns list.

You can reorder list columns by moving list items up and down in the Displayed columns
list: Click the name of the property in the list and then click the up arrow button or the
down arrow button next to the list.

Locating directory objects


The Web Interface provides search and filtering tools to help you locate directory objects
quickly and easily. By creating and applying an appropriate search or filter query, you can
build shorter lists of objects, which makes it easier to select the objects needed to
accomplish your administrative tasks.
You can also save search and filter queries as your personal views, and use them again at a
later time. Each view saves the following settings that you specify: the container to search
or filter; the search or filtering criteria; the set of columns and the sort order in the list of
search or filtering results.

Searching for directory objects


To search for directory objects, you can use the Search page that allows you to select the
container to search and specify criteria for the objects you want to find. The Web Interface
searches in the container you select and in all of its subcontainers.
The Web Interface opens the Search page when you do any of the following:

• Type in the Search field located in the upper right corner of the Web Interface
  window, and then press Enter or click the magnifying glass icon in the Search field.
  In this case, the Web Interface searches all managed Active Directory domains for
  objects whose naming properties match what you typed and the Search page lists
  the search results. The naming properties include name, first name, last name,
  display name, and logon name.
• Click Search on the Navigation bar. The Search page opens, allowing you to
  configure and start a search.

To configure and start a search

1. Click the Search in box on the Toolbar, and then select the container that you want
to search. You can select more than one container.
The Web Interface will search in the selected container and all of its subcontainers.
2. Specify criteria for the objects that you want to find:
   • To search by naming properties, type in the Search field on the Toolbar. The
     Web Interface will search for objects whose naming properties match what you
     typed. The naming properties include name, first name, last name, display
     name, and logon name.
   • To search by other properties, click the button on the right side of the Toolbar
     to expand the Toolbar, click Add criteria, choose the properties by which you
     want to search, click Add, and then configure the criteria as appropriate. The
     Web Interface will search for objects that match the criteria that you
     configured.
3. Press Enter to start the search.

The search results are listed on the Search page. You can customize the list by adding or
removing list columns and sorting the list by column data. To add or remove list columns,
click the Menu button on the left side of the Toolbar and then click Choose columns (see
also Adding or removing columns from the list of objects earlier in this document). To sort
the list by column data, click column headings.

Example: Searching by object type


The following steps demonstrate how you can use the search function to list all groups that
exist in the Active Directory domains managed by Active Roles:

1. Click Search on the Navigation bar.


2. Click the button on the right side of the Toolbar to expand the Toolbar, click Add
criteria, select the check box next to Object type is
User/InetOrgPerson/Computer/Group/Organizational Unit, and then click
the Add button.
3. On the Toolbar, click Group in the list next to The object type is, and then
press Enter.

Filtering the contents of a container
If a container, such as an organizational unit in your Active Directory, holds a large number
of objects, you can narrow down the displayed list of objects by filtering the objects held in
that specific container.

To filter the objects held in a container

1. Navigate to the container in the Web Interface.


To navigate to a container, you can search for the container object (see Searching for
directory objects) and then click its name in the list of search results on the Search
page. Alternatively, you can browse for the container objects by using the Browse
pane and the List of objects.

IMPORTANT: The scope of filtering is always set to the current container, and
does not include any subcontainers of that container. Filtering is essentially a
search for objects held in a given container only. If you want to search the
current container and all of its subcontainers, click Search under this
container in the Command pane, and then configure and perform a search as
described in Searching for directory objects earlier in this document.

2. Specify how you want to filter the objects held in the container:
   • To filter objects by naming properties, type in the Filter field on the Toolbar
     and then press Enter or click the button next to the Filter field. The list of
     objects will include only the objects whose naming properties match what you
     typed. The naming properties include name, first name, last name, display
     name, and logon name.
   • To filter objects by other properties, click the button on the right side of the
     Toolbar to expand the Toolbar, click Add criteria, choose the properties by
     which you want to filter, click Add, and then configure the criteria as
     appropriate. The list of objects will include only the objects that match the
     criteria you configured.
3. To apply the filter, press Enter or click the button next to the Filter field on
the Toolbar.

When a filter is applied to a container, the Web Interface lists a subset of all objects held in
that container. You can remove the filter to view all objects: If you did not add criteria,
clear the Filter field on the Toolbar and then press Enter; otherwise, expand the Toolbar,
click Clear all, and then press Enter.

Example: Filtering by object type


The following steps demonstrate how you can configure a filter that lists only user accounts
held in a particular organizational unit, removing objects of any other type from the list:

1. Navigate to the organizational unit in the Web Interface.
2. Click the button on the right side of the Toolbar to expand the Toolbar, click Add
criteria, select the check box next to Object type is
User/InetOrgPerson/Computer/Group/Organizational Unit, and then click
the Add button.
3. On the Toolbar, confirm that the field next to The object type is reads User and
then click the button next to the Filter field, or press Enter.
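The difference in scope between Search (selected containers and all subcontainers) and Filter (current container only) is easy to overlook when reviewing who or what exists under an organizational unit. The following Python model is an added illustration, not Active Roles code: the directory tree, object names and the `DirObject`, `search` and `filter_container` helpers are constructed for this example, and prefix matching on naming properties is an assumption, since the guide only says the properties "match what you typed".

```python
from dataclasses import dataclass, field
from typing import List

# The five naming properties the guide lists for the Search and Filter fields.
NAMING_PROPERTIES = ("name", "first_name", "last_name", "display_name", "logon_name")


@dataclass
class DirObject:
    name: str
    object_type: str            # "User", "Group", "Organizational Unit", ...
    first_name: str = ""
    last_name: str = ""
    display_name: str = ""
    logon_name: str = ""
    children: List["DirObject"] = field(default_factory=list)  # containers only


def matches(obj, text="", object_type=None):
    """Apply an object-type criterion and/or naming-property text to one object."""
    if object_type is not None and obj.object_type != object_type:
        return False
    if not text:
        return True
    needle = text.lower()
    # Assumption: case-insensitive prefix match on any naming property.
    return any(getattr(obj, prop).lower().startswith(needle)
               for prop in NAMING_PROPERTIES)


def filter_container(container, text="", object_type=None):
    """Filter: scope is the current container only, never its subcontainers."""
    return sorted(o.name for o in container.children
                  if matches(o, text, object_type))


def search(containers, text="", object_type=None):
    """Search: every selected container plus all of its subcontainers."""
    found, seen = [], set()
    stack = list(containers)
    while stack:
        node = stack.pop()
        for child in node.children:
            if id(child) in seen:       # selected containers may overlap
                continue
            seen.add(id(child))
            if matches(child, text, object_type):
                found.append(child.name)
            if child.children:
                stack.append(child)
    return sorted(found)


# Constructed sample directory (not taken from the guide).
CONTRACTORS = DirObject("Contractors", "Organizational Unit", children=[
    DirObject("Carl Cole", "User", "Carl", "Cole", "Carl Cole", "ccole"),
    DirObject("Contractors-VPN", "Group"),
])
SALES = DirObject("Sales", "Organizational Unit", children=[
    DirObject("Alice Adams", "User", "Alice", "Adams", "Alice Adams", "aadams"),
    DirObject("Sales-Team", "Group"),
    CONTRACTORS,
])
DOMAIN = DirObject("example.test", "Domain", children=[
    SALES,
    DirObject("Domain Admins", "Group"),
])

if __name__ == "__main__":
    # Filtering the Sales OU by type User misses the account in the nested OU.
    print("filter:", filter_container(SALES, object_type="User"))
    print("search:", search([SALES], object_type="User"))
    # Counterpart of "Example: Searching by object type": all groups in the domain.
    print("groups:", search([DOMAIN], object_type="Group"))
```

A filtered view of an organizational unit therefore undercounts whenever accounts live in nested containers; use Search under this container when the task needs the full subtree.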

Using personal views


In the Web Interface, you can use search or filter queries to locate directory objects. To
create a query, you specify a set of rules that determine the contents of the resulting list of
objects. You can, for instance, specify that only user accounts held in a particular
organizational unit should be listed. In addition, you can adjust the set of columns and the
sort order in the list of search or filtering results.
The ability to locate the objects you target is crucial as you need to focus your attention on
only those objects that apply to the task you are performing. However, creating a search or
filter query that displays the objects you are interested in for a particular task can be time-
consuming. Personal views provide a way for you to save that work. Once you have
created a query that displays just the objects you need, you can provide the query with a
name and save it to use later. That saved query is a personal view. Each view saves the
following settings that you specify: the container to search or filter; the search or filtering
criteria; the set of columns and the sort order in the list of search or filtering results.

Creating a personal view


Personal views are like search or filter queries that you have named and saved. After
creating a personal view, you will be able to reuse it without re-creating its underlying
search or filter query. To reuse a personal view, click the name of that view on the Views
tab in the Browse pane. The Web Interface applies the search or filter query saved in the
view, and displays the results in the list with the same set of columns and sort order as
when you created the view.

To create a personal view

1. Do one of the following:


   • Configure and perform a search. For instructions, see Searching for
     directory objects.
   • Create a filtered list of objects. For instructions, see Filtering the contents of
     a container.
2. Click the Menu button on the left side of the Toolbar, and then click Save
current view.

3. In the dialog box that appears, type a name for the personal view, and then
click Save.

Changing a personal view


The personal views that you created are listed on the Views tab in the Browse pane. When
you select a view in the Browse pane, the Web Interface applies the search or filter query
saved in the view, and displays the results in the list with the same set of columns and sort
order as when you created the view. At this point, you can make changes to the search or
filter criteria, set of columns and sort order, and then save the changed settings to the
selected personal view or create a new personal view based on the changed settings.

To save the changed settings to the selected personal view

1. Select a personal view in the Browse pane.


2. Make changes to the search or filter criteria, list columns or sort order.
3. Click the Menu button on the left side of the Toolbar, and then click Save
current view.
4. In the dialog box that appears, don’t change the name of the view. Click Save.

To create a new personal view based on the changed settings

1. Select a personal view in the Browse pane.


2. Make changes to the search or filter criteria, list columns or sort order.
3. Click the Menu button on the left side of the Toolbar, and then click Save
current view.
4. In the dialog box that appears, type a name for the new personal view and
then click Save.

You can also rename or delete personal views.

To rename a personal view

• On the Views tab in the Browse pane, click the Edit button next to the name of the
  view, type a new name, and then press Enter or click the Edit button once more.

To delete a personal view

• On the Views tab in the Browse pane, click the Delete button next to the name
  of the view.

Performing Management Tasks

• Managing your personal account
• Managing Active Directory objects
• Running an automation workflow
• Managing temporal group memberships
• Managing AD LDS data
• Managing computer resources
• Restoring deleted objects

Managing your personal account


The User Profile Editor section in the Web Interface site for self-administration gives
you a convenient way to display and update your own identity information, such as your
telephone numbers or mail address in your user account. The contents of the pages in the
User Profile Editor section can be customized by the Active Roles administrator, who can
add new elements to the pages, modify or remove existing elements, and regroup related
elements on different tabbed pages.

To view or modify your user account

1. In your Web browser, go to the address (URL) of the Web Interface site for self-
administration.
By default, the address is http://<server>/ARWebSelfService where <server>
stands for the name of the server running the Web Interface.

2. On the Web Interface Home page, click User Profile Editor.


3. Use the page provided by the Web Interface to view or modify your user account.
4. Click the Save button to apply your changes.

It’s up to the Active Roles administrator to determine what information you are authorized
to view or modify on the User Profile Editor page. Some fields on the page might not be
editable. The fields that you are not permitted to modify appear on the page as read-only
text. The properties that you are not permitted to view are not displayed on the User
Profile Editor page.

Managing Active Directory objects
The Directory Management section of the Web Interface allows you to browse for, and
administer, directory objects in your organization. You can navigate through containers in
the directory; view, filter and select objects held in the container; and apply commands to
the selected object or container.
Whether you can perform a certain management task depends upon permissions granted to
your user account, and the Web Interface customization settings.
A general procedure for performing a Directory Management task is as follows.

To perform a management task

1. On the Navigation bar, click Directory Management.


2. On the Views tab in the Browse pane, click one of the following:
   • To manage objects in Active Directory containers, such as domains or
     organizational units, click Active Directory. This displays a list of Active
     Directory domains.
   • To manage directory objects in a certain Managed Unit, click Managed Units.
     This displays a list of Managed Units.
3. In the list of objects, do one of the following:
   • To navigate to a container, such as an organizational unit, click the name of
     that container.
   • To perform a command that applies to the current container, click that
     command in the Command pane under the name of the current container.
   • To perform a command on a particular object held in the current container,
     select the check box next to the name of that object, and then click the
     command in the top area of the Command pane, under the name of the object.
   • To perform a command on two or more objects at a time, select the check box
     next to the name of each object, and then click the command in the top area of
     the Command pane.
NOTE: In the list of objects, clicking the name of a leaf object, such as a user or
group, displays a page where you can view or modify object properties; clicking a
container object, such as a domain or an organizational unit, displays a list of
objects held in that container.

When you perform a management task, the Web Interface supplements and restricts your
input based on policies and permissions defined in Active Roles. The Web Interface displays
the data generated by policies, and prevents the input of data that would cause policy
violations. The following rules apply:

• If a policy requires that a value be specified for a particular property, the name of
  the field for that property is marked with an asterisk (*).

• If a policy imposes any restrictions on a property, an information icon is displayed
  next to the name of the field for that property. Click the icon to view policy
  information, which you can use to enter an acceptable value.
• When you specify a property value that violates a policy, and click Save, the
  Web Interface displays an error message. Review the error message and
  correct your input.
• Pages for object creation must include the entries for all required properties.
  Otherwise, the Web Interface fails to create the object. For information on how to
  configure forms, see “Configuring forms” in the Active Roles Web Interface
  Administration Guide.
• Object property pages display the values of the properties for which you have the
  Read permission. You can modify only those properties for which you have the Write
  permission. The properties for which you only have the Read permission are
  displayed as read-only.
• The Command pane includes only the commands that you are permitted to use.
• The list of objects includes only the objects that you are permitted to view.

Batch operations
In the Web Interface, you can select multiple objects (such as users, groups and
computers), and then apply a certain command to your selection of objects. This allows
you to perform a batch operation on all the selected objects at a time instead of executing
the command on each object separately. The Web Interface supports the following batch
operations:

• Delete: Allows you to delete multiple objects at a time.
• Deprovision: Allows you to deprovision multiple users or groups at a time.
• Move: Allows you to move a batch of objects to a different organizational unit
  or container.
• Add to groups: Allows you to add a batch of objects to one or more groups of
  your choice.
• Update object attributes: Allows you to perform bulk attribute operations on
  multiple users at a time.
• Reset Password: Allows you to reset the password for multiple users at a time.

Batch operations are available in the list of objects on the following Web Interface pages:

• Search: This page lists the search results when you perform a search.
• View Contents: This page displays the objects held in a given organizational unit,
  Managed Unit, or container.

To perform a batch operation, select the check box next to the name of each of the desired
objects in the list, and then click a command in the top area of the Command pane. This
executes the command on each object within your selection.

NOTE: Active Roles administrators can customize the Web Interface by adding and removing
commands, and modifying pages associated with commands. For more information, see
“Customizing the Web Interface” in the Active Roles Web Interface Administration Guide.

Example 1: Enabling a user account


This topic demonstrates how to enable a disabled user account by using the Web Interface.

To enable a disabled user account

1. Locate the user account you want to enable. For instructions on how to locate objects
in the Web Interface, see Locating directory objects earlier in this document.
2. In the list of objects, select the user account you want to enable.
3. In the Command pane, click Enable Account.

NOTE: If the user account is not disabled, the Command pane includes the Disable
Account command instead of the Enable Account command.

Example 2: Adding a user to a group


This topic demonstrates how to add a user account to a group by using the Web Interface.

To add a user account to a group

1. In the Web Interface, locate and select the user account. For instructions on how
to locate objects in the Web Interface, see Locating directory objects earlier in
this document.
2. In the Command pane, click Member Of.
3. On the Member Of page that appears, click Add.
4. On the Select Object page that appears, perform a search to locate the group. For
instructions on how to configure and start a search, see Searching for directory
objects earlier in this document.
5. In the list of search results on the Select Object page, select the group to which you
want to add the selected user account, and then click Add.

Running an automation workflow


Workflow refers to a sequence of actions that leads to the completion of a certain task.
Active Roles allows administrators to configure various workflows that can be started on a
scheduled basis or on user demand. This workflow type is called automation workflow. For
more information, see “Automation workflow” in the Active Roles Administration Guide.

If an automation workflow is configured so that running it on demand is allowed, then such
a workflow can be run from the Web Interface.

To run an automation workflow from the Web Interface

1. On the Navigation bar, click Directory Management.


2. On the Tree tab in the Browse pane, expand the Workflow branch and click the
container that holds the desired workflow.
3. In the list of objects, select the desired workflow.
4. In the Command pane, click Run.
5. If prompted, review or change the values of the workflow parameters.
6. Click OK in the confirmation message box.

The Web Interface prompts you for parameter values if the workflow has any parameters
that need to be supplied by the user running the workflow on demand. If the workflow has
no parameters that require user input, then the Web Interface starts the workflow without
prompting you for parameter values.
Once you have started an automation workflow, the Web Interface opens a run history
report allowing you to examine the progress of workflow execution. The report displays the
workflow execution status along with information about the activities performed during
the workflow run. For a workflow that is in progress, you have the option to cancel execution
of the workflow by clicking the Terminate button.
After the workflow is completed, the report retains history information about the workflow
run. For each completed run of the workflow, the report allows you to identify when and by
whom the workflow was started, when the workflow was completed, and what parameter
values were used.
The report also lists the workflow activities that were executed during the workflow run.
For each activity, you can determine whether the activity was completed successfully or
returned an error. In case of error, the report provides an error description. For activities
requesting changes to directory data (for example, activities that create new objects or
modify existing objects), you can examine the requested changes in detail by clicking the
Operation ID number in the run history report.

To view run history of an automation workflow in the Web Interface

1. On the Navigation bar, click Directory Management.


2. On the Tree tab in the Browse pane, expand the Workflow branch and click the
container that holds the desired workflow.
3. In the list of objects, select the desired workflow.

4. In the Command pane, click Run History.

Managing temporal group memberships
By using temporal group memberships, you can manage group memberships of objects
such as user or computer accounts that need to be members of particular groups for only a
certain time period. This feature gives you flexibility in deciding and tracking what objects
need group memberships and for how long.
This section guides you through the tasks of managing temporal group memberships in the
Web Interface. If you are authorized to view and modify group membership lists, then you
can add, view and remove temporal group members as well as view and modify temporal
membership settings on group members.

Adding temporal members


A temporal member of a group is an object, such as a user, computer or group, scheduled
to be added to or removed from the group. You can add and configure temporal members
using the Web Interface.

To add temporal members of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. On the Members page, click Add.
3. In the Select Object dialog box, find and select the objects that you want to make
temporal members of the group, and then click Temporary Access.
4. In the Temporal Membership Settings dialog box, choose the appropriate
options, and then click OK:
   • To have the temporal members added to the group on a certain date in the
     future, select On this date under Add to the group, and choose the date and
     time you want.
   • To have the temporal members added to the group at once, select Now under
     Add to the group.
   • To have the temporal members removed from the group on a certain date,
     select On this date under Remove from the group, and choose the date
     and time you want.
   • To retain the temporal members in the group for an indefinite time, select Never
     under Remove from the group.
NOTE: You can make an object a temporal member of particular groups by
managing the object rather than the groups. Select the object, and then choose the
Member Of command. On the Member Of page, click Add. In the Select Object
dialog box, find and select the groups, and specify the temporal membership
settings as appropriate for your situation.

Viewing temporal members
In the list of group members displayed by the Web Interface, you can distinguish between
regular and temporal group members. It is also possible to hide or display so-called
pending members, the temporal members that are scheduled to be added to the group in
the future but are not actual members of the group so far.

To view temporal members of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. Review the list on the Members page:
   • An icon of a small clock overlays the icon for the temporal members.
   • If the Show pending members check box is selected, the list also includes
     the temporal members that are not yet added to the group.

The list of group memberships for a particular object makes it possible to distinguish
between the groups in which the object is a regular member and the groups in which the
object is a temporal member. It is also possible to hide or display so-called pending group
memberships, the groups to which the object is scheduled to be added in the future.

To view groups in which an object is a temporal member

1. In the Web Interface, select the object, and then choose the Member Of command.
2. Review the list on the Member Of page:
   • An icon of a small clock overlays the icon for the groups in which the object is a
     temporal member.
   • If the Show pending group memberships check box is selected, the
     list also includes the groups to which the object is scheduled to be added
     in the future.

Rescheduling temporal group memberships


The temporal membership settings on a group member include the start time and end
time settings.
The start time setting specifies when the object is to be actually added to the group. This
can be a specific date and time or an indication that the object should be added to the group
right away.
The end time setting specifies when the object is to be removed from the group. This
can be a specific date and time or an indication that the object should not be removed
from the group.
You can view or modify both the start time and end time settings using the Web Interface.

To view or modify the start or end time setting for a member of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. In the list on the Members page, select the member and then click the Temporary
Access button.
3. Use the Temporal Membership Settings dialog box to view or modify the start or
end time settings.

The Temporal Membership Settings dialog box provides the following options:

• Add to the group | Now: Indicates that the object should be added to the
  group at once.
• Add to the group | On this date: Indicates the date and time when the object
  should be added to the group.
• Remove from the group | Never: Indicates that the object should not be removed
  from the group.
• Remove from the group | On this date: Indicates the date and time when the
  object should be removed from the group.

Regular members have the Add to group and Remove from group options set to
Already added and Never, respectively. You can set a particular date for any of these
options in order to convert a regular member to a temporal member.
NOTE:

• You can view or modify the start time and end time settings by managing an object
  rather than the groups in which that object has memberships. Select the object,
  and then choose the Member Of command. On the Member Of page, select the
  group for which you want to manage the object’s start or end time setting and click
  Temporary Access.
• On the Members or Member Of page, you can change the start or end time
  setting for multiple members or groups at a time. On the page, select multiple list
  items, click Temporary Access, and then, in the Temporal Membership
  Settings dialog box, make the changes you want.
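The start and end time settings described above determine who is an actual member at any given moment, which matters when an access review has to account for pending members that the Members page hides by default. The following Python model is an added illustration, not Active Roles code: the `Membership` class, the helper functions and the sample records are constructed for this example, `None` stands in for the Now / Already added and Never options, and rejecting an end time that is not later than the start time is this model's own choice.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Membership:
    member: str
    start: Optional[datetime] = None   # None = "Now" / "Already added"
    end: Optional[datetime] = None     # None = "Never"

    def __post_init__(self):
        # Model choice: the guide does not say how the product treats this case.
        if self.start and self.end and self.end <= self.start:
            raise ValueError("end time must be later than start time")

    @property
    def is_temporal(self):
        # A regular member has neither date; setting either one makes it temporal.
        return self.start is not None or self.end is not None


def state(m, now):
    """Return 'pending', 'member' or 'removed' for one record at time `now`."""
    if m.end is not None and now >= m.end:
        return "removed"
    if m.start is not None and now < m.start:
        return "pending"
    return "member"


def members_page(records, now, show_pending=False):
    """Rows a Members-style list would show: (name, state, has clock overlay)."""
    rows = []
    for m in records:
        s = state(m, now)
        if s == "member" or (s == "pending" and show_pending):
            rows.append((m.member, s, m.is_temporal))
    return rows


def members_at(records, when):
    """Names that are actual members at `when`; use a future time to look ahead."""
    return sorted(m.member for m in records if state(m, when) == "member")


# Constructed sample data (not taken from the guide).
NOW = datetime(2024, 3, 10, 9, 0)
RECORDS = [
    Membership("alice"),                                           # regular
    Membership("bob", datetime(2024, 3, 15), datetime(2024, 4, 15)),  # pending
    Membership("carol", end=datetime(2024, 3, 20)),                # added now, expires
    Membership("dave", datetime(2024, 2, 1), datetime(2024, 3, 1)),   # already removed
]

if __name__ == "__main__":
    print(members_page(RECORDS, NOW))
    print(members_page(RECORDS, NOW, show_pending=True))
    print(members_at(RECORDS, datetime(2024, 3, 25)))
```

Comparing `members_page` with and without `show_pending` shows why a review of a sensitive group should select the Show pending members check box: the default list says nothing about accounts that will gain membership later.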

Removing temporal members


You can remove temporal group members in the same way as regular group members.
Removing a temporal member of a group deletes the temporal membership settings for
that object with respect to that group. As a result, the object will not be added to the
group. If the object already belongs to the group at the time of removal, then it is
removed from the group.

To remove a temporal member of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. On the Members page, select the member, and click Remove.

NOTE: You can remove an object that is a temporal member of a group by managing the
object rather than the group. Select the object, and then choose the Member Of
command. On the Member Of page, select the group from the list and click Remove.

Managing AD LDS data


You can use the Web Interface to manage directory data in Microsoft Active Directory
Lightweight Directory Services (AD LDS). Similarly to Active Directory domains, directory
data can be managed in only the AD LDS instances that are registered with Active Roles
(managed AD LDS instances).
The application directory partitions found on the managed AD LDS instances are grouped
together in the AD LDS (ADAM) container, thus making it easy to locate the AD LDS data.
Each directory partition is represented by a separate container (node) so you can browse
the partition tree the same way you do for an Active Directory domain.
The Web Interface supports a wide range of administrative operations on AD LDS users,
groups and other objects, so you can create, view, modify, and delete directory objects,
such as users, groups, containers and organizational units, in AD LDS the same way you do
when managing data in Active Directory.

To browse the directory tree in AD LDS directory partitions

1. On the Navigation bar, click Directory Management.


2. In the Browse pane, click the Tree tab.
3. On the Tree tab, do the following:
a. Expand the AD LDS (ADAM) container.
b. Under AD LDS (ADAM), expand a directory partition object to view its top-
level containers.
c. Expand a top-level container to view the next level of objects in that container.
4. Do one of the following:
   • To move down a directory tree branch, continue expanding the next lowest
     container level on the Tree tab.
   • To administer a directory object at the current directory level, click a container
     on the Tree tab and use the instructions that follow.

To manage directory data in AD LDS


On the Tree tab in the Browse pane, under AD LDS (ADAM), click the container that holds
the data you want to manage.

1. In the list of objects, select the object that represents the directory data you
want to manage.
2. Use commands in the Command pane to perform management tasks.

NOTE: In the list of objects, clicking the name of a leaf object, such as a user or group,
displays a page intended to view or modify object properties; clicking a container
object, such as a partition or an organizational unit, displays a list of objects held in
that container.

Managing computer resources


You can use the Web Interface to manage the following computer resources:

• Services: Start or stop a service, view or modify properties of a service.
• Network file shares: Create a file share, view or modify properties of a file share,
  stop sharing a folder.
• Logical printers: Pause, resume or cancel printing, list documents being printed,
  view or modify properties of a printer.
• Documents being printed (print jobs): Pause, resume, cancel or restart printing
  of a document, view or modify properties of a document being printed.
• Local groups: Create or delete a group, add or remove members from a group,
  rename a group, view or modify properties of a group. Unavailable on domain
  controllers.
• Local users: Create or delete a local user account, set a password for a local user
  account, rename a local user account, view or modify properties of a local user
  account. Unavailable on domain controllers.
• Devices: View or modify properties of a logical device, start or stop a logical device.

To manage computer resources

1. In the Web Interface, locate the computer that hosts resources you want to manage.
For instructions on how to locate objects in the Web Interface, see Locating directory
objects earlier in this document.
2. Select the computer in the list of objects, and then click Manage in the
Command pane.
3. In the list of resource types, click the type of resource you want to manage.
4. In the list of objects that appears, select the resource you want to manage.
5. Use commands in the Command pane to perform management tasks on the
selected resource.

To manage print jobs

1. Repeat Steps 1–2 of the previous procedure, to start managing computer resources.
2. In the list of resource types, click Printers to view a list of printers found on the
computer you selected.
3. In the list of printers, select a printer whose print jobs you want to manage.
4. In the Command pane, click Print Jobs to view a list of documents being printed.

5. In the list of documents, select a document to pause, resume, restart, or
cancel printing.
6. Use commands in the Command pane to perform management tasks on the
selected document.

Restoring deleted objects


The Web Interface can be used to restore deleted objects in any managed domain that is
configured to enable Active Directory Recycle Bin—a feature of Active Directory Domain
Services introduced in Microsoft Windows Server 2008 R2.
To undo deletions, Active Roles relies on the ability of Active Directory Recycle Bin to
preserve all attributes, including the link-valued attributes, of the deleted objects. This
makes it possible to restore deleted objects to the same state they were in immediately
before deletion. For example, restored user accounts regain all group memberships that
they had at the time of deletion.
This section provides instructions on how to restore deleted objects by using the Web
Interface. For more information, see the “Recycle Bin” chapter in the Active Roles
Administration Guide.

Locating deleted objects


If Active Directory Recycle Bin is enabled in a managed domain, the Web Interface
provides access to the Deleted Objects container that holds the deleted objects from
that domain. On the Tree tab in the Browse pane, the Deleted Objects container
appears at the same level as the domain object, under the Active Directory node. If
multiple managed domains have Active Directory Recycle Bin enabled, then a separate
container is displayed for each domain. To tell one container from another, the name of
the container includes the domain name (for example, MyDomain.MyCompany.com -
Deleted Objects).
When you select the Deleted Objects container, the Web Interface lists all the deleted
objects that exist in the corresponding domain. The list can be sorted or filtered as
appropriate to locate particular objects (see Managing the list of objects earlier in this
document). If you click an object in the list, a menu appears that displays all actions you
can perform on that object.

Searching the Deleted Objects container


To locate deleted objects, you can perform a search in the Deleted Objects container:

1. On the Tree tab in the Browse pane, click the Deleted Objects container.
2. In the Command pane, click Search under this container.

3. Specify criteria for the deleted objects that you want to find:
   • To search by naming properties, type in the Search field on the Toolbar. The
     Web Interface will search for objects whose naming properties match what you
     typed. The naming properties include name, first name, last name, display
     name, and logon name.
   • To search by other properties, click the button on the right side of the Toolbar
     to expand the Toolbar, click Add criteria, choose the properties by which you
     want to search, click Add, and then configure the criteria as appropriate. The
     Web Interface will search for objects that match the criteria that you
     configured.
4. Press Enter to start the search.

Locating objects deleted from a certain OU or MU


To view a list of objects that were deleted from a particular Organizational Unit (OU) or
Managed Unit (MU), you can use the View or Restore Deleted Objects command. The
command opens a page that lists the deleted objects that were direct children of the
corresponding OU or MU at the time of deletion.

To view a list of objects that were deleted from a particular OU or MU

1. Select the OU or MU that held deleted objects you want to view.
2. In the Command pane, click View or Restore Deleted Objects.

The Web Interface lists the objects that were deleted from the OU or MU you selected. The
list can be sorted or filtered as appropriate to locate particular objects (see Managing the
list of objects earlier in this document).
NOTE: The View or Restore Deleted Objects command is also available on domain
and container objects.

Restoring a deleted object


You can restore deleted objects by using the Restore command that is available in the
Command pane when you select a deleted object in the Web Interface.

To restore a deleted object

1. In a list of deleted objects, select the object you want to undelete. For instructions on
how to build a list of deleted objects, see Locating deleted objects.
2. In the Command pane, click Restore.
3. Review and, if necessary, change the settings in the Restore Object dialog box, and
then click OK to start the restore process.

The Restore Object dialog box prompts you to choose whether the deleted child objects
(descendants) of the deleted object should also be restored. The Restore child objects
check box is selected by default, which ensures that the Restore command applied on a
deleted container restores the entire contents of the container.
NOTE: When restoring a deleted object, ensure that its parent object is not deleted. You
can identify the parent object by viewing properties of the deleted object: the canonical
name of the parent object, preceded with the “Deleted from:” label, is displayed beneath
the name of the deleted object on the property page for that object. If the parent object
is deleted, you need to restore it prior to restoring its children because deleted objects
must be restored to a live parent.
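
The ordering rule in the note above (a deleted object can only be restored to a live parent) and the effect of the Restore child objects check box, worked through as an added example; it is not Active Roles code. The record layout, the sample canonical names under MyDomain.MyCompany.com and the function name plan_restore are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Deleted:
    """One entry of a Deleted Objects container (constructed layout)."""
    name: str          # canonical name the object had before deletion
    deleted_from: str  # canonical name of its parent, as shown after "Deleted from:"


def plan_restore(target, recycle_bin, live, restore_children=True):
    """Return canonical names in an order in which they can be restored.

    recycle_bin: dict mapping canonical name -> Deleted
    live:        set of canonical names of objects that currently exist
    Raises LookupError when the target, or an ancestor it depends on,
    is neither live nor present in the Deleted Objects container.
    """
    if target not in recycle_bin:
        raise LookupError(f"{target} is not in the Deleted Objects container")

    # Walk up from the target until a live parent is reached; every deleted
    # ancestor found on the way has to be restored before the target.
    ancestors, seen = [], {target}
    current = recycle_bin[target]
    while current.deleted_from not in live:
        parent = recycle_bin.get(current.deleted_from)
        if parent is None or parent.name in seen:
            raise LookupError(
                f"parent {current.deleted_from} of {current.name} "
                "is neither live nor restorable"
            )
        seen.add(parent.name)
        ancestors.append(parent.name)
        current = parent
    order = list(reversed(ancestors)) + [target]

    if restore_children:
        # Breadth-first over deleted descendants, so that each child is
        # listed after the container it was deleted from.
        queue = deque([target])
        while queue:
            parent_name = queue.popleft()
            children = sorted(
                o.name for o in recycle_bin.values()
                if o.deleted_from == parent_name
            )
            order.extend(children)
            queue.extend(children)
    return order


# Constructed sample data: one live OU, a deleted OU subtree beneath it, and
# an object whose parent can no longer be found anywhere.
ROOT = "MyDomain.MyCompany.com"
SALES = ROOT + "/Sales"
CONTRACTORS = SALES + "/Contractors"
TEAM_A = CONTRACTORS + "/Team A"
JOHN = TEAM_A + "/John Smith"
PAT = CONTRACTORS + "/Pat Lee"
PRINTER = ROOT + "/Legacy/Old Printer"

LIVE = {ROOT, SALES}
RECYCLE_BIN = {
    d.name: d
    for d in (
        Deleted(CONTRACTORS, SALES),
        Deleted(TEAM_A, CONTRACTORS),
        Deleted(JOHN, TEAM_A),
        Deleted(PAT, CONTRACTORS),
        Deleted(PRINTER, ROOT + "/Legacy"),
    )
}

if __name__ == "__main__":
    for name in plan_restore(JOHN, RECYCLE_BIN, LIVE):
        print("restore:", name)
```
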

Using Approval Workflow

• Understanding approval workflow
• Locating approval items
• Using “My Tasks”
• Using “My Operations”

Understanding approval workflow


The approval workflow system included with Active Roles provides:

• A point-and-click interface to configure approval rules, available from the Active
  Roles console. The approval rules are stored and performed by the Active Roles
  Administration Service.
• The directory management section of the Web Interface for submitting operation
  requests for approval. For example, approval rules could be configured so that
  creation of a user account starts an approval workflow instead of immediately
  executing the user creation operation. For information on how to use the
  directory management section, see Managing Active Directory objects earlier in
  this document.
• The Approval area of the Web Interface to manage operation requests and
  approvals. This area includes a “to-do” list of the approval tasks the designated user
  has to carry out, allowing the user to approve or reject operation requests.

The Approval area provides a way to perform change approval actions, allowing you to
control changes to directory data that require your approval and monitor your operations
that require approval by other persons. You can use the Approval area to:

• Perform approval tasks: approve or reject operations so as to allow or deny the
  requested changes to directory data. Examples of operations include (but are not
  limited to) creation and modification of user accounts or groups.
• Check the status of your operations: examine whether the changes to directory data
  you requested are approved and applied, or rejected.

When a Web Interface user makes changes to directory data that require permission from
other individuals in an organization, the changes are not applied immediately. Instead, an
operation is initiated and submitted for approval. This starts a workflow that coordinates
the approvals needed to complete the operation. The operation is performed and the
requested changes are applied only after approval. An operation may require approval
from one person or from multiple persons.
When an operation is submitted for approval, Active Roles tracks the initiator and the
approver or approvers. The initiator is the person who requested the changes. Approvers
are those who are authorized to allow or deny the changes. An operation that requires
approval generates one or more approval tasks, with each approval task assigned to the
appropriate approver. Active Roles administrators configure approval workflow by creating
approval rules to specify what changes require approval and who is authorized to approve
or deny change requests.
In the Approval area, you can work with the operations for which you are assigned to the
approver role. As an approver, you are expected to take appropriate actions on your
approval tasks.

To access the Approval area

• On the Web Interface Home page, click in the Approval box.

Locating approval items


The Approval area provides a number of views to help you locate approval items—tasks
and operations:

• My Tasks: Contains detailed entries representing the approval tasks assigned to
  you. Depending on their status, the approval tasks are distributed into two views.
  The Pending view allows you to manage the approval tasks awaiting your response.
  The Completed view lists your approval tasks that have been completed.
• My Operations: The Recent view lists your recent operations that required
  approval, and allows you to examine the status and details pertinent to each
  operation.

In addition to using the predefined views, you can locate operations and tasks by using the
search function.

To search for an operation or task by ID

1. In the right pane of the Web Interface page, under the Search label, type the ID
number of the operation or task in the Search by ID box.
2. Click the button next to the Search by ID box to start the search.

You can also search for approval items (operations and tasks) by properties other than
ID. For instance, you can find the operations that were initiated by a specific user.
Another example is the ability to locate approval tasks generated within a specific time
period. To access the advanced search function, click Advanced Search under the
Search label. Then, use the Advanced Search page to configure your search settings
and start a search.
Advanced search is the most comprehensive way to search for approval items such as
operations and tasks. Use it to find approval items based on their properties. You do this by
creating queries, which are sets of one or more rules that must be true for an item to be
found. An example of a query for operations is “Initiator is (exactly) John Smith.” This
specifies that you are searching for operations that have the Initiator property set to John
Smith’s user account.

With advanced search, you can use conditions and values to search for approval items
based on item properties (referred to as “fields” on the search page). Conditions are
limitations you set on the value of a field to make the search more specific. Each type of
item has a set of relevant fields and each type of field has a set of relevant conditions that
advanced search displays automatically.
Some fields, such as “Target object property,” require that you select a property to further
define your search. In this case, you configure a query to search for operations or tasks
specific to the approval of changes to the objects based on a certain property of those
objects. For example, to find the operations that request any changes to the “Description”
property, you could select the “Target object property” field, select the “Description”
property, and then choose the “Modified” condition.
Some conditions require a value. For example, if you select a Date field, the “Is between”
condition requires a date range value so you have to select a start date and an end date to
specify a date range. Another example is the Initiator field, which requires that you select
a user account of the Initiator role holder.
In some cases, a value is not required. For example, if you select the “Modified” condition,
a value is not necessary since this condition means that you want your search to be based on
any changes to a certain property, without considering what changes were actually
requested or made to the property value.
The following topics cover the predefined views of the Approval section.

Using “My Tasks”


You can use the My Tasks area to work with the approval tasks assigned to you as an
approver. According to their status, the tasks are distributed into two views: Pending
and Completed.
For information about the Pending view, see Pending tasks.
For information about the Completed view, see Completed tasks.

Pending tasks
The Pending view contains a list of your approval tasks to be completed. Each task in the
list is identified by a header area that provides basic information about the task such as a
unique ID number of the task, who requested the operation that is subject to approval,
when the task was created, the time limit of the task (if any), and the target object of the
operation. In the middle of a task’s header area is a section that contains the title of the
task (Approve operation by default), a label indicating the status of the task, and
summary information about the operation that is subject to approval.
The task’s header area contains the action buttons you can use to apply the appropriate
resolution to the approval task. The action buttons are displayed at the bottom of the
header area. Which buttons are displayed depends upon configuration of the approval rule.
You may encounter the following action buttons there:

• Approve: Click this button to allow the requested operation.
  Depending on configuration of the approval and policy rules, the Web Interface may
  request you to enter additional information that must be added to the operation
  request. For example, when you approve the operation of creating a user account,
  you may have to supply certain properties of the user account in addition to those
  supplied by the administrator who requested creation of that user account. If
  additional information is required, clicking Approve displays a page where you can
  supply the required information. You can also access that page by clicking the
  Examine task button.
• Reject: Click this button to deny the requested operation.
• Escalate: Click this button to assign the approval task to an approver of a
  higher level.
  This button is displayed if the approval rule has one or more approver levels
  (referred to as escalation levels) configured in addition to the initial approver level.
  Escalation levels are normally used to assign (escalate) the approval task
  automatically to the approver of a higher level if the task is not completed in time.
  The approval rule may be configured to allow approvers to escalate approval tasks
  as needed, in which case the task’s header area contains the Escalate button.
• Delegate: Click this button to assign the approval task to a different person. You can
  select the user account of the person to whom you want to assign the task.
  This button is displayed if the approval rule is configured with the option to allow
  approvers to reassign (delegate) their approval tasks to others.
• Custom buttons: The approval rule may add custom buttons to the task’s header
  area. The action that Active Roles performs when you click a custom button depends
  upon configuration of the workflow containing the approval rule. The administrator
  who configures the workflow should normally supply an instruction on the use of
  custom action buttons. To view the instruction, click the Examine task button. This
  opens a page containing the same action buttons that you see in the task’s header
  area. The instruction text is displayed above the action buttons on that page.

The task’s header area contains the Examine task button allowing you to get detailed
information about the task, review the object properties submitted for approval, and
supply or change additional properties. Clicking the Examine task button displays a
page containing a replica of the task’s header area, the action buttons, and a number
of information sections. Review the information on the page, supply or change the
object properties for which the task requests your input, and then click the appropriate
action button.
The page that appears when you click the Examine task button includes the following
information sections:

• Object properties
  The contents of this section depend heavily upon configuration of the approval rule.
  Thus the approval rule may request you to enter additional information that must be
  added to the operation request. For example, when you approve the operation of
  creating a user account, you may have to supply certain properties of the user
  account in addition to those supplied by the administrator who requested creation of
  that user account. In this case, enter the requested properties in the fields under
  Supply or change the following properties.
  Normally, the approval rule is configured so that the approver is allowed to review
  the values of the object properties that were supplied or changed by the operation
  that is subject to approval. The approval rule may also be configured to allow the
  approver to change those property values. In either case, you can view or change
  them in the fields under Review the properties submitted for approval.
• Approvers
  This section displays a list of the user accounts or groups to which the approval task
  is currently assigned. Any of the listed users or members of the listed groups can act
  as an approver on the task in question.
• Approval progress
  This section provides information on the date and time that the task was created and
  whether the task was escalated to a higher approver level or reassigned (delegated)
  to other persons. If the task was escalated, you can view when escalation occurred
  and what caused escalation. If the task was reassigned (delegated), you can view
  who delegated the task, when, and to whom the task was delegated.
• Details
  In this section you can view aggregated information about the approval task
  properties and configuration, and some details of the operation that the task is
  intended to allow or deny. The Operation ID field provides a link to a page where
  you can examine the operation in more detail.

To complete a pending task

1. Click Examine task in the task’s header area.
2. On the Object properties page, review, supply or change the object properties for
which the task requests your input, and then click the appropriate action button.

You can also complete a task by clicking the appropriate action button in the task’s header
area. However, if the current policy and approval rules require the approver to supply
some additional information, the Web Interface opens the Object properties page,
prompting you to configure the required properties.

Completed tasks
The Completed view contains a list of your approval tasks that are completed and do not
require approver action. Each task in the list is identified by a header area that provides
basic information about the task such as a unique ID number of the task, who requested
the operation that is subject to approval, when the task was created, and the target object
of the operation. In the middle of a task’s header area is a section that contains the title of
the task (Approve operation by default), a label indicating the status of the task, and
summary information about the operation that was subject to approval. The header area
also identifies the approver action that was applied to complete the task and the
completion reason, if any, specified by the approver who completed the task.

The task’s header area contains the Examine task button allowing you to get detailed
information about the task and review the object properties that were submitted for
approval or changed by the approver who completed the task. Clicking the Examine task
button displays a page containing a replica of the task’s header area and the following
information sections:

• Object properties
  The contents of this section depend heavily upon configuration of the approval rule.
  Thus the approval rule may request the approver to enter additional information that
  must be added to the operation request. For example, when you approve the
  operation of creating a user account, you may have to supply certain properties of
  the user account in addition to those supplied by the administrator who requested
  creation of that user account. The values of the properties supplied by the approver
  are displayed in the fields under Supply or change the following properties.
  Normally, the approval rule is configured so that the approver is allowed to review
  the values of the object properties that were supplied or changed by the operation
  that is subject to approval. The approval rule may also be configured to allow the
  approver to change those property values. In either case, you can view them in the
  fields under Review the properties submitted for approval.
• Approvers
  This section displays a list of the user accounts or groups to which the approval task
  was assigned.
• Approval progress
  This section provides information on the date and time that the task was created, and
  whether the task was escalated to a higher approver level or reassigned (delegated)
  to other persons. If the task was escalated, you can view when escalation occurred
  and what caused escalation. If the task was reassigned (delegated), you can view
  who delegated the task, when, and to whom the task was delegated.
  The Task completed sub-section indicates the date and time that the task was
  completed, identifies the approver who completed the task and the approver action
  that was applied to complete the task, and lists the values of the object properties
  that were supplied or changed by the approver.
• Details
  In this section you can view aggregated information about the approval task
  properties and configuration, and some details of the operation that was allowed or
  denied by the completed task. The Operation ID field provides a link to a page
  where you can examine the operation in more detail.

Using “My Operations”


In the My Operations area, the Recent view lists your operation requests that are
waiting for approval from other individuals, as well as those allowed (approved) or denied
(rejected) by the approver. You can use this view to monitor the status of your requests.

You also have the option to cancel any of your requests that are not yet approved or
rejected.
Each operation listed in the Recent view is identified by a header area that provides basic
information about the operation such as a unique ID number of the operation, when and by
whom the operation was requested, and the target object of the operation. A section in the
middle of the operation header contains a summary of the operation, operation status and
an operation reason that was supplied when the operation was submitted for approval.
The operation summary identifies the operation type (such as Create user or Change
user) and may provide information about the changes to the object properties that result
from the operation. From the operation status you can tell whether the operation is waiting
for approval (pending), allowed (completed), denied (rejected) or canceled. If a given
operation is waiting for approval, you can remove the operation request by clicking the
Cancel operation button.
The operation header contains the View operation details button allowing you to get
detailed information about the operation and review the object properties that were
submitted for approval or changed by the approver who allowed the operation. Clicking the
Examine task button displays a page that contains a replica of the operation header and
the following information sections under the operation header:

• Properties changed during this operation
  This section lists the object property values that were changed as a result of
  the operation, new values assigned to the properties, and identifies who made
  the changes.
• Workflow activities and policy actions
  This section provides detailed information about all policies and workflows that
  Active Roles performed when processing the operation request, including information
  about the approval tasks created as a result of approval workflow activities. For each
  approval task, you can view the status of the task along with aggregated information
  about the properties and configuration of the task.
  From the task status you can tell whether the task is waiting for completion
  (pending), completed to allow the operation or rejected to deny the operation. From
  the additional information about a task, you can identify, for instance, the approvers
  to whom the task is assigned, the due date of the task, the approver who allowed or
  denied the operation and what changes, if any, the approver made to the original
  operation request.
• Operation details
  This section contains additional information about the operation, including when and
  by whom the operation was requested, the target object of the operation, the current
  status of the operation, and the date and time that the record of the operation was
  last updated.


About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.

Technical support resources


Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

• Submit and manage a Service Request
• View Knowledge Base articles
• Sign up for product notifications
• Download software and technical documentation
• View how-to videos at www.YouTube.com/OneIdentity
• Engage in community discussions
• Chat with support engineers online
• View services to assist you with your product

Active Roles 7.4.5 Web Interface User Guide

