ActiveRoles Web Interface Administration Guide

The One Identity Active Roles Web Interface Administration Guide provides instructions for deploying and customizing the Web Interface for Active Directory management. It details the capabilities of the Web Interface, including role-based access, point-and-click customization, and management of directory objects. The guide also outlines deployment tasks and the creation of multiple Web Interface sites tailored to different administrative roles.

One Identity Active Roles

Web Interface Administration Guide


Copyright 2022 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this
guide is furnished under a software license or nondisclosure agreement. This software may be used
or copied only in accordance with the terms of the applicable agreement. No part of this guide may
be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser’s personal use without the
written permission of One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes
no representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office
information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property
damage, for which industry-standard safety precautions are advised. This icon is
often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data
if instructions are not followed.

Active Roles Web Interface Administration Guide


Updated - April 2022
Version - 7.5.3
Contents

Introduction

Deploying the Web Interface
About the Web Interface
Different sites for different roles
Deployment tasks
Reusing an earlier configuration version

Getting Started
Configuring the Web browser
Configuring Google Chrome
Configuring Mozilla Firefox
Connecting to the Web Interface
Changing personal settings
Logging out of the Web Interface

Web Interface Basics
Administrative tasks overview
Directory Management
Search
Approval
Settings
Customization
User interface overview
Navigation bar
Browse pane
List of objects
Toolbar
Current container
Command pane
Summary pane
Object property pages
Notification and Feedback
Managing the list of objects
Sorting and filtering the list of objects
Adding or removing columns from the list of objects
Locating directory objects
Searching for directory objects
Example: Searching by object type
Filtering the contents of a container
Example: Filtering by object type
Using personal views
Creating a personal view
Changing a personal view

Performing Management Tasks
Managing your personal account
Managing Active Directory objects
Batch operations
Example 1: Enabling a user account
Example 2: Adding a user to a group
Running an automation workflow
Managing temporal group memberships
Adding temporal members
Viewing temporal members
Rescheduling temporal group memberships
Removing temporal members
Managing AD LDS data
Managing computer resources
Restoring deleted objects
Locating deleted objects
Searching the Deleted Objects container
Locating objects deleted from a certain OU or MU
Restoring a deleted object

Using Approval Workflow
Understanding approval workflow
Locating approval items
Using “My Tasks”
Pending tasks
Completed tasks
Using “My Operations”

Customizing the Web Interface
Introduction
Terminology
Menu
Command
Form
Tabs
Entry
Link to Form Editor
Focus item
Toolbar
List of entries
Tab
Configuring menus
Creating a menu
Deleting a menu
Adding a command to a menu
Removing commands from a menu
Setting the default command on a menu
Adding a separator to a menu
Changing the order of commands on a menu
Configuring commands
Managing command properties
Creating or selecting a form for a command
Properties of a command
Common properties
Form Task properties
Search Task properties
Page View Task properties
Set Attribute Task properties
Command visibility options
Configuring forms
Managing properties of a form
Adding a tab to a form
Deleting tabs from a form
Managing properties of a tab
Tab visibility options
Adding an entry to a form
Adding static text to a form
Deleting entries from a form
Managing properties of an entry
Type of entry
Entry for an attribute of DN syntax
Examples
Deleting a command from a menu
Adding an entry to a form
Global settings
Customizing the logo image
Customizing the Web Interface site icon
Customizing the name of the Web Interface user
Customizing the Navigation bar
Customizing the Home page
Configuring Web interface for enhanced security
Working with Cross-Site Request Forgery for web interface
Working with Cross-Site Scripting validation for Web interface
Impact of updating CSRF setting

Default Commands
Web Interface for Administrators
Domain menu
Container or OU menu
Managed Unit menu
User menu
Group menu
Computer menu
Web Interface for Help Desk
Domain menu
Container or OU menu
Managed Unit menu
User menu
Group menu

About us
Contacting us
Technical support resources

Introduction

The Active Roles Web Interface Administration Guide is for individuals who are responsible
for deploying and tailoring the Web Interface to suit the needs of their organization. This
document provides a brief overview of the Web Interface, explains the customization
capabilities, and provides instructions on how to customize the Web Interface and perform
administrative tasks.

Deploying the Web Interface

• About the Web Interface
• Deployment tasks
About the Web Interface


The Active Roles (formerly known as ActiveRoles®) Web Interface is a highly customizable,
easy-to-use Web-based application that facilitates the data administration and provisioning
in Active Directory. Via the Web Interface, an intranet user can connect to Active Roles
using a Web browser and perform day-to-day administrative tasks, including user
management tasks such as modifying personal data or adding users to groups.
A Web Interface user can perform administrative tasks and view or modify directory data.
However, the user’s scope of authority is limited by the rights delegated in Active Roles. A
user sees only the commands, directory objects, and object properties to which the user’s
role provides administrative access.
The Web Interface pages are easy to customize. An administrator can customize them
without modifying a single line of code. Menu commands can be added or removed,
and Web Interface pages can be modified by adding or removing fields that display
property values.
The key features and benefits of the Active Roles Web Interface include:
• Role-based suite of interfaces: Enables multiple interfaces to coexist on an
  intranet, with each interface providing a separate, administrative role-oriented,
  customizable set of menus, commands, and forms.
• Dynamic configuration based on roles: Dynamically adapts to meet the
  roles assigned to Web Interface users. A user is only shown the commands,
  directory objects, and object properties for which the user’s role provides
  administrative access.
• Point-and-click customization: An administrator can customize menus,
  commands, and pages without writing a single line of code.
• Full-featured management of Active Directory accounts: Provides for all
  administrative tasks on Active Directory accounts, such as users, groups, and
  computers. The Web Interface can be tailored for any category of administrative
  personnel, whether day-to-day administrators, business data owners, help desk
  operators, or even regular end-users.
• Management of computer resources: Provides the ability to manage computer
  resources such as printers, shares, services, devices, local users and groups.
• User Profile Editor: Enables end users to manage personal or emergency data
  through a simple-to-use Web interface, provided that the users have the appropriate
  permissions specified with Active Roles.
• Instant application of corporate rules: Efficiently supplements and restricts the
  user input based on corporate rules defined with Active Roles: displays property
  values generated according to the rules, and prohibits administrative users from
  entering data that violate the rules.
• Single sign-on with integrated Windows authentication: Provides for single
  sign-on, without normally requiring users to type passwords again once they are
  logged on and authenticated by the operating system.
• International support: Incorporates international support through the
  language-specific information and resource files that store user interface elements in
  multiple languages.

Different sites for different roles


Multiple instances of the Web Interface, referred to as Web Interface sites, can be installed
with different configurations. The following is a list of configuration templates that are
available out of the box.
• Default Site for Administrators: Supports a broad range of tasks, including the
  management of directory objects and computer resources.
• Default Site for Help Desk: Handles typical tasks performed by Help Desk
  operators, such as enabling/disabling accounts, resetting passwords, and modifying
  select properties of users and groups.
• Default Site for Self-Administration: Provides User Profile Editor, allowing end
  users to manage personal or emergency data through a simple-to-use Web interface.

Each configuration template provides an individual set of commands installed by default.
The Web Interface site can be customized by adding or removing commands, and by
modifying Web pages (forms) associated with commands.
Although the Web Interface dynamically adapts to roles assigned to users, the ability to
tailor separate Web Interface sites to individual roles gives increased flexibility to the
customer. It helps streamline the workflow of directory administrators and help-desk
personnel. Static configuration of interface elements ensures that Web Interface users
have access to the specific commands and pages needed to perform their duties.
Active Roles administrators can use the customization capabilities of the Web Interface to
add and remove commands and to modify Web pages (forms) associated with commands.
For information about how to perform customization, see “Customizing the Web Interface”
later in this document.
Multiple interfaces with different configurations can coexist on a network. Therefore, there
is no need to re-configure the Web Interface for each particular role.

Deployment tasks
Active Roles makes it possible to deploy any number of Web Interface sites, with each site
having its own configuration or sharing the configuration with other sites. The configuration
of each Web Interface site is stored in the Active Roles database, and replicated by the
Active Roles Administration Services. This provides the following advantages:
• The configuration of an existing Web Interface site can be re-used
• Multiple Web Interface sites may share common configuration

A site’s configuration specifies customizable settings of user interface elements, such as
menus, commands, and pages (forms), displayed by the Web Interface. Each configuration
is identified by name, stored as an entity, and applied on a per-site basis.
When adding a new Web Interface site, you can apply a default configuration template or
select the configuration of an existing Web Interface site. A configuration template creates
a site with new configuration that can be customized as needed. Re-using the configuration
of an existing site causes sites to share common configuration.
When multiple Web Interface sites share common configuration, any customization of one
site is automatically applied to the others. For example, if you add a command or modify a
form on one site, the new command or modified form appears on all the other sites.
The procedure for deploying the Web Interface includes two stages:
• Installing and initially configuring the Web Interface: At this stage, the files
  are copied to the computer, and three Web Interface sites are created based on the
  default configuration templates. For instructions on how to install the Web Interface
  and perform initial configuration, see “Installing and configuring the Web Interface”
  in the Active Roles Quick Start Guide.
• Creating, modifying or deleting a Web Interface site: At this stage, you
  can create additional Web Interface sites, and modify or delete existing Web
  Interface sites.

When creating a new Web Interface site, you have the option to apply the configuration of
an existing Web Interface site to the newly created one. If you have the Web Interface site
tailored to suit your needs, and need to deploy its instance on another Web server, this
option ensures that the new Web Interface site has the same set of menus, commands and
pages as the existing one.
When initially configured, the Web Interface has three Web Interface sites, each of which is
based on a default configuration template. You can modify the Web server-related
parameters, such as the Web application alias, for these Web Interface sites, or delete Web
Interface sites. You can also create additional Web Interface sites.

To create, modify, or delete a Web Interface site

1. Open Active Roles Configuration Center.
   You can open Configuration Center by selecting Active Roles 7.5.3 Configuration
   Center on the Apps page or Start menu, depending upon the version of your
   Windows operating system.
2. In the Configuration Center main window, under Web Interface, click
   Manage Sites.
3. On the Web Interface page, do one of the following:
   • To create a new site, click Create.
   • To modify an existing site, select the site from the list and click Modify.
   • To delete a site, select the site from the list and click Delete.
   • To export the configuration of a site to a file, select the site and click Export
     Configuration.
4. View or change the following settings in the wizard that appears if you click Create or
   Modify:
   • IIS Web site: Specifies the IIS Web site containing the Web application that
     implements the Web Interface site. You can select the desired Web site from a
     list of all Web sites defined on the Web server.
   • Alias: Specifies the alias of the Web application that implements the Web
     Interface site. The alias defines the virtual path used in the address of the Web
     Interface site on the Web server.
   • Configuration: Create a new configuration based on a template and assign it
     to the Web Interface site, or use the configuration of an existing Web Interface
     site. It is also possible to import data from an existing configuration or from a
     configuration export file.
     Configuration specifies customizable settings of user interface elements, such
     as menus, commands, and Web pages (forms), displayed by the Web
     Interface. The configuration of a Web Interface site is stored as part of the
     Active Roles configuration data, and is hosted by the Administration Service to
     which the Web Interface is connected. Multiple sites may use the same
     configuration. When you customize a Web Interface site, your changes are
     saved in the site’s configuration.
   On the Configuration page, you can choose from the following options:
   • Keep the current configuration: Choose this option when modifying an
     existing Web Interface site if you do not want to assign a different configuration
     to that site.
   • Create from a template: Create a new configuration for the Web Interface
     site based on a template. With this option, you need to supply a unique name
     for the new configuration and select the desired template.
     Choose this option if you want the Web Interface site to use a separate
     configuration that is initially populated with the template data.
   • Use an existing configuration: Assign an existing configuration to the Web
     Interface site. With this option, you need to select the desired configuration
     from a list of configurations found on the Administration Service. The list
     includes the configurations of the current Active Roles version only.
     Choose this option if you want the Web Interface site to share its configuration
     with other Web Interface sites. For example, when creating a new instance of a
     given site for load balancing, you should assign the configuration of that site to
     the new Web Interface site.

Each Web Interface site can be accessed from a Web browser using the address based on the
Web application alias:
http://<WebSite>/<Alias>
Here, <WebSite> identifies the IIS Web site containing the Web application that
implements the Web Interface site and <Alias> stands for the alias of that Web application,
as specified in Configuration Center. For example, if the Web application is contained in the
default Web site, the address is http://<Computer>/<Alias>, where <Computer> stands
for the network name of the computer (Web server) running the Web Interface.
By default, Web Interface users connect to the Web Interface using an HTTPS transport,
which encrypts the data transferred from a Web browser to the Web Interface. If you
do not need a secure transport for transferring data to the Web Interface, you can disable the
HTTPS option using the Configuration Center.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided
by the Web server for data encryption. For instructions on how to enable SSL on your Web
server, see https://support.microsoft.com/en-in/help/324069/how-to-set-up-an-https-service-in-iis.
If SSL is enabled, users specify an HTTPS prefix rather than an HTTP prefix when
connecting to the Web Interface.
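
The following PowerShell check is an added example, not part of the One Identity guide: it reports, for each IIS Web site that hosts a Web Interface application, whether an HTTPS binding exists and whether a plain HTTP binding is still present. It assumes the WebAdministration module is available on the Web server and that the sites use the default aliases listed under “Connecting to the Web Interface”.

```powershell
# Added example (not from the guide): check the transport bindings of the IIS
# Web sites that host Active Roles Web Interface applications.
# Run in an elevated PowerShell session on the Web server.
Import-Module WebAdministration

# Default aliases named in this guide (assumption: the sites kept these aliases).
$aliases = 'ARWebAdmin', 'ARWebHelpDesk', 'ARWebSelfService'

$report = foreach ($site in Get-Website) {
    foreach ($app in Get-WebApplication -Site $site.Name) {
        # The application path is the alias with a leading slash.
        $alias = $app.path.TrimStart('/')
        if ($aliases -notcontains $alias) { continue }

        # Bindings belong to the IIS Web site, not to the individual application.
        $https = @(Get-WebBinding -Name $site.Name -Protocol 'https')
        $http  = @(Get-WebBinding -Name $site.Name -Protocol 'http')

        $finding = if ($https.Count -eq 0) {
            'No HTTPS binding: data is sent unencrypted'
        } elseif ($http.Count -gt 0) {
            'HTTP binding still present: confirm HTTP is not used for this site'
        } else {
            'HTTPS only'
        }

        [pscustomobject]@{
            Site          = $site.Name
            Alias         = $alias
            HttpsBindings = ($https | ForEach-Object { $_.bindingInformation }) -join '; '
            HttpBindings  = ($http  | ForEach-Object { $_.bindingInformation }) -join '; '
            Finding       = $finding
        }
    }
}

$report | Format-Table -AutoSize
```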

Reusing an earlier configuration version


When you deploy the Web Interface, you use Configuration Center to create or modify Web
Interface sites. Configuration Center allows you to specify how you want a given Web
Interface site to be configured, by letting you create, select or import a so-called
configuration which is basically a collection of settings that fully determine the menus,
commands, forms and other elements of the pages provided by the Web Interface site.
For each Web Interface site, Active Roles stores the site’s configuration in a particular
object held in the Active Roles database, and allows the configuration to be identified by
that object. Configuration Center retrieves and enumerates configuration objects when it
builds a list of existing configurations.
During upgrade of Active Roles, Web Interface site configuration objects are merely copied
to the new Active Roles database. As a result, the database holds configuration objects of
an earlier version. If you want your new Web Interface sites to have the same configuration
as your Web Interface sites of the earlier version, you can use Configuration Center to
create configuration objects of the current version by importing configuration objects of an
earlier version.

To reuse a configuration of an earlier Web Interface version

1. On the Configuration page of the wizard for creating or modifying a Web
   Interface site in Configuration Center, select the Import from an existing
   configuration option.
2. In Configuration name, type a name for the new configuration that will be created
   by importing an existing configuration, or accept the default name.
3. From the Configuration to import list, select the name of the configuration you
   want to import.
   To distinguish between different configuration versions, the version number is added
   to the name of each configuration in the list.

One more situation that may require the use of an earlier configuration version is when you
need to restore the configuration of a Web Interface site from a backup. Configuration
Center allows you to export configuration to a file. The export file is a backup from which
the configuration can be restored if necessary. You can import the configuration from an
export file created by the current Active Roles version or by an earlier version.

To export the configuration of a Web Interface site to a file

• On the page for managing Web Interface sites in Configuration Center, select the
  desired Web Interface site, click Export Configuration, and then supply the path
  and name of the file to which you want to export the configuration.

To import the configuration from an export file

1. On the Configuration page of the wizard for creating or modifying a Web Interface
site in Configuration Center, select the Import from a file option.
2. In Configuration name, type a name for the new configuration that will be created
by importing data from the export file, or accept the default name.
3. From the File to import field, select the export file.

Earlier Active Roles versions exported site configuration data to an export package (a
collection of export files) rather than a single export file. You can use Configuration Center
to import configuration from an export package: click the Browse button next to the File
to import field, navigate to the folder containing the export package files, and select
the .txt file that identifies the export package.

Getting Started

Active Roles (formerly known as ActiveRoles®) offers a convenient, easy-to-use,
customizable Web Interface that enables authorized users to perform day-to-day
administrative tasks, including user management tasks such as modifying personal data or
adding users to groups. Via the Web Interface, an intranet user can connect to Active Roles
using a Web browser. A user sees only the commands, directory objects, and object
properties to which the user’s role provides administrative access.
By default, the Web Interface includes three different sites: the site for Administrators, the
site for Help Desk, and the site for self-administration. The site for Administrators supports
a rich variety of administrative tasks, while the site for Help Desk supports a simplified set
of tasks to expedite the resolution of trouble tickets. The site for self-administration is
intended for managing personal accounts.
The Web Interface also allows setting the user interface language according to your
preferences. The language setting affects all menus, commands, and forms that
come with the Web Interface, as well as the tool tips and help. Thus, users can work with
the Web Interface in their own language.
The Web Interface delivers a reliable, comprehensive solution that lets users who have
administrative access to Active Roles modify the commands the Web Interface provides
without writing a single line of code. Such users can add and remove
commands on menus, and modify command pages by adding and removing fields that
display property values. For information on how to customize the Web Interface, refer to
the Active Roles Web Interface Administration Guide.
The Active Roles Web Interface User Guide is for individuals who are responsible for
performing day-to-day administrative tasks. This document provides a brief overview of
the Web Interface, and includes step-by-step instructions on how to perform
administrative tasks.
The following topics describe the procedures for connecting to the Web Interface. First,
configure your Web browser to display the Web Interface pages properly. Then, connect to
the Web Interface. Finally, you may specify personal settings for the Web Interface.
• Configuring the Web browser
• Connecting to the Web Interface
• Changing personal settings
• Logging out of the Web Interface

Configuring the Web browser


There are several different Web browsers that you can use to access the Active Roles Web
Interface. No matter which browser you use, it must have JavaScript and cookies enabled.

JavaScript is a programming language for making Web pages interactive. Cookies are small
files stored on your computer that contain information about the Web Interface.
For instructions on how to enable JavaScript and cookies in your browser, see the
following topics.
• Configuring Google Chrome
• Configuring Mozilla Firefox

Configuring Google Chrome


To access the Active Roles Web Interface, Google Chrome must have JavaScript and
cookies enabled.

To enable JavaScript and cookies in Google Chrome

1. Click the Chrome menu button on the browser toolbar, and then click Settings.
2. On the Settings page, click Show advanced settings, and then click the Content
settings button in the Privacy section.
3. In the Content settings dialog box, do the following:
a. Make sure that the Allow local data to be set option is selected
under Cookies.
b. Make sure that the Allow all sites to run JavaScript option is selected under
JavaScript.
c. When finished, click Done.

Configuring Mozilla Firefox


To access the Active Roles Web Interface, Firefox must have cookies enabled. You don’t
need to worry about JavaScript as this option is normally enabled and, beginning with
Firefox 23, cannot be disabled or re-enabled by using the Options dialog box.

To enable cookies in Mozilla Firefox

1. Click Options on the Tools menu.


2. In the Options dialog box, do the following:
a. Click the Privacy button at the top of the dialog box.
b. Make sure that the Remember history option is selected in the History area.
c. When finished, click OK.

Connecting to the Web Interface
To connect to the Web Interface, you need to know the name of the Web server running the
Web Interface and the name of the Web Interface site you want to access. The default site
names are as follows:
• ARWebAdmin: Site for administrators; supports a broad range of
  administrative tasks
• ARWebHelpDesk: Site for Help Desk; supports the most common
  administrative tasks
• ARWebSelfService: Site for self-administration; enables end users to manage their
  personal accounts

To connect to the Web Interface

• In the address box of your Web browser, type the address of the Web Interface site,
  and then press Enter.

For example, to connect to the default site for administrators, you might type
http://server/ARWebAdmin where server stands for the name of the Web server
running the Web Interface.

Changing personal settings


When using the Web Interface, you can specify the following personal settings:
• User interface language: The language of the Web Interface pages. This setting
  affects all menus, commands, and forms of the Web Interface, as well as tool tips and
  help, allowing the user to view the Web Interface pages in the selected language.
• Maximum number of objects to display in search results: Determines the
  maximum number of objects displayed in single-page lists, such as lists of search
  results or lists that show contents of containers.
  Use this setting cautiously because displaying a large number of objects may
  adversely affect performance of your Web browser. Instead of displaying all objects,
  it would be advisable to use searching and filtering to find the objects you need.
• Number of items to display per page in paged lists: Determines the maximum
  number of list items displayed on a single page in multi-page lists. Affects only the
  lists, such as lists of approval tasks, that are divided into pages, causing each page to
  display no more items than specified by this setting.
  Use this setting cautiously. If you specify a small number, you will need to page
  through list items. However, specifying an unreasonably large number may result in
  poor performance of the list view.
• Number of page links to display for paged lists: Determines the maximum
  number of links to pages displayed for multi-page lists. Affects only the lists, such as
  lists of approval tasks, that are divided into pages, allowing the user to page through
  list items by clicking page numbers beneath the list. This setting specifies how many
  page numbers are to be shown and the duration of the Web Interface notification.

Active Roles saves these settings on a per-user basis in the configuration of the Web
Interface site. Once saved, the personal settings take effect regardless of which computer
is used to access the Web Interface. The user can have different personal settings for
different Web Interface sites.

To change personal settings

1. Click the Settings (gear) icon in the upper right corner of the Web Interface window.
2. Configure the settings as needed.
3. Click Save for the changes to take effect.

Logging out of the Web Interface


Logging out of the Web Interface helps protect Web Interface users from harmful security
breaches. Users should log out of the Web Interface when their work is completed.

To log out of the Web Interface


• Click the name of the current Web Interface user in the top right corner of the Web
Interface window, and then click Log out.

The Log out command closes the current Web Interface session and deletes all the
session-related data from the local computer.
Not logging out may pose a security risk (for example, if the user accesses the Web
Interface from a public computer). In such a case, the Web Interface can forcibly terminate
the session due to user inactivity.
The Web Interface provides an inactivity timeout, ensuring that the session is not terminated
unexpectedly. The administrator can specify the amount of continuous idle time that must
pass in a Web Interface session before a message box pops up to prompt the user for an
action. If the user does not respond to the prompt, the session is forcibly terminated after
an additional grace period.
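The idle prompt and grace period described above can be modelled as a small state machine. The following Python sketch is an added example, not Active Roles code; the class and setting names (IdleSession, idle_limit, grace_period) and the timeline values are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class SessionState(Enum):
    ACTIVE = "active"          # user is working, nothing is shown
    PROMPT = "prompt"          # idle limit reached, the message box is displayed
    TERMINATED = "terminated"  # session closed, session data must be discarded


@dataclass
class IdleSession:
    """One session; all times are seconds on a trusted monotonic clock."""
    idle_limit: float      # continuous idle time before the prompt (assumed name)
    grace_period: float    # additional time the prompt stays open (assumed name)
    last_activity: float = 0.0
    terminated: bool = False

    def state(self, now: float) -> SessionState:
        if self.terminated:
            return SessionState.TERMINATED
        idle = now - self.last_activity
        if idle >= self.idle_limit + self.grace_period:
            # Latch the termination so a late request cannot revive the session.
            self.terminated = True
            return SessionState.TERMINATED
        if idle >= self.idle_limit:
            return SessionState.PROMPT
        return SessionState.ACTIVE

    def touch(self, now: float) -> bool:
        """Record user activity or a response to the prompt.

        Returns False when the session is already over, so the caller must
        require a new logon instead of extending the old session.
        """
        if self.state(now) is SessionState.TERMINATED:
            return False
        self.last_activity = now
        return True

    def log_out(self) -> None:
        """Explicit Log out: end the session immediately."""
        self.terminated = True


def replay(session: IdleSession, events) -> list:
    """Apply constructed (time, action) events; return the state after each."""
    seen = []
    for now, action in events:
        if action == "activity":
            session.touch(now)
        elif action == "logout":
            session.log_out()
        seen.append(session.state(now).value)
    return seen


# Constructed timeline: 15-minute idle limit, 60-second grace period.
TIMELINE = [
    (899, "check"), (900, "check"), (930, "activity"),
    (1830, "check"), (1890, "check"), (1891, "activity"),
]

if __name__ == "__main__":
    print(replay(IdleSession(idle_limit=900, grace_period=60), TIMELINE))
```

The last event shows the case that matters on a shared computer: activity that arrives after the grace period has expired does not reopen the session.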

Web Interface Basics

• Administrative tasks overview
• User interface overview
• Managing the list of objects
• Locating directory objects
• Using personal views

Administrative tasks overview


The Web Interface home page displays categories of administrative tasks supported by the
Web Interface. The same categories are displayed along the vertical strip on the left side of
the Web Interface window, referred to as the Navigation bar. Click icons on the Navigation bar
to perform the following tasks:
• Directory Management: Browse for, and manage, directory objects, such as users
and groups. You can navigate through containers in the directory; view, filter and
select objects held in the container; and apply commands to the selected object
or container.
• Search: Search for, and manage, directory objects. You can select containers in the
directory, and specify search criteria. The Web Interface searches in the selected
containers and all of their subcontainers, and lists the objects that match your search
criteria, allowing you to apply commands to objects in the list.
• Approval: Perform the tasks related to approval of administrative operations.
The scope of your responsibilities depends upon your role in the approval
workflow processes.
• Settings: Set up your personal settings that control the display of the Web
Interface pages.
• Customization: Add, remove, or modify user interface elements, such as menu items
(commands) and pages (forms), intended to manage directory objects. This task
requires the rights of Active Roles Admin.

NOTE:
• For more information on extending the Active Roles provisioning and account
administration capabilities to your cloud applications, click the supported
connectors in the What's New section from the Active Roles drop-down list.
• On the title bar of the Active Roles Web Interface, click Feedback to provide
product feedback. You are redirected to a new browser that allows you to provide
the feedback.
• For the Admin site, the feedback option is available by default.
• For the HelpDesk site, navigate to Customization | Global Settings and select the
Enable user feedback link check box to enable the feedback option.
• The feedback option is not available for the SelfService site.

Directory Management
Directory Management allows you to browse for, and administer, directory objects in
your organization. Your Active Roles permissions determine which tasks you can perform.
Directory Management provides the following views:
• Active Directory: Lists Active Directory domains managed by Active Roles,
allowing you to navigate through containers in those domains. You can view, filter
and select objects held in the container, and apply commands to the selected
object or container.
• Managed Units: Lists Managed Units defined in Active Roles, allowing you to view
objects, and navigate through containers, held in Managed Units. You can filter and
select objects, and apply commands to the selected object or container.

For information on how to administer Active Directory objects, see Managing Active
Directory objects later in this document.

Search
Search provides a flexible, query-based mechanism that helps locate directory objects
quickly and without browsing through the directory tree. You can select containers in the
directory, and build a query by specifying search criteria. The Web Interface searches in the
selected containers and all of their subcontainers, and lists the objects that match your
search criteria. When the objects you target are returned as the results of a search query,
you can then perform the necessary administrative tasks.
You can also save the queries that you build and use them again at a later time. The Web
Interface saves queries as your personal views, with each view consisting of the containers
and search criteria that you select, as well as the customized sorting and column
information that you specify.
For instructions on how to perform a search, see Searching for directory objects later in
this document.

Approval
Approval provides you with the tools for performing tasks related to approval workflow.
You can use these tools to complete approval tasks assigned to you as an Approver, and to
monitor the status of the operations that you initiated, if those require approval.
For details on how to perform approval tasks, see Using Approval Workflow later in
this document.

Settings
By using Settings, you can specify:
• The language of the Web Interface pages.
• The maximum number of objects displayed in single-page lists.
• The maximum number of list items displayed on a single page in multi-page lists.
• The maximum number of links to pages displayed for multi-page lists.
• The maximum time, in minutes, for which a notification is visible.
• The maximum number of notifications stored in Active Roles.

You can also enable Show objects owned by inheritance or secondary ownership.
Selecting this check box allows Self-Administration Web Interface users to view objects in
My Managed Resources even if the user is not assigned to the objects as the primary
owner (manager), but as a secondary or inherited owner.
Settings are saved on a per-user basis in the configuration of the Web Interface site. For
more information, see Changing personal settings.

Customization
Customization allows you to tailor the Web Interface to suit the specific needs of your
organization. The Customization item is only displayed if you are logged on as Active
Roles Admin. The Active Roles Admin account is specified upon configuration of the Active
Roles Administration Service.
Customization includes the following tasks:
• Directory Objects: Modify menus, commands, and forms for administering
directory objects. View or change global settings, such as the logo image and
color scheme.
• Restore Default: Restore the original (default) menus, commands, and forms,
discarding all previous customizations.
• Reload: Put into effect the menus, commands, and forms that you have customized.

The customization settings determine the configuration of the Web Interface site for
all users.
For more information and instructions on how to customize the Web Interface, see
“Customizing the Web Interface” in the Active Roles Web Interface Administration Guide.

User interface overview
This section describes the user interface elements that are common across the Web
Interface.

Navigation bar
Located on the left side of the page, the Navigation bar provides the first level of navigation
for most of the tasks you can perform in the Web Interface. The Navigation bar is organized
by Web Interface areas, and includes the following items:
• Home: Go to the Web Interface home page.
• Directory Management: Browse for, and administer, directory objects in your
organization.
• Search: Search for, and administer, directory objects in your organization.
• Customization: Customize Web Interface pages. Available to Active Roles
Admin only.
• Approval: Perform the tasks relating to approval of administrative operations.
• Settings: View or change your personal settings that control the display of the
Web Interface.
• Help: Find Help topics and other helpful resources for the Web Interface.

For more information about functions of the Navigation Bar, see Administrative tasks
overview earlier in this document.

Browse pane
Located next to the Navigation bar, the Browse pane lists the built-in views and personal
views, and allows you to access the tree view:
• Built-in views provide entry points to browsing for objects in the directory. Personal
views are filter or search queries you build and save to use them again at a later
time. To see built-in views and personal views, click the Views tab at the top of the
Browse Pane.
• The tree view helps you browse for directory objects by using the directory tree to
navigate through the hierarchical structure of containers. To see the tree view, click
the Tree tab at the top of the Browse Pane.

List of objects
When you select a container or view in the Browse pane, you’ll see a list of objects. If you
select a container, the list includes the objects held in that container. If you select a view,
the list includes the objects that match the view settings. It is also possible to customize
the list by sorting and filtering, and by adding or removing list columns.
You can select objects from the list and apply commands to the selected object or objects.
When you click the name of a container object, such as a domain or an organizational unit,
the list changes to display the objects held in that container, thereby enabling you to
browse through containers in the directory.

Toolbar
The Toolbar contains a number of controls allowing you to manage the current list
of objects:
• Click the Menu button on the left side of the Toolbar to save the current list as a
personal view, add or remove list columns, or export the list to a text file.
• Type in the Filter field and then click the button next to that field to have the list
include only those objects whose naming properties match what you typed.
• Click the Expand/Collapse button on the right side of the Toolbar to configure filtering
criteria based on object properties. To have the list include only the objects that
match your filtering criteria, click the button next to the Filter field.

Current container
The area above the Toolbar displays the name of the current container—the container that
holds the objects shown in the list, and identifies the hierarchical path to the current
container in the directory. Click the name of a container in the path to view a list of objects
held in that container.

Command pane
Located to the right of the list of objects, the Command pane provides commands you
can apply to objects you select from the list as well as commands you can apply to the
current container:
• If no objects are selected in the list, the menu includes only the commands that apply
to the current container. These commands are grouped under a heading that shows
the name of the current container.
• If a single object is selected in the list, the commands that apply to the selected
object are added at the top of the menu, under a heading that shows the name of the
selected object.
• If multiple objects are selected from the list, the commands that apply to all of the
selected objects are added at the top of the menu, under a heading that shows the
number of the selected objects.

Summary pane
When you select an object from the list, information about that object is displayed in the
Summary pane under the list of objects. The information includes some commonly used
properties of the object, and depends upon the object type. For example, user properties
provide more detailed information about a user account, such as the logon name, e-mail
address, description, job title, department, expiration date, and the date and time that the
account was last changed. If you don’t see the Summary pane, click in the area beneath
the list of objects.

Object property pages


Property pages are used in the Web Interface to modify directory objects. The following
figure gives an example of the property page that appears when you select a user account
from the list of objects and click General Properties in the Command pane.

Figure 1: Object Property page

The property page consists of several tabs. Each tab provides a number of data entries
allowing you to view or change certain properties of the directory object. Click a tab to
access the data entries on that tab. To apply the changes you have made in the data
entries, click the Save button.
Active Roles Admin can use the Customize link in the upper right corner of the page to add
or remove data entries or entire tabs from the property page. The Customize link is not
displayed unless you are logged on as a member of the Active Roles Admin account, which
is specified in the configuration settings of the Active Roles Administration Service.

Notification and Feedback


On the upper right corner, you can view the Feedback option, Active Roles drop-down
menu, and a Notification icon.
• Feedback option: Allows you to provide product feedback.
• Active Roles drop-down menu: Allows you to know more about the new features in
the current version, access online-help, and configure settings.
• Notification icon: Allows you to view the notifications.

Managing the list of objects
The list of objects in the Web Interface has a number of features that help you locate the
objects you target. Thus, you can sort objects in a list and apply a filter to a list. You can
also add or remove list columns.

Sorting and filtering the list of objects


The Web Interface allows you to set a sort order and apply a filter in the list of objects.

To sort the list of objects by name


• Click the Name column heading once or twice to sort the list by object name
in ascending or descending order. An arrow in the column heading indicates
the sort order.

You can also sort the list by other columns. Click a column heading to change the sort
order. For instructions on how to add or remove columns, see Adding or removing columns
from the list of objects later in this document.

To filter the list of objects


• To filter the list by naming properties, type in the Filter field on the Toolbar and then
press Enter or click the button next to the Filter field. As a result, the list includes only
the objects whose naming properties match what you typed. The naming properties
include name, first name, last name, display name, and logon name.
• To filter the list by other properties, click the button on the right side of the Toolbar to
expand the Toolbar, click Add criteria, choose the properties by which you want to
filter, click Add, and then configure the criteria as appropriate. When finished, press
Enter or click the button next to the Filter field on the Toolbar. As a result, the list
includes only the objects that match the criteria you configured.

After you have applied a filter, the list includes only the objects that match the filter. For
example, you can type a few characters in the Filter field on the Toolbar and then press
Enter to view only the objects whose name starts with the characters you typed.

To remove the filter and restore the original list of objects


• If you did not add criteria, clear the Filter field on the Toolbar and then press Enter;
otherwise, expand the Toolbar, click Clear all, and then press Enter.

Adding or removing columns from the list of objects
You can customize the list of objects by adding or removing list columns. Each column
is intended to display a certain property of objects in the list, and can be used to set
a sort order.

To add or remove list columns

1. Click the Menu button on the left side of the Toolbar, and then click Choose
columns.
2. To add a column for a certain property, click the name of the property in the Hidden
columns list and then click the right arrow button to move the property to the
Displayed columns list.
3. To remove a column for a certain property, click the name of the property in the
Displayed columns list and then click the left arrow button to move the property to
the Hidden columns list.

You can reorder list columns by moving list items up and down in the Displayed columns
list: Click the name of the property in the list and then click the up arrow button or the
down arrow button next to the list.

Locating directory objects


The Web Interface provides search and filtering tools to help you locate directory objects
quickly and easily. By creating and applying an appropriate search or filter query, you can
build shorter lists of objects, which makes it easier to select the objects needed to
accomplish your administrative tasks.
You can also save search and filter queries as your personal views, and use them again at a
later time. Each view saves the following settings that you specify: the container to search
or filter; the search or filtering criteria; the set of columns and the sort order in the list of
search or filtering results.

Searching for directory objects


To search for directory objects, you can use the Search page that allows you to select the
container to search and specify criteria for the objects you want to find. The Web Interface
searches in the container you select and in all of its subcontainers.
The Web Interface opens the Search page when you do any of the following:

• Type in the Search field located in the upper right corner of the Web Interface
window, and then press Enter or click the magnifying glass icon in the Search field. In
this case, the Web Interface searches all managed Active Directory domains for
objects whose naming properties match what you typed and the Search page lists
the search results. The naming properties include name, first name, last name,
display name, and logon name.
• Click Search on the Navigation bar. The Search page opens, allowing you to
configure and start a search.

To configure and start a search

1. Click the Search in box on the Toolbar, and then select the container that you want
to search. You can select more than one container.
The Web Interface will search in the selected container and all of its subcontainers.
2. Specify criteria for the objects that you want to find:
   • To search by naming properties, type in the Search field on the Toolbar. The
   Web Interface will search for objects whose naming properties match what you
   typed. The naming properties include name, first name, last name, display
   name, and logon name.
   • To search by other properties, click the button on the right side of the Toolbar
   to expand the Toolbar, click Add criteria, choose the properties by which you
   want to search, click Add, and then configure the criteria as appropriate. The
   Web Interface will search for objects that match the criteria that you
   configured.
3. Press Enter to start the search.

The search results are listed on the Search page. You can customize the list by adding or
removing list columns and sorting the list by column data. To add or remove list columns,
click the Menu button on the left side of the Toolbar and then click Choose columns (see
also Adding or removing columns from the list of objects earlier in this document). To sort
the list by column data, click column headings.

Example: Searching by object type


The following steps demonstrate how you can use the search function to list all groups that
exist in the Active Directory domains managed by Active Roles:

1. Click Search on the Navigation bar.


2. Click the button on the right side of the Toolbar to expand the Toolbar, click Add
criteria, select the check box next to Object type is
User/InetOrgPerson/Computer/Group/Organizational Unit, and then click
the Add button.
3. On the Toolbar, click Group in the list next to The object type is, and then
press Enter.

Filtering the contents of a container
If a container, such as an organizational unit in your Active Directory, holds a large number
of objects, you can narrow down the displayed list of objects by filtering the objects held in
that specific container.

To filter the objects held in a container

1. Navigate to the container in the Web Interface.


To navigate to a container, you can search for the container object (see Searching for
directory objects) and then click its name in the list of search results on the Search
page. Alternatively, you can browse for the container objects by using the Browse
pane and the List of objects.

IMPORTANT: The scope of filtering is always set to the current container, and
does not include any subcontainers of that container. Filtering is essentially a
search for objects held in a given container only. If you want to search the
current container and all of its subcontainers, click Search under this
container in the Command pane, and then configure and perform a search as
described in Searching for directory objects earlier in this document.

2. Specify how you want to filter the objects held in the container:
   • To filter objects by naming properties, type in the Filter field on the Toolbar and
   then press Enter or click the button next to the Filter field. The list of objects
   will include only the objects whose naming properties match what you typed.
   The naming properties include name, first name, last name, display name, and
   logon name.
   • To filter objects by other properties, click the button on the right side of the
   Toolbar to expand the Toolbar, click Add criteria, choose the properties by
   which you want to filter, click Add, and then configure the criteria as
   appropriate. The list of objects will include only the objects that match the
   criteria you configured.
3. To apply the filter, press Enter or click the button next to the Filter field on
the Toolbar.

When a filter is applied to a container, the Web Interface lists a subset of all objects held in
that container. You can remove the filter to view all objects: If you did not add criteria,
clear the Filter field on the Toolbar and then press Enter; otherwise, expand the Toolbar,
click Clear all, and then press Enter.
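The difference in scope between filtering (current container only) and searching (selected containers and all of their subcontainers) is easy to misjudge when reviewing who or what a list really covers. The following Python sketch is an added example over a constructed directory, not Active Roles code; the entries, the function names, and the assumption that naming properties are matched by prefix are illustrative.

```python
from dataclasses import dataclass, field

# Naming properties the guide lists for the Filter and Search fields.
NAMING_PROPERTIES = ("name", "first_name", "last_name", "display_name", "logon_name")


@dataclass
class Entry:
    dn: str                      # constructed distinguished name
    object_type: str
    props: dict = field(default_factory=dict)


def parent_dn(dn: str) -> str:
    """Return the container part of a DN, honouring escaped commas (\\,)."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2               # skip the escaped character
            continue
        if dn[i] == ",":
            return dn[i + 1:]
        i += 1
    return ""


def in_scope(dn: str, container: str, subtree: bool) -> bool:
    parent = parent_dn(dn)
    if not subtree:              # filtering: direct children only
        return parent.lower() == container.lower()
    while parent:                # searching: any depth below the container
        if parent.lower() == container.lower():
            return True
        parent = parent_dn(parent)
    return False


def matches(entry: Entry, text: str, object_type) -> bool:
    if object_type and entry.object_type != object_type:
        return False
    if not text:
        return True
    needle = text.lower()        # assumption: prefix match, case-insensitive
    return any(str(entry.props.get(p, "")).lower().startswith(needle)
               for p in NAMING_PROPERTIES)


def filter_container(entries, container, text="", object_type=None):
    """Filter: scope is the current container, without subcontainers."""
    return sorted(e.props["name"] for e in entries
                  if in_scope(e.dn, container, subtree=False)
                  and matches(e, text, object_type))


def search(entries, containers, text="", object_type=None):
    """Search: scope is every selected container and all of its subcontainers."""
    return sorted(e.props["name"] for e in entries
                  if any(in_scope(e.dn, c, subtree=True) for c in containers)
                  and matches(e, text, object_type))


# Constructed sample directory.
ROOT = "DC=example,DC=com"
SALES = "OU=Sales," + ROOT
EMEA = "OU=EMEA," + SALES
DIRECTORY = [
    Entry(SALES, "Organizational Unit", {"name": "Sales"}),
    Entry(EMEA, "Organizational Unit", {"name": "EMEA"}),
    Entry("CN=Ann Lee," + SALES, "User",
          {"name": "Ann Lee", "first_name": "Ann", "last_name": "Lee", "logon_name": "alee"}),
    Entry("CN=Lee\\, Bob," + EMEA, "User",
          {"name": "Lee, Bob", "first_name": "Bob", "last_name": "Lee", "logon_name": "blee"}),
    Entry("CN=Sales Leads," + SALES, "Group", {"name": "Sales Leads"}),
    Entry("CN=Lena Ortiz,OU=HR," + ROOT, "User",
          {"name": "Lena Ortiz", "first_name": "Lena", "last_name": "Ortiz", "logon_name": "lortiz"}),
]

if __name__ == "__main__":
    print("filter Sales:", filter_container(DIRECTORY, SALES, "le"))
    print("search Sales:", search(DIRECTORY, [SALES], "le"))
```

With the same text typed, the filter on Sales misses the account held in the EMEA subcontainer, while the search started from Sales returns it.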

Example: Filtering by object type


The following steps demonstrate how you can configure a filter that lists only user accounts
held in a particular organizational unit, removing objects of any other type from the list:

1. Navigate to the organizational unit in the Web Interface.
2. Click the button on the right side of the Toolbar to expand the Toolbar, click Add
criteria, select the check box next to Object type is
User/InetOrgPerson/Computer/Group/Organizational Unit, and then click
the Add button.
3. On the Toolbar, confirm that the field next to The object type is reads User and
then click the button next to the Filter field, or press Enter.

Using personal views


In the Web Interface, you can use search or filter queries to locate directory objects. To
create a query, you specify a set of rules that determine the contents of the resulting list of
objects. You can, for instance, specify that only user accounts held in a particular
organizational unit should be listed. In addition, you can adjust the set of columns and the
sort order in the list of search or filtering results.
The ability to locate the objects you target is crucial as you need to focus your attention on
only those objects that apply to the task you are performing. However, creating a search or
filter query that displays the objects you are interested in for a particular task can be time-
consuming. Personal views provide a way for you to save that work. Once you have created
a query that displays just the objects you need, you can provide the query with a name and
save it to use later. That saved query is a personal view. Each view saves the following
settings that you specify: the container to search or filter; the search or filtering criteria;
the set of columns and the sort order in the list of search or filtering results.

Creating a personal view


Personal views are like search or filter queries that you have named and saved. After
creating a personal view, you will be able to reuse it without re-creating its underlying
search or filter query. To reuse a personal view, click the name of that view on the Views
tab in the Browse pane. The Web Interface applies the search or filter query saved in the
view, and displays the results in the list with the same set of columns and sort order as
when you created the view.

To create a personal view

1. Do one of the following:


   • Configure and perform a search. For instructions, see Searching for
   directory objects.
   • Create a filtered list of objects. For instructions, see Filtering the contents of
   a container.
2. Click the Menu button on the left side of the Toolbar, and then click Save
current view.

3. In the dialog box that appears, type a name for the personal view, and then
click Save.

Changing a personal view


The personal views that you created are listed on the Views tab in the Browse pane. When
you select a view in the Browse pane, the Web Interface applies the search or filter query saved
in the view, and displays the results in the list with the same set of columns and sort order
as when you created the view. At this point, you can make changes to the search or filter
criteria, set of columns and sort order, and then save the changed settings to the selected
personal view or create a new personal view based on the changed settings.

To save the changed settings to the selected personal view

1. Select a personal view in the Browse pane.


2. Make changes to the search or filter criteria, list columns or sort order.
3. Click the Menu button on the left side of the Toolbar, and then click Save
current view.
4. In the dialog box that appears, don’t change the name of the view. Click Save.

To create a new personal view based on the changed settings

1. Select a personal view in the Browse pane.


2. Make changes to the search or filter criteria, list columns or sort order.
3. Click the Menu button on the left side of the Toolbar, and then click Save
current view.
4. In the dialog box that appears, type a name for the new personal view and
then click Save.

You can also rename or delete personal views.

To rename a personal view


• On the Views tab in the Browse pane, click the Edit button next to the name of the
view, type a new name, and then press Enter or click the Edit button once more.

To delete a personal view


• On the Views tab in the Browse pane, click the Delete button next to the name
of the view.

Performing Management Tasks

• Managing your personal account
• Managing Active Directory objects
• Running an automation workflow
• Managing temporal group memberships
• Managing AD LDS data
• Managing computer resources
• Restoring deleted objects

Managing your personal account


The User Profile Editor section in the Web Interface site for self-administration gives you
a convenient way to display and update your own identity information, such as your
telephone numbers or mail address in your user account. The contents of the pages in the
User Profile Editor section can be customized by the Active Roles administrator, who can
add new elements to the pages, modify or remove existing elements, and regroup related
elements on different tabbed pages.

To view or modify your user account

1. In your Web browser, go to the address (URL) of the Web Interface site for self-
administration.
By default, the address is http://<server>/ARWebSelfService where <server>
stands for the name of the server running the Web Interface.

2. On the Web Interface Home page, click User Profile Editor.


3. Use the page provided by the Web Interface to view or modify your user account.
4. Click the Save button to apply your changes.

It’s up to the Active Roles administrator to determine what information you are authorized
to view or modify on the User Profile Editor page. Some fields on the page might not be
editable. The fields that you are not permitted to modify appear on the page as read-only
text. The properties that you are not permitted to view are not displayed on the User
Profile Editor page.

Managing Active Directory objects
The Directory Management section of the Web Interface allows you to browse for, and
administer, directory objects in your organization. You can navigate through containers in
the directory; view, filter and select objects held in the container; and apply commands to
the selected object or container.
Whether you can perform a certain management task depends upon permissions granted
to your user account, and the Web Interface customization settings.
A general procedure for performing a Directory Management task is as follows.

To perform a management task

1. On the Navigation bar, click Directory Management.


2. On the Views tab in the Browse pane, click one of the following:
   • To manage objects in Active Directory containers, such as domains or
   organizational units, click Active Directory. This displays a list of Active
   Directory domains.
   • To manage directory objects in a certain Managed Unit, click Managed Units.
   This displays a list of Managed Units.
3. In the list of objects, do one of the following:
   • To navigate to a container, such as an organizational unit, click the name of
   that container.
   • To perform a command that applies to the current container, click that
   command in the Command pane under the name of the current container.
   • To perform a command on a particular object held in the current container,
   select the check box next to the name of that object, and then click the
   command in the top area of the Command pane, under the name of the object.
   • To perform a command on two or more objects at a time, select the check box
   next to the name of each object, and then click the command in the top area of
   the Command pane.
NOTE: In the list of objects, clicking the name of a leaf object such as a user or
group, displays a page where you can view or modify object properties; clicking a
container object such as a domain or an organizational unit, displays a list of
objects held in that container.

When you perform a management task, the Web Interface supplements and restricts your
input based on policies and permissions defined in Active Roles. The Web Interface displays
the data generated by policies, and prevents the input of data that would cause policy
violations. The following rules apply:
- If a policy requires that a value be specified for a particular property, the name of the
  field for that property is marked with an asterisk (*).

- If a policy imposes any restrictions on a property, an information icon is displayed
  next to the name of the field for that property. Click the icon to view policy
  information, which you can use to enter an acceptable value.
- When you specify a property value that violates a policy, and click Save, the
  Web Interface displays an error message. Review the error message and
  correct your input.
- Pages for object creation must include the entries for all required properties.
  Otherwise, the Web Interface fails to create the object. For information on how to
  configure forms, see “Configuring forms” in the Active Roles Web Interface
  Administration Guide.
- Object property pages display the values of the properties for which you have the
  Read permission. You can modify only those properties for which you have the Write
  permission. The properties for which you only have the Read permission are
  displayed as read-only.
- The Command pane includes only the commands that you are permitted to use.
- The list of objects includes only the objects that you are permitted to view.

Batch operations
In the Web Interface, you can select multiple objects (such as users, groups and
computers), and then apply a certain command to your selection of objects. This allows you
to perform a batch operation on all the selected objects at a time instead of executing the
command on each object separately. The Web Interface supports the following batch
operations:
- Delete: Allows you to delete multiple objects at a time.
- Deprovision: Allows you to deprovision multiple users or groups at a time.
- Move: Allows you to move a batch of objects to a different organizational unit
  or container.
- Add to groups: Allows you to add a batch of objects to one or more groups of
  your choice.
- Update object attributes: Allows you to perform bulk attributes operations on
  multiple users at a time.
- Reset Password: Allows you to reset the password for multiple users at a time.

Batch operations are available in the list of objects on the following Web Interface pages:
- Search: This page lists the search results when you perform a search.
- View Contents: This page displays the objects held in a given organizational unit,
  Managed Unit, or container.

To perform a batch operation, select the check box next to the name of each of the desired
objects in the list, and then click a command in the top area of the Command pane. This
executes the command on each object within your selection.

NOTE: Active Roles administrators can customize the Web Interface by adding and removing
commands, and modifying pages associated with commands. For more information, see
“Customizing the Web Interface” in the Active Roles Web Interface Administration Guide.

Example 1: Enabling a user account


This topic demonstrates how to enable a disabled user account by using the Web Interface.

To enable a disabled user account

1. Locate the user account you want to enable. For instructions on how to locate objects
in the Web Interface, see Locating directory objects earlier in this document.
2. In the list of objects, select the user account you want to enable.
3. In the Command pane, click Enable Account.

NOTE: If the user account is not disabled, the Command pane includes the Disable
Account command instead of the Enable Account command.

Example 2: Adding a user to a group


This topic demonstrates how to add a user account to a group by using the Web Interface.

To add a user account to a group

1. In the Web Interface locate and select the user account. For instructions on how
to locate objects in the Web Interface, see Locating directory objects earlier in
this document.
2. In the Command pane, click Member Of.
3. On the Member Of page that appears, click Add.
4. On the Select Object page that appears, perform a search to locate the group. For
instructions on how to configure and start a search, see Searching for directory
objects earlier in this document.
5. In the list of search results on the Select Object page, select the group to which you
want to add the selected user account, and then click Add.

Running an automation workflow


Workflow refers to a sequence of actions that leads to the completion of a certain task.
Active Roles allows administrators to configure various workflows that can be started on a
scheduled basis or on user demand. This workflow type is called automation workflow. For
more information, see “Automation workflow” in the Active Roles Administration Guide.

If an automation workflow is configured so that running it on demand is allowed, then such
a workflow can be run from the Web Interface.

To run an automation workflow from the Web Interface

1. On the Navigation bar, click Directory Management.


2. On the Tree tab in the Browse pane, expand the Workflow branch and click the
container that holds the desired workflow.
3. In the list of objects, select the desired workflow.
4. In the Command pane, click Run.
5. If prompted, review or change the values of the workflow parameters.
6. Click OK in the confirmation message box.

The Web Interface prompts you for parameter values if the workflow has any parameters
that need to be supplied by the user running the workflow on demand. If the workflow has
no parameters that require user input, then the Web Interface starts the workflow without
prompting you for parameter values.
Once you have started an automation workflow, the Web Interface opens a run history
report allowing you to examine the progress of workflow execution. The report displays the
workflow execution status along with information about the activities performed during
the workflow run. For a workflow that is in progress, you have the option to cancel execution
of the workflow by clicking the Terminate button.
After the workflow is completed, the report retains history information about the workflow
run. For each completed run of the workflow, the report allows you to identify when and by
whom the workflow was started, when the workflow was completed, and what parameter
values were used.
The report also lists the workflow activities that were executed during the workflow run. For
each activity, you can determine whether the activity was completed successfully or
returned an error. In case of error, the report provides an error description. For activities
requesting changes to directory data (for example, activities that create new objects or
modify existing objects), you can examine the requested changes in detail by clicking the
Operation ID number in the run history report.

To view run history of an automation workflow in the Web Interface

1. On the Navigation bar, click Directory Management.


2. On the Tree tab in the Browse pane, expand the Workflow branch and click the
container that holds the desired workflow.
3. In the list of objects, select the desired workflow.

4. In the Command pane, click Run History.

Managing temporal group memberships
By using temporal group memberships, you can manage group memberships of objects
such as user or computer accounts that need to be members of particular groups for only a
certain time period. This feature gives you flexibility in deciding and tracking what objects
need group memberships and for how long.
This section guides you through the tasks of managing temporal group memberships in the
Web Interface. If you are authorized to view and modify group membership lists, then you
can add, view and remove temporal group members as well as view and modify temporal
membership settings on group members.

Adding temporal members


A temporal member of a group is an object, such as a user, computer or group, scheduled
to be added to or removed from the group. You can add and configure temporal members
using the Web Interface.

To add temporal members of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. On the Members page, click Add.
3. In the Select Object dialog box find and select the objects that you want to make
temporal members of the group, and then click Temporary Access.
4. In the Temporal Membership Settings dialog box, choose the appropriate
options, and then click OK:
   - To have the temporal members added to the group on a certain date in the
     future, select On this date under Add to the group, and choose the date and
     time you want.
   - To have the temporal members added to the group at once, select Now under
     Add to the group.
   - To have the temporal members removed from the group on a certain date,
     select On this date under Remove from the group, and choose the date
     and time you want.
   - To retain the temporal members in the group for an indefinite time, select Never
     under Remove from the group.
   NOTE: You can make an object a temporal member of particular groups by
   managing the object rather than the groups. Select the object, and then choose the
   Member Of command. On the Member Of page, click Add. In the Select Object
   dialog box, find and select the groups, and specify the temporal membership
   settings as appropriate for your situation.

Viewing temporal members
In the list of group members displayed by the Web Interface, you can distinguish between
regular and temporal group members. It is also possible to hide or display so-called
pending members, the temporal members that are scheduled to be added to the group in
the future but are not actual members of the group so far.

To view temporal members of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. Review the list on the Members page:
   - An icon of a small clock overlays the icon for the temporal members.
   - If the Show pending members check box is selected, the list also includes
     the temporal members that are not yet added to the group.

The list of group memberships for a particular object makes it possible to distinguish
between the groups in which the object is a regular member and the groups in which the
object is a temporal member. It is also possible to hide or display so-called pending group
memberships, the groups to which the object is scheduled to be added in the future.

To view groups in which an object is a temporal member

1. In the Web Interface, select the object, and then choose the Member Of command.
2. Review the list on the Member Of page:
   - An icon of a small clock overlays the icon for the groups in which the object is a
     temporal member.
   - If the Show pending group memberships check box is selected, the
     list also includes the groups to which the object is scheduled to be added
     in the future.

Rescheduling temporal group memberships


The temporal membership settings on a group member include the start time and end
time settings.
The start time setting specifies when the object is to be actually added to the group. This
can be a specific date and time or an indication that the object should be added to the group
right away.
The end time setting specifies when the object is to be removed from the group. This
can be a specific date and time or an indication that the object should not be removed
from the group.
You can view or modify both the start time and end time settings using the Web Interface.

To view or modify the start or end time setting for a member of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. In the list on the Members page, select the member and then click the Temporary
Access button.
3. Use the Temporal Membership Settings dialog box to view or modify the start or
end time settings.

The Temporal Membership Settings dialog box provides the following options:
- Add to the group | Now: Indicates that the object should be added to the
  group at once.
- Add to the group | On this date: Indicates the date and time when the object
  should be added to the group.
- Remove from the group | Never: Indicates that the object should not be removed
  from the group.
- Remove from the group | On this date: Indicates the date and time when the
  object should be removed from the group.

Regular members have the Add to group and Remove from group options set to
Already added and Never, respectively. You can set a particular date for any of these
options in order to convert a regular member to a temporal member.
NOTE:
- You can view or modify the start time and end time settings by managing an object
  rather than the groups in which that object has memberships. Select the object,
  and then choose the Member Of command. On the Member Of page, select the
  group for which you want to manage the object’s start or end time setting and click
  Temporary Access.
- On the Members or Member Of page, you can change the start or end time
  setting for multiple members or groups at a time. On the page, select multiple list
  items, click Temporary Access, and then, in the Temporal Membership
  Settings dialog box, make the changes you want.

Removing temporal members


You can remove temporal group members in the same way as regular group members.
Removing a temporal member of a group deletes the temporal membership settings for
that object with respect to that group. As a result, the object will not be added to the
group. If the object already belongs to the group at the time of removal, then it is
removed from the group.

To remove a temporal member of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. On the Members page, select the member, and click Remove.

NOTE: You can remove an object that is a temporal member of a group by managing the
object rather than the group. Select the object, and then choose the Member Of
command. On the Member Of page, select the group from the list and click Remove.

Managing AD LDS data


You can use the Web Interface to manage directory data in Microsoft Active Directory
Lightweight Directory Services (AD LDS). Similarly to Active Directory domains, directory
data can be managed in only the AD LDS instances that are registered with Active Roles
(managed AD LDS instances).
The application directory partitions found on the managed AD LDS instances are grouped
together in the AD LDS (ADAM) container, thus making it easy to locate the AD LDS data.
Each directory partition is represented by a separate container (node) so you can browse
the partition tree the same way you do for an Active Directory domain.
The Web Interface supports a wide range of administrative operations on AD LDS users,
groups and other objects, so you can create, view, modify, and delete directory objects,
such as users, groups, containers and organizational units, in AD LDS the same way you do
when managing data in Active Directory.

To browse the directory tree in AD LDS directory partitions

1. On the Navigation bar, click Directory Management.


2. In the Browse pane, click the Tree tab.
3. On the Tree tab, do the following:
a. Expand the AD LDS (ADAM) container.
b. Under AD LDS (ADAM), expand a directory partition object to view its top-
level containers.
c. Expand a top-level container to view the next level of objects in that container.
4. Do one of the following:
   - To move down a directory tree branch, continue expanding the next lowest
     container level on the Tree tab.
   - To administer a directory object at the current directory level, click a container
     on the Tree tab and use the instructions that follow.

To manage directory data in AD LDS


1. On the Tree tab in the Browse pane, under AD LDS (ADAM), click the container that holds
the data you want to manage.
2. In the list of objects, select the object that represents the directory data you
want to manage.
3. Use commands in the Command pane to perform management tasks.

NOTE: In the list of objects, clicking the name of a leaf object, such as a user or group,
displays a page intended to view or modify object properties; clicking a container
object, such as a partition or an organizational unit, displays a list of objects held in
that container.

Managing computer resources


You can use the Web Interface to manage the following computer resources:
- Services: Start or stop a service, view or modify properties of a service.
- Network file shares: Create a file share, view or modify properties of a file share,
  stop sharing a folder.
- Logical printers: Pause, resume or cancel printing, list documents being printed,
  view or modify properties of a printer.
- Documents being printed (print jobs): Pause, resume, cancel or restart printing
  of a document, view or modify properties of a document being printed.
- Local groups: Create or delete a group, add or remove members from a group,
  rename a group, view or modify properties of a group. Unavailable on domain
  controllers.
- Local users: Create or delete a local user account, set a password for a local user
  account, rename a local user account, view or modify properties of a local user
  account. Unavailable on domain controllers.
- Devices: View or modify properties of a logical device, start or stop a logical device.

To manage computer resources

1. In the Web Interface, locate the computer that hosts resources you want to manage.
For instructions on how to locate objects in the Web Interface, see Locating directory
objects earlier in this document.
2. Select the computer in the list of objects, and then click Manage in the
Command pane.
3. In the list of resource types, click the type of resource you want to manage.
4. In the list of objects that appears, select the resource you want to manage.
5. Use commands in the Command pane to perform management tasks on the
selected resource.

To manage print jobs

1. Repeat Steps 1–2 of the previous procedure, to start managing computer resources.
2. In the list of resource types, click Printers to view a list of printers found on the
computer you selected.
3. In the list of printers, select a printer whose print jobs you want to manage.
4. In the Command pane, click Print Jobs to view a list of documents being printed.

5. In the list of documents, select a document to pause, resume, restart, or
cancel printing.
6. Use commands in the Command pane to perform management tasks on the
selected document.

Restoring deleted objects


The Web Interface can be used to restore deleted objects in any managed domain that is
configured to enable Active Directory Recycle Bin—a feature of Active Directory Domain
Services introduced in Microsoft Windows Server 2008 R2.
To undo deletions, Active Roles relies on the ability of Active Directory Recycle Bin to
preserve all attributes, including the link-valued attributes, of the deleted objects. This
makes it possible to restore deleted objects to the same state they were in immediately
before deletion. For example, restored user accounts regain all group memberships that
they had at the time of deletion.
This section provides instructions on how to restore deleted objects by using the Web
Interface. For more information, see the “Recycle Bin” chapter in the Active Roles
Administration Guide.

Locating deleted objects


If Active Directory Recycle Bin is enabled in a managed domain, the Web Interface provides
access to the Deleted Objects container that holds the deleted objects from that domain.
On the Tree tab in the Browse pane, the Deleted Objects container appears at the same
level as the domain object, under the Active Directory node. If multiple managed
domains have Active Directory Recycle Bin enabled, then a separate container is displayed
for each domain. To tell one container from another, the name of the container includes the
domain name (for example, MyDomain.MyCompany.com - Deleted Objects).
When you select the Deleted Objects container, the Web Interface lists all the deleted
objects that exist in the corresponding domain. The list can be sorted or filtered as
appropriate to locate particular objects (see Managing the list of objects earlier in this
document). If you click an object in the list, a menu appears that displays all actions you
can perform on that object.

Searching the Deleted Objects container


To locate deleted objects, you can perform a search in the Deleted Objects container:

1. On the Tree tab in the Browse pane, click the Deleted Objects container.
2. In the Command pane, click Search under this container.

3. Specify criteria for the deleted objects that you want to find:
   - To search by naming properties, type in the Search field on the Toolbar. The
     Web Interface will search for objects whose naming properties match what you
     typed. The naming properties include name, first name, last name, display
     name, and logon name.
   - To search by other properties, click the button on the right side of the Toolbar
     to expand the Toolbar, click Add criteria, choose the properties by which you
     want to search, click Add, and then configure the criteria as appropriate. The
     Web Interface will search for objects that match the criteria that you
     configured.
4. Press Enter to start the search.

Locating objects deleted from a certain OU or MU


To view a list of objects that were deleted from a particular Organizational Unit (OU) or
Managed Unit (MU), you can use the View or Restore Deleted Objects command. The
command opens a page that lists the deleted objects that were direct children of the
corresponding OU or MU at the time of deletion.

To view a list of objects that were deleted from a particular OU or MU

1. Select the OU or MU that held deleted objects you want to view.


2. In the Command pane, click View or Restore Deleted Objects.

The Web Interface lists the objects that were deleted from the OU or MU you selected. The
list can be sorted or filtered as appropriate to locate particular objects (see Managing the
list of objects earlier in this document).
NOTE: The View or Restore Deleted Objects command is also available on domain
and container objects.

Restoring a deleted object


You can restore deleted objects by using the Restore command that is available in the
Command pane when you select a deleted object in the Web Interface.

To restore a deleted object

1. In a list of deleted objects, select the object you want to undelete. For instructions on
how to build a list of deleted objects, see Locating deleted objects.
2. In the Command pane, click Restore.
3. Review and, if necessary, change the settings in the Restore Object dialog box, and
then click OK to start the restore process.

The Restore Object dialog box prompts you to choose whether the deleted child objects
(descendants) of the deleted object should also be restored. The Restore child objects
check box is selected by default, which ensures that the Restore command applied on a
deleted container restores the entire contents of the container.
NOTE: When restoring a deleted object, ensure that its parent object is not deleted. You
can identify the parent object by viewing properties of the deleted object: the canonical
name of the parent object, preceded with the “Deleted from:” label, is displayed beneath
the name of the deleted object on the property page for that object. If the parent object
is deleted, you need to restore it prior to restoring its children because deleted objects
must be restored to a live parent.
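
The parent check described in the NOTE above can also be done before you open the Restore Object dialog box. The following is an added example, not part of the original guide and not One Identity code: a read-only helper (the name Get-DeletedAncestorChain is hypothetical) that uses the Microsoft ActiveDirectory PowerShell module to list the deleted ancestors of a deleted object, topmost first, which is the order in which they have to be restored. It assumes that Active Directory Recycle Bin is enabled and that lastKnownParent of a deleted child holds the deleted distinguished name of its parent, which carries the \0ADEL:<objectGUID> marker.

```powershell
# Added example (not One Identity code). Read-only: it queries Active Directory
# and restores nothing. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DeletedAncestorChain {
    [CmdletBinding()]
    param(
        # objectGUID of the deleted object you intend to restore
        [Parameter(Mandatory)]
        [guid]$ObjectGuid,

        # Optional domain controller to query
        [string]$Server
    )

    # Parameters shared by every lookup; deleted objects are only returned
    # when -IncludeDeletedObjects is specified.
    $query = @{
        IncludeDeletedObjects = $true
        Properties            = 'isDeleted', 'lastKnownParent', 'msDS-LastKnownRDN'
        ErrorAction           = 'Stop'
    }
    if ($Server) { $query['Server'] = $Server }

    $target = Get-ADObject -Identity $ObjectGuid @query
    if (-not $target.isDeleted) {
        throw "Object $ObjectGuid is not a deleted object."
    }

    $chain   = New-Object 'System.Collections.Generic.List[object]'
    $visited = @{}          # guards against looping on inconsistent data
    $current = $target

    # A deleted object's DN contains "\0ADEL:<objectGUID>". While the last known
    # parent carries that marker, the parent is itself in Deleted Objects.
    while ("$($current.lastKnownParent)" -match '\\0ADEL:(?<guid>[0-9a-fA-F-]{36})') {
        $parentGuid = [guid]$Matches['guid']
        if ($visited.ContainsKey($parentGuid)) { break }
        $visited[$parentGuid] = $true

        # Look the parent up by GUID to avoid escaping problems with deleted DNs.
        $parent = Get-ADObject -Identity $parentGuid @query
        if (-not $parent.isDeleted) { break }   # parent is live again

        # Insert at the front so the topmost deleted ancestor comes first.
        $chain.Insert(0, [pscustomobject]@{
            RestoreOrder    = 0
            Name            = $parent.'msDS-LastKnownRDN'
            ObjectGuid      = $parent.ObjectGUID
            LastKnownParent = $parent.lastKnownParent
        })
        $current = $parent
    }

    # Number the entries in the order they must be restored.
    for ($i = 0; $i -lt $chain.Count; $i++) { $chain[$i].RestoreOrder = $i + 1 }
    return $chain
}

# Usage (placeholder GUID, replace with the objectGUID of the deleted object):
# Get-DeletedAncestorChain -ObjectGuid '00000000-0000-0000-0000-000000000000' |
#     Format-Table RestoreOrder, Name, LastKnownParent -AutoSize
```

An empty result means the last known parent is live and the object can be restored directly; otherwise restore the listed parents in RestoreOrder first.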

Using Approval Workflow

- Understanding approval workflow
- Locating approval items
- Using “My Tasks”
- Using “My Operations”

Understanding approval workflow


The approval workflow system included with Active Roles provides:
- A point-and-click interface to configure approval rules, available from the Active
  Roles console. The approval rules are stored and performed by the Active Roles
  Administration Service.
- The directory management section of the Web Interface for submitting operation
  requests for approval. For example, approval rules could be configured so that
  creation of a user account starts an approval workflow instead of immediately
  executing the user creation operation. For information on how to use the directory
  management section, see Managing Active Directory objects earlier in this document.
- The Approval area of the Web Interface to manage operation requests and
  approvals. This area includes a “to-do” list of the approval tasks the designated user
  has to carry out, allowing the user to approve or reject operation requests.

The Approval area provides a way to perform change approval actions, allowing you to
control changes to directory data that require your approval and monitor your operations
that require approval by other persons. You can use the Approval area to:
- Perform approval tasks: approve or reject operations so as to allow or deny the
  requested changes to directory data. Examples of operations include (but are not
  limited to) creation and modification of user accounts or groups.
- Check the status of your operations: examine whether the changes to directory data
  you requested are approved and applied, or rejected.

When a Web Interface user makes changes to directory data that require permission from
other individuals in an organization, the changes are not applied immediately. Instead, an
operation is initiated and submitted for approval. This starts a workflow that coordinates
the approvals needed to complete the operation. The operation is performed and the
requested changes are applied only after approval. An operation may require approval from
one person or from multiple persons.
When an operation is submitted for approval, Active Roles tracks the initiator and the
approver or approvers. The initiator is the person who requested the changes. Approvers
are those who are authorized to allow or deny the changes. An operation that requires
approval generates one or more approval tasks, with each approval task assigned to the
appropriate approver. Active Roles administrators configure approval workflow by creating
approval rules to specify what changes require approval and who is authorized to approve
or deny change requests.
In the Approval area, you can work with the operations for which you are assigned to the
approver role. As an approver, you are expected to take appropriate actions on your
approval tasks.

To access the Approval area


- On the Web Interface Home page, click in the Approval box.

Locating approval items


The Approval area provides a number of views to help you locate approval items—tasks
and operations:
- My Tasks: Contains detailed entries representing the approval tasks assigned to
  you. Depending on their status, the approval tasks are distributed into two views.
  The Pending view allows you to manage the approval tasks awaiting your response.
  The Completed view lists your approval tasks that have been completed.
- My Operations: The Recent view lists your recent operations that required
  approval, and allows you to examine the status and details pertinent to each
  operation.

In addition to using the predefined views, you can locate operations and tasks by using the
search function.

To search for an operation or task by ID

1. In the right pane of the Web Interface page, under the Search label, type the ID
number of the operation or task in the Search by ID box.
2. Click the button next to the Search by ID box to start the search.

You can also search for approval items (operations and tasks) by properties other than
ID. For instance, you can find the operations that were initiated by a specific user.
Another example is the ability to locate approval tasks generated within a specific time
period. To access the advanced search function, click Advanced Search under the
Search label. Then, use the Advanced Search page to configure your search settings
and start a search.
Advanced search is the most comprehensive way to search for approval items such as
operations and tasks. Use it to find approval items based on their properties. You do this by
creating queries, which are sets of one or more rules that must be true for an item to be
found. An example of a query for operations is “Initiator is (exactly) John Smith.” This
specifies that you are searching for operations that have the Initiator property set to John
Smith’s user account.
With advanced search, you can use conditions and values to search for approval items
based on item properties (referred to as “fields” on the search page). Conditions are
limitations you set on the value of a field to make the search more specific. Each type of
item has a set of relevant fields and each type of field has a set of relevant conditions that
advanced search displays automatically.
Some fields, such as “Target object property,” require that you select a property to further
define your search. In this case, you configure a query to search for operations or tasks
specific to the approval of changes to the objects based on a certain property of those
objects. For example, to find the operations that request any changes to the “Description”
property, you could select the “Target object property” field, select the “Description”
property, and then choose the “Modified” condition.
Some conditions require a value. For example, if you select a Date field, the “Is between”
condition requires a date range value so you have to select a start date and an end date to
specify a date range. Another example is the Initiator field, which requires that you select a
user account of the Initiator role holder.
In some cases, a value is not required. For example, if you select the “Modified” condition,
a value is not necessary since this condition means that you want your search to be based on
any changes to a certain property, without considering what changes were actually
requested or made to the property value.
The following topics cover the predefined views of the Approval section.

Using “My Tasks”


You can use the My Tasks area to work with the approval tasks assigned to you as an
approver. According to their status, the tasks are distributed into two views: Pending
and Completed.
For information about the Pending view, see Pending tasks.
For information about the Completed view, see Completed tasks.

Pending tasks
The Pending view contains a list of your approval tasks to be completed. Each task in the
list is identified by a header area that provides basic information about the task such as a
unique ID number of the task, who requested the operation that is subject to approval,
when the task was created, the time limit of the task (if any), and the target object of the
operation. In the middle of a task’s header area is a section that contains the title of the
task (Approve operation by default), a label indicating the status of the task, and
summary information about the operation that is subject to approval.
The task’s header area contains the action buttons you can use to apply the appropriate
resolution to the approval task. The action buttons are displayed at the bottom of the
header area. Which buttons are displayed depends upon configuration of the approval rule.
You may encounter the following action buttons there:

• Approve: Click this button to allow the requested operation.
  Depending on configuration of the approval and policy rules, the Web Interface may
  request you to enter additional information that must be added to the operation
  request. For example, when you approve the operation of creating a user account,
  you may have to supply certain properties of the user account in addition to those
  supplied by the administrator who requested creation of that user account. If
  additional information is required, clicking Approve displays a page where you can
  supply the required information. You can also access that page by clicking the
  Examine task button.
• Reject: Click this button to deny the requested operation.
• Escalate: Click this button to assign the approval task to an approver of a
  higher level.
  This button is displayed if the approval rule has one or more approver levels (referred
  to as escalation levels) configured in addition to the initial approver level. Escalation
  levels are normally used to assign (escalate) the approval task automatically to the
  approver of a higher level if the task is not completed in time. The approval rule may
  be configured to allow approvers to escalate approval tasks as needed, in which case
  the task’s header area contains the Escalate button.
• Delegate: Click this button to assign the approval task to a different person. You can
  select the user account of the person to whom you want to assign the task.
  This button is displayed if the approval rule is configured with the option to allow
  approvers to reassign (delegate) their approval tasks to others.
• Custom buttons: The approval rule may add custom buttons to the task’s header
  area. The action that Active Roles performs when you click a custom button depends
  upon configuration of the workflow containing the approval rule. The administrator
  who configures the workflow should normally supply an instruction on the use of
  custom action buttons. To view the instruction, click the Examine task button. This
  opens a page containing the same action buttons that you see in the task’s header
  area. The instruction text is displayed above the action buttons on that page.

The task’s header area contains the Examine task button allowing you to get detailed
information about the task, review the object properties submitted for approval, and
supply or change additional properties. Clicking the Examine task button displays a
page containing a replica of the task’s header area, the action buttons, and a number
of information sections. Review the information on the page, supply or change the
object properties for which the task requests your input, and then click the appropriate
action button.
The page that appears when you click the Examine task button includes the following
information sections:
• Object properties
  The contents of this section depend heavily upon configuration of the approval rule.
  Thus the approval rule may request you to enter additional information that must be
  added to the operation request. For example, when you approve the operation of
  creating a user account, you may have to supply certain properties of the user
  account in addition to those supplied by the administrator who requested creation of
  that user account. In this case, enter the requested properties in the fields under
  Supply or change the following properties.
  Normally, the approval rule is configured so that the approver is allowed to review
  the values of the object properties that were supplied or changed by the operation
  that is subject to approval. The approval rule may also be configured to allow the
  approver to change those property values. In either case, you can view or change
  them in the fields under Review the properties submitted for approval.
• Approvers
  This section displays a list of the user accounts or groups to which the approval task
  is currently assigned. Any of the listed users or members of the listed groups can act
  as an approver on the task in question.
• Approval progress
  This section provides information on the date and time that the task was created and
  whether the task was escalated to a higher approver level or reassigned (delegated)
  to other persons. If the task was escalated, you can view when escalation occurred
  and what caused escalation. If the task was reassigned (delegated), you can view
  who delegated the task, when, and to whom.
• Details
  In this section you can view aggregated information about the approval task
  properties and configuration, and some details of the operation that the task is
  intended to allow or deny. The Operation ID field provides a link to a page where
  you can examine the operation in more detail.

To complete a pending task

1. Click Examine task in the task’s header area.


2. On the Object properties page, review, supply or change the object properties for
which the task requests your input, and then click the appropriate action button.

You can also complete a task by clicking the appropriate action button in the task’s header
area. However, if the current policy and approval rules require the approver to supply some
additional information, the Web Interface opens the Object properties page,
prompting you to configure the required properties.

Completed tasks
The Completed view contains a list of your approval tasks that are completed and do not
require approver action. Each task in the list is identified by a header area that provides
basic information about the task such as a unique ID number of the task, who requested
the operation that is subject to approval, when the task was created, and the target object
of the operation. In the middle of a task’s header area is a section that contains the title of
the task (Approve operation by default), a label indicating the status of the task, and
summary information about the operation that was subject to approval. The header area
also identifies the approver action that was applied to complete the task and the completion
reason, if any, specified by the approver who completed the task.

The task’s header area contains the Examine task button allowing you to get detailed
information about the task and review the object properties that were submitted for
approval or changed by the approver who completed the task. Clicking the Examine task
button displays a page containing a replica of the task’s header area and the following
information sections:
• Object properties
  The contents of this section depend heavily upon configuration of the approval rule.
  Thus the approval rule may request the approver to enter additional information that
  must be added to the operation request. For example, when you approve the
  operation of creating a user account, you may have to supply certain properties of
  the user account in addition to those supplied by the administrator who requested
  creation of that user account. The values of the properties supplied by the approver
  are displayed in the fields under Supply or change the following properties.
  Normally, the approval rule is configured so that the approver is allowed to review
  the values of the object properties that were supplied or changed by the operation
  that is subject to approval. The approval rule may also be configured to allow the
  approver to change those property values. In either case, you can view them in the
  fields under Review the properties submitted for approval.
• Approvers
  This section displays a list of the user accounts or groups to which the approval task
  was assigned.
• Approval progress
  This section provides information on the date and time that the task was created, and
  whether the task was escalated to a higher approver level or reassigned (delegated)
  to other persons. If the task was escalated, you can view when escalation occurred
  and what caused escalation. If the task was reassigned (delegated), you can view
  who delegated the task, when, and to whom.
  The Task completed sub-section indicates the date and time that the task was
  completed, identifies the approver who completed the task and the approver action
  that was applied to complete the task, and lists the values of the object properties
  that were supplied or changed by the approver.
• Details
  In this section you can view aggregated information about the approval task
  properties and configuration, and some details of the operation that was allowed or
  denied by the completed task. The Operation ID field provides a link to a page
  where you can examine the operation in more detail.

Using “My Operations”


In the My Operations area, the Recent view lists your operation requests that are waiting
for approval from other individuals, as well as those allowed (approved) or denied
(rejected) by the approver. You can use this view to monitor the status of your requests.

You also have the option to cancel any of your requests that are not yet approved or
rejected.
Each operation listed in the Recent view is identified by a header area that provides basic
information about the operation such as a unique ID number of the operation, when and by
whom the operation was requested, and the target object of the operation. A section in the
middle of the operation header contains a summary of the operation, operation status and
an operation reason that was supplied when the operation was submitted for approval.
The operation summary identifies the operation type (such as Create user or Change
user) and may provide information about the changes to the object properties that result
from the operation. From the operation status you can tell whether the operation is waiting
for approval (pending), allowed (completed), denied (rejected) or canceled. If a given
operation is waiting for approval, you can remove the operation request by clicking the
Cancel operation button.
The operation header contains the View operation details button allowing you to get
detailed information about the operation and review the object properties that were
submitted for approval or changed by the approver who allowed the operation. Clicking the
Examine task button displays a page that contains a replica of the operation header and
the following information sections under the operation header:
• Properties changed during this operation
  This section lists the object property values that were changed as a result of
  the operation, new values assigned to the properties, and identifies who made
  the changes.
• Workflow activities and policy actions
  This section provides detailed information about all policies and workflows that Active
  Roles performed when processing the operation request, including information about
  the approval tasks created as a result of approval workflow activities. For each
  approval task, you can view the status of the task along with aggregated information
  about the properties and configuration of the task.
  From the task status you can tell whether the task is waiting for completion
  (pending), completed to allow the operation or rejected to deny the operation. From
  the additional information about a task, you can identify, for instance, the approvers
  to whom the task is assigned, the due date of the task, the approver who allowed or
  denied the operation and what changes, if any, the approver made to the original
  operation request.
• Operation details
  This section contains additional information about the operation, including when and
  by whom the operation was requested, the target object of the operation, the current
  status of the operation, and the date and time that the record of the operation was
  last updated.

Customizing the Web Interface

• Introduction
• Terminology
• Configuring menus
• Configuring commands
• Configuring forms
• Examples
• Global settings
• Customizing the Navigation bar
• Customizing the Home page
• Configuring Web interface for enhanced security

Introduction
The Web Interface gives Active Roles administrators the ability to customize menus,
commands, and forms that are used for managing directory objects. Active Roles
administrators can add and remove commands or entire menus, assign tasks and
forms to commands, modify forms used to perform tasks, and create new commands,
tasks, and forms.

NOTE: The Active Roles administrators are members of the Active Roles Admin
account, specified during configuration of the Active Roles Administration Service. By
default, the Active Roles Admin account is the Administrators local group on the
computer running the Administration Service.

Before you start customizing the Web Interface, you should consider the following:
• The customization settings are saved as part of the Active Roles configuration. When
  you customize a Web Interface site, your changes are in effect on all the other Web
  Interface sites that share the configuration you are changing.
• After you have performed any customization of a Web Interface site, you must
  publish the new configuration to the Web server. To do this, open the Web Interface
  site in your Web browser, expand Customization on the Navigation bar, and then
  click Reload. This operation must be performed on each of the Web Interface sites
  that share configuration with the site you have customized.
• The Reload command causes the Web Interface to retrieve the new configuration
  data from the Administration Service and update the local copy of the configuration
  data on the Web server that hosts the Web Interface site. When configuration data
  changes because of any customization-related actions, the changes have no effect on
  the Web Interface site until they are transferred to the local copy on the Web server.
  Use the Reload command to get the local copy properly updated.
• You can discard the customization of the Web Interface site, and restore the default
  menus, commands, and forms that were initially installed with the Web Interface. To
  do this, expand Customization on the Navigation bar and click Restore Default.

Terminology
This section briefly describes the items involved in customization of the Web Interface—
menus, commands, forms, tabs, and entries. The following figure shows the items you
can customize.

Figure 2: Terminology

Menu
A menu represents a set of commands (directives) associated with objects of a certain
type, and used to manage those objects. Examples: the User menu, the Group menu, the
Contact menu.

For each object type, such as User or Group, the Command pane displays a menu of
commands. You can customize a menu by adding or removing commands.

Command
A command is an instruction that, when issued by a user, causes an action to be carried
out. Web Interface users select commands from a menu in the Command pane. Some
examples of commands are New User on the Organizational Unit menu, General
Properties on the User menu and Members on the Group menu.
Each command is intended to perform a certain task, such as displaying property pages.
You can customize pages associated with a command.

Form
A form is a structured page with predefined areas for entering and changing information. A
form consists of elements such as text boxes, check boxes, option buttons, and command
buttons. Form elements allow users to perform actions, make choices, and identify and
enter information. A form is a set of pages (tabs) associated with a command that requires
data entry. You can customize a form by adding or removing tabs and entries.

Tabs
Since an object normally has a large number of properties, it may be necessary to
categorize and group properties within a form. A tab represents a group of properties
located on a separate page, such as General, Address or Account on the Properties
form for User objects. By clicking tabs, you can access pages to view or modify properties.
You can add or remove tabs from a form, and change the order of tabs.

Entry
An entry is a group of elements on a form that are intended to view or modify a
property of an object. For example, the First name entry is used to manage the value
of the givenName property. You can add or remove entries from a form, and change
the order of entries.

Link to Form Editor


The Customize link is used to open the form in the Form Editor:

Figure 3: Form Editor

The Form Editor displays all tabs that make up a form, along with the entries placed on
each tab, and provides a central place to add, remove, or modify tabs and entries, as well
as to change the order of tabs and entries on the form. The main elements of the Form
Editor are as follows.

Focus item
The focus item identifies the object you are customizing. A list of menus, a menu, a command,
a form, a tab and an entry are examples of focus items. To identify a focus item, the
Web Interface displays the name of the item and an icon indicating the type of the item.

Toolbar
You can use the toolbar to make changes to the form. The toolbar includes the
following buttons:
• Move Up: Moves the selected items up one level in the list.
• Move Down: Moves the selected items one level lower in the list.
• Delete: Removes the selected items.
• New Tab: Adds a tab to the form.
• Add Entry: Adds an entry to the tab.

List of entries
You can change the order of entries on a tab by selecting check boxes in the list of entries,
and then clicking Move Up or Move Down on the toolbar. You can also view or modify
properties of an entry by clicking the Edit icon next to the name of the entry.

Tab
Click a tab to view or modify entries on that tab. You can change the order of tabs by
selecting check boxes next to tab names, and then clicking Move Up or Move Down on
the toolbar. You can also view or modify properties of a tab by clicking the Edit icon next to
the name of the tab.

Configuring menus
For each object type, such as User, Group or Computer, the Command pane displays a
menu that represents a list of commands associated with that object type. You can
customize a menu by adding or removing commands. Use the following instructions to
manage menus in the Web Interface.

To navigate to the List Existing Menus page


• On the Web Interface home page, click Customization, and then click
  Customization Tasks.
- OR -
On the Navigation bar, expand Customization, and then click Directory Objects.

The List Existing Menus page displays a list of menus. You can click the name of a menu
in the list to view a list of commands included in the menu.

Creating a menu
To create a menu

1. Navigate to the List Existing Menus page: Expand Customization on the
Navigation bar and then click Directory Objects.
2. In the right pane, click Create New Menu.
3. In the Object type list, click an object type. Then, click Finish.
The Web Interface creates a menu for the object type you selected. The menu has
the same name as the object type.

4. Click Reload to publish your changes.

Deleting a menu
To delete a menu

1. On the List Existing Menus page, click the name of the menu you want to delete.
2. In the right pane, click Delete Menu.
3. Click Reload to publish your changes.

Adding a command to a menu


To create a new command on a menu

1. On the List Existing Menus page, click the name of the menu to which you want to add
the command.
2. In the right pane, click Create New Command.
3. In the Command type list, click one of the following:
   • Form Task: Create a command to open a form.
   • Page View Task: Create a command to open a custom page.
   • Search Task: Create a command to perform a search.
   • Set Attribute Task: Create a command to assign a certain value to a certain
     attribute of directory objects.
4. Click Next.
5. Specify general properties of the command, such as the command name and
description.
6. Specify command properties specific to the type of the command:
   • If you have selected Page View Task, specify the address (URL) of the
     resource, such as a Web page, that you want the command to open.
   • If you have selected Search Task, specify the parameters of the search you
     want the command to perform. You can also set up the configuration of the list
     of search results.
   • If you have selected Set Attribute Task, choose the attribute you want the
     command to set and specify the value you want the command to assign to
     that attribute.
7. Click Finish.
8. Click Reload to publish your changes.

To add an existing command to a menu

1. On the List Existing Menus page, click the name of the menu to which you want to add
the command.
2. In the right pane, click Add Existing Command.
3. In the list of existing commands, click the command you want to add to the menu.
The list includes commands that exist in the configuration of the Web Interface site.
Note that the list also includes the commands that were deleted from menus, so you
can use the Add Existing Command function to restore a command on a menu.

4. Click Save.
5. Click Reload to publish your changes.

Removing commands from a menu


To remove commands from a menu

1. On the List Existing Menus page, click the name of the menu from which you want to
remove commands.
2. In the list of commands, select check boxes to mark the commands you want
to remove.
3. On the toolbar at the top of the list, click Delete.
4. Click Reload to publish your changes.

Setting the default command on a menu


To set the default command on a menu
On the List Existing Menus page, click the name of the menu you want to modify.

1. In the right pane, click Default Command.


2. Click Choose.
3. Click the command you want to be used by default, and then click OK.
4. Click Save.
5. Click Reload to publish your changes.

NOTE: The Web Interface runs the default command for an object when the user
clicks the name of that object in a list. For example, since View Contents is set as
the default command for container objects, the Web Interface lists the objects held in
the container when you click the name of a container in a list of objects.

Adding a separator to a menu
To add a separator to a menu

1. On the List Existing Menus page, click the name of the menu you want to modify.
2. In the right pane, click Add Separator.
This adds the <Separator> item to the list of menu commands.

3. Adjust the position of the separator on the menu: Select the check box next to the
separator in the list of commands and then click Move Up or Move Down on the
toolbar at the top of the list.
4. Click Reload to publish your changes.

NOTE:
• Separators are used to group related commands on a menu, to make the menu
  easier to read.
• If necessary, you can remove separators: In the list of commands, select check
  boxes to mark the separators you want to remove, and then click Delete on the
  toolbar at the top of the list.

Changing the order of commands on a menu


To change the order of commands on a menu

1. On the List Existing Menus page, click the name of the menu you want to modify.
2. In the list of commands, select check boxes to mark the commands you want
to move.
3. Click Move Up or Move Down on the toolbar at the top of the list.
4. Click Reload to publish your changes.

Configuring commands
Each command on a menu is intended to perform a certain task, such as displaying
property pages for a directory object, searching for objects that meet certain conditions or
assigning a certain value to a certain attribute of a directory object. You can select a
command, and customize its action or associated pages.

To select a command

1. Do one of the following:


   • On the Web Interface home page, click Customization, and then click
     Customization Tasks.
   • On the Navigation bar, expand Customization, and then click Directory
     Objects.
2. In the list of menus on the List Existing Menus page, click the name of the menu
that includes the command you want to select.
3. In the list of commands, click the name of the command.

Managing command properties


Active Roles administrators can modify command properties. The properties of a
command depend upon the command type: Form Task, Page View Task, Search Task, or
Set Attribute Task.
All commands have common properties, such as the name and description of the
command. In addition, each command has a number of properties determined by the
command type. Thus, the type-specific properties of a Page View Task command identify
the page to display; a Search Task command’s properties determine search criteria and
configuration of the list of search results; the attribute to set and the value to assign are
part of properties of a Set Attribute Task command. See Properties of a command for
further information.

To view or modify the properties of a command

1. In the list of menus on the List Existing Menus page, click the name of the menu
that includes the desired command.
2. In the list of commands found on the menu, click the name of the desired command.
3. Modify the properties of the command, if needed, and click Save.
4. Click Reload to publish your changes.

Creating or selecting a form for a command


A command of the Form Task type is associated with a form, and is used to open that form.

To create a new form and associate it with a command

1. Select a command of the Form Task type.


2. In the right pane, click Link with New Form.

3. Select the type of the form to create:
   • Edit Properties: A form intended to view or modify object properties
   • New Object: A form intended to create new objects
   • Rename: A form intended to rename objects
4. Click Next.
5. Specify general properties of the form, such as the name and description.
6. If you have selected New Object as the type of the form, select the type of objects
you want to create by using the form.
7. Click Finish.
8. Click Reload to publish your changes.

You can also associate a command with a form that already exists in the configuration of
the Web Interface site.

To associate a command with an existing form

1. Select a command of the Form Task type.


2. In the right pane, click Link with Existing Form.
3. In the list of existing forms, click the form you want to link with the command.
4. Click Save. Then, click Reload to publish your changes.

The list of existing forms includes only the forms that are applicable to the object type the
command is intended for. For example, when you select a command from the menu for the
User object type, the list only includes the forms that are applicable to User objects.

NOTE:
• Instead of linking a different form to a command, you can modify the form that
  is already associated with the command.
• If necessary, you can configure a command so as to have no form associated
  with it: in the list on the Link with Existing Form page, click <no assigned
  form>, and then click Save.

Properties of a command
Every command has a number of properties that determine behavior of the command. The
command properties vary depending upon the command type:
• Form Task: This command type is intended to display forms. When you click a
  command of this type, the Web Interface opens the form that is associated with that
  command. Then, depending on the type of the form, you can view or change the data
  shown on the form for an existing object or enter data on the form for creating a new
  object. The identifier of the form is part of the command properties (see Form Task
  properties).
• Search Task: This command type is intended to search for objects in the directory
  and display search results. When you click a command of this type, the Web Interface
  performs a search based on the conditions specified in the command’s properties
  (see Search Task properties), and displays a list of search results. Then, you can click
  an object in the list to open the pages for managing that object.
• Page View Task: Commands of this type are intended to display custom pages.
  When you click a Page View Task command, the Web Interface opens the page
  identified by the address (URL) that is part of the command properties (see Page
  View Task properties). For instructions on how to create custom pages, see Active
  Roles SDK documentation.
• Set Attribute Task: A command of this type is intended to assign a certain value to
  a certain attribute of a directory object. The properties of the command specify the
  attribute and the value to assign to that attribute (see Set Attribute Task properties).
  The command can be configured to display a confirmation message prior to changing
  the attribute.

All commands have common properties, such as the name and description. In addition,
each command has a number of properties determined by the command type.

Common properties
A command of any type has the following properties:
• Name: The text that labels the command on the menu. This text is what Web
  Interface users view in the Command pane.
• Description: Any text to help identify the command in a list of commands. An
  administrator can view this text in addition to the command name when selecting a
  command to add, remove, or modify.
• ToolTip: The text that is displayed when the mouse pointer is positioned over the
  command in the Command pane.
• Command Type: The type of the command is specified when the command is
  created, and cannot be changed.

Form Task properties


A command of the Form Task type has the Form name property in addition to the common
properties. This property identifies the form that the command is intended to open. When a
Form Task command is initially created, it is not associated with any form, so the Form
name property is not set. When you associate the command with a certain form, the Form
name property is set to the name of the form.

Search Task properties
A command of the Search Task type has a number of properties in addition to the common
properties. You can specify search conditions (LDAP search filter), define where to search
for directory objects (scope of the search), and choose the object properties to be displayed
in the list of search results.

Base DN
The Base DN property specifies the distinguished name of the container in which to begin
the search. The search is performed only on this container and objects that exist below it in
the directory tree. This property can be set to one of the following:
• Currently selected object: When the user clicks the command on the menu for a
  given object, the Web Interface uses the distinguished name of that object as the
  Base DN property. For example, suppose the command is on the menu for the
  organizational unit object type. When the user selects an organizational unit and
  clicks the command, the Web Interface searches the selected organizational unit.
• This DN: The command causes the Web Interface to search the object that has the
  specified distinguished name, regardless of what object is actually selected. For
  example, suppose the command is on the menu for the user object type, and the
  Base DN property is explicitly set to the distinguished name of a certain
  organizational unit. In this case, when a user account is selected in the Web
  Interface, the command appears on the menu and clicking the command begins the
  search in that organizational unit.

Search filters
The Search filters property specifies a search filter string in LDAP format. This part of the
LDAP search syntax makes it possible to search for specific objects based on object
attributes. Set up a filter string in accordance with LDAP syntax rules. The default filter
string is “(objectClass=*)”, which retrieves all objects. Another example is
“(objectClass=user)”, which causes the search to retrieve only user accounts.
When configuring a filter string, follow these guidelines:
• The string must be enclosed in parentheses.
• Expressions can use the relational operators: <, <=, =, >=, and >. An example is
  “(objectClass=user)” or “(givenName=Adam)”.
• Compound expressions are formed with the prefix operators & and |. An example is
  (&(objectClass=user)(givenName=Adam)).

For more information about the filter string format, see the “Search Filter Syntax” topic in
the MSDN Library (http://go.microsoft.com/fwlink/?LinkID=111710).

Displayed attributes
The Displayed attributes property specifies a list of the attributes to retrieve during the
search. These are the attributes that will be displayed in the list of search results. Each
attribute is identified by its LDAP display name. Type the names of the attributes you want
to retrieve, or select attributes from a list. Separate attribute names by commas.
The default setting for this property is “name,objectClass,description”, which displays a
three-column list of search results. For every object returned by the search, the Web
Interface lists the name, type, and description of the object.

Search scope
The Search scope property specifies the depth of the search. The options for this
property are:
• Base: This option limits the search to the object specified by the Base DN property
  (base object). The search returns either one object or no objects, depending upon
  the search filter.
• One-level: This option restricts the search to the immediate children of the base
  object, but excludes the base object itself. The search returns the immediate child
  objects that match the search filter.
• Subtree: With this option, the search filter is applied to the base object as well as to
  all objects that exist below it in the directory tree. The search returns all child
  objects that match the search filter. If the base object matches the filter, the base
  object is also included in the search results.
• Attribute scope query by this attribute: With this option, the command searches
  in a certain attribute of the base object (target attribute). The target attribute is
  identified by the LDAP display name specified as part of this option, and must be an
  attribute that stores distinguished names, such as the “member” or “managedBy”
  attribute. The search is performed against the objects that are identified by the
  distinguished names found in the target attribute. For example, if the base object is a
  group and the “member” attribute is specified as the target, then the search will be
  performed against all objects that are members of the group, and will return the
  members of the group that match the search filter.

Sort by
The Sort by property specifies the attribute based on which the list of search results should
be sorted, to group similar attribute values together in an easy-to-read list. Type the LDAP
display name of any attribute that is listed in the Displayed attributes property.
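
To show how Base DN, Search scope, Search filters, Displayed attributes and Sort by combine, the following added example (not code from Active Roles or from this guide) evaluates the four scopes over a small constructed directory. The DNs, the DIRECTORY dictionary and all function names are assumptions made for illustration; the filter parser handles only the presence test "*", =, <=, >= and the prefix operators & and |.

```python
import re

# Constructed sample directory: DN -> attributes. objectClass is kept single-valued
# here for brevity; in Active Directory it is multi-valued.
DIRECTORY = {
    "OU=Sales,DC=example,DC=com": {"name": "Sales", "objectClass": "organizationalUnit"},
    "CN=Adam Smith,OU=Sales,DC=example,DC=com": {
        "name": "Adam Smith", "objectClass": "user", "givenName": "Adam"},
    "CN=Sales Team,OU=Sales,DC=example,DC=com": {
        "name": "Sales Team", "objectClass": "group",
        "member": ["CN=Adam Smith,OU=Sales,DC=example,DC=com",
                   "CN=Eva Jones,OU=EMEA,OU=Sales,DC=example,DC=com"]},
    "OU=EMEA,OU=Sales,DC=example,DC=com": {"name": "EMEA", "objectClass": "organizationalUnit"},
    "CN=Eva Jones,OU=EMEA,OU=Sales,DC=example,DC=com": {
        "name": "Eva Jones", "objectClass": "user", "givenName": "Eva"},
    "CN=Adam Brown,OU=IT,DC=example,DC=com": {
        "name": "Adam Brown", "objectClass": "user", "givenName": "Adam"},
}


def parse_filter(text):
    """Parse a filter string into a tree; raise ValueError if it breaks the syntax rules."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after the closing parenthesis")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("the filter string must be enclosed in parentheses")
    i += 1
    if i < len(s) and s[i] in ("&", "|"):      # compound expression with a prefix operator
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or i >= len(s) or s[i] != ")":
            raise ValueError("malformed compound expression")
        return (op, children), i + 1
    end = s.find(")", i)
    m = re.fullmatch(r"([A-Za-z][\w-]*)(<=|>=|=)([^()]*)", s[i:end]) if end != -1 else None
    if not m:
        raise ValueError("malformed expression")
    return ("cmp", m.group(1), m.group(2), m.group(3)), end + 1


def matches(node, attrs):
    """Apply a parsed filter to one object's attributes."""
    if node[0] in ("&", "|"):
        results = [matches(child, attrs) for child in node[1]]
        return all(results) if node[0] == "&" else any(results)
    _, name, op, wanted = node
    by_name = {k.lower(): v for k, v in attrs.items()}   # attribute names are case-insensitive
    stored = by_name.get(name.lower())
    if stored is None:
        return False
    values = [str(v).lower() for v in (stored if isinstance(stored, list) else [stored])]
    if op == "=":
        return wanted == "*" or wanted.lower() in values  # "*" is a presence test
    if op == ">=":
        return any(v >= wanted.lower() for v in values)
    return any(v <= wanted.lower() for v in values)


def search(base_dn, scope, search_filter="(objectClass=*)",
           displayed="name,objectClass,description", sort_by=None, asq_attribute=None):
    """Return one row (dict of displayed attributes) per object found."""
    tree = parse_filter(search_filter)
    base = base_dn.lower()
    if scope == "base":            # the base object only
        candidates = [dn for dn in DIRECTORY if dn.lower() == base]
    elif scope == "one-level":     # immediate children, base object excluded
        candidates = [dn for dn in DIRECTORY if dn.split(",", 1)[1].lower() == base]
    elif scope == "subtree":       # base object and everything below it
        candidates = [dn for dn in DIRECTORY
                      if dn.lower() == base or dn.lower().endswith("," + base)]
    elif scope == "asq":           # objects named by the DNs stored in the target attribute
        targets = DIRECTORY.get(base_dn, {}).get(asq_attribute, [])
        candidates = [dn for dn in targets if dn in DIRECTORY]
    else:
        raise ValueError("unknown scope: " + scope)
    columns = [c.strip() for c in displayed.split(",")]
    if sort_by and sort_by not in columns:
        raise ValueError("Sort by must name one of the displayed attributes")
    rows = [{c: DIRECTORY[dn].get(c, "") for c in columns}
            for dn in candidates if matches(tree, DIRECTORY[dn])]
    return sorted(rows, key=lambda r: str(r[sort_by])) if sort_by else rows
```

Because Base DN and Search scope decide how many objects a command can list, running the intended filter against a test container first shows whether the command returns more than its audience should see.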

Page View Task properties


A command of the Page View Task type has the URL property in addition to the common
properties. This property identifies the address of the resource, such as a Web page, that
the command is intended to open. When the user clicks the command, the Web Interface
navigates to the address specified by the URL property.
For more information and instructions on how to implement and use commands of this
type, see “Developing Custom Web Pages” in the Active Roles SDK.

Set Attribute Task properties


A command of the Set Attribute Task type has the following properties in addition to the
common properties:
• Attribute to set: The LDAP Display Name of a certain attribute. The command
  assigns a value to that attribute. You can select the desired attribute from a list.
• Value to assign: The command assigns this value to the attribute, or clears the
  attribute if no value is specified. For a Boolean attribute, the value can be either
  True or False.
• Enable confirmation message: When this option is selected, clicking the command
  displays a certain message to obtain the user's consent.
• Confirmation message: Specifies the message to display when the user clicks the
  command. The user has the option to confirm or cancel the command.

Command visibility options


A command on an object in the Web Interface, such as Delete or Rename, can be
either visible or hidden. If a command is visible, the user can click the command and
have the Web Interface process the command accordingly. If a command is hidden, it is
effectively disabled.
Normally, the Web Interface displays or hides a command depending on whether or not the
user has sufficient rights to perform the respective operation on the object that the user
has selected (for example, delete or rename the object). However, certain scenarios may
require that a particular command be hidden or displayed depending on the properties of
the selected object. Another requirement could be to hide or display a command depending
on whether or not the user is authorized to make certain changes to the selected object.
To address these requirements, the Web Interface provides a number of options that
control the visibility of a command to the user. The visibility options on a command take the
form of conditions that are evaluated when a particular user selects a particular object in
the Web Interface. Assuming the command is applicable to the type of the selected object,
the command is displayed if each of the conditions evaluates to True.
By setting up the appropriate conditions on a command, the administrator can control the
visibility of the command in the following ways:
• Show the command if the properties of the selected object meet certain requirements
  (for example, the description of the object is set to the text string specified);
  otherwise, hide the command. The conditions that control the command visibility in
  this way are referred to as property-related conditions.
• Show the command if the user is authorized to modify certain properties of the
  selected object (for example, the user is authorized to change the description of the
  object); otherwise, hide the command. The conditions that control the command
  visibility in this way are referred to as access-related conditions.

It is possible to set up only property-related conditions, only access-related conditions, or
both. The command is displayed if all the specified conditions evaluate to True. If at least
one of the specified conditions is not met, the command is hidden.

To configure visibility options on a command

1. In the Customization section of the Web Interface, select the command that you
want to configure.
2. Click the Visibility tab on the page for managing the properties of the command.
3. Select the option to set up visibility conditions.
4. To set up property-related conditions, click Configure.
5. Do the following:
   • To add a condition, select a property, type in a value, and click Add
     Requirement.
   • To remove a condition, select it from the list and click Remove.
   • When finished, click OK.
   When you select a property and supply a value, either a new condition is added to the
   list or the supplied value is added to the existing condition that is based on the
   selected property. The latter occurs if the property is already in the list of the
   property-related conditions. This allows you to configure a condition that evaluates to
   True if the property has any one of the values specified. If only one value is supplied
   for a particular condition, then the condition evaluates to True if the property has
   exactly the value specified.
6. To set up access-related conditions, do the following:
   • If you want to add a condition, click Add, select a certain property, and
     click OK.
   • If you want to remove a condition, select it from the list and click Remove.
   When you select a property and click OK, a new condition is added that evaluates to
   True if the user has sufficient rights in Active Roles to make changes to that property
   of the object selected by the user in the Web Interface.

7. Click Save. Then, click Reload to publish your changes.

Configuring forms
A form is a set of pages associated with a command that requires data entry. You can
customize a form by adding or removing entries.

Each entry is intended to view or modify certain portions of directory data referred
to as object attributes or properties. You can rearrange entries or adjust their
behavior as needed.
To start customizing a form, you must first open that form in the Form Editor.

To open a form in the Form Editor

1. On the Web Interface home page, click Customization, and then click
Customization Tasks.
- OR -
On the Navigation bar, expand Customization, and then click Directory Objects.
2. In the list of menus, click the menu that contains the command linked with the form
you want to configure.
3. In the list of commands, click the command that is linked with the form you want
to configure.
4. In the right pane, click Edit Form.
If no form is linked with the command you selected, the right pane does not contain
the Edit Form command.

NOTE: Another way to open a form in the Form Editor is to navigate to the Web
Interface page that you want to configure and then click the Customize link.

Managing properties of a form


To view or modify properties of a form

1. Open the form in the Form Editor.
2. In the right pane, click Properties.
3. Modify properties of the form, if needed, and click Save.
4. Click Reload to publish your changes.

You can view or modify the following properties of a form:

• Name: The text that identifies the form. When a form is linked with a command, the
  Form name property of the command is set to the name of the form.
• Description: Any text that helps identify the form in a list of forms (an administrator
  can view this text in addition to the form name when selecting a form to link with a
  command). Note that the name of a form is not required to be unique, so different
  forms may have the same name. In such a case, the description text can help
  distinguish forms.
• Object type: If the form is intended for creating objects, this property identifies the
  type of object that can be created by using the Web Interface page based on this
  form. The object type is set when the form is created, and cannot be modified.
• Form type: This property is set on a form when the form is created, and cannot be
  modified. The form type can be one of the following:
    • Edit Properties: The Web Interface page that is based on this form displays
      properties of existing objects and provides the ability to make changes to
      object properties. Each tab on the form represents the respective tab on the
      Web Interface page.
    • New Object: The Web Interface page that is based on this form serves for
      creating objects in the directory. The page provides for one or more steps to
      collect user input, with each step being represented by a single tab on the
      form. Thus, with two tabs on the form, the Web Interface page displays the
      entries found on the first tab, allowing the user to enter data as required. When
      the user clicks Next, the page displays the entries from the second tab.
    • Rename: This type is basically the same as Edit Properties. However, if a form
      includes entries for managing so-called “naming” attributes, such as the
      “name” attribute, the form type should be set to Rename rather than Edit
      Properties.
• Show policy descriptions: This option specifies whether the Web Interface page that
  is based on this form provides visual indication of Active Roles policies. For example,
  the “User logon name” attribute is normally controlled by a certain policy. When this
  option is selected, the Web Interface displays an icon next to the name of the “User
  logon name” field. Clicking the icon allows the user to view the policy rules that are in
  effect. If the option is not selected, all such icons are removed from the page, so the
  user cannot view policy rules.

Adding a tab to a form


To add a tab to a form

1. Open the form in the Form Editor.
2. On the toolbar in the Form Editor, click New Tab.
3. Specify a name for the new tab.
The name of a tab is the text that labels the tab or step on the respective Web
Interface page.
4. Click Finish; then, click Reload to publish your changes.

Deleting tabs from a form


To delete tabs from a form

1. Open the form in the Form Editor and select check boxes next to the tabs you
   want to delete.
2. On the toolbar in the Form Editor, click Delete.
3. Once the tabs are deleted, click Reload to publish your changes.

Managing properties of a tab


To view or modify properties of a tab on a form

1. Open the form in the Form Editor and click the Edit icon next to the name of the tab.
2. If needed, modify properties of the tab, click Save, and then click Reload.

NOTE: In this way, you can change the name of the tab.

Tab visibility options


A tab on a Web Interface page can be either visible or hidden. If a tab is visible, the Web
Interface user can click the tab to access the user interface elements (entries) located on
that tab. If a tab is hidden, it is inaccessible to the Web Interface user.
Normally, if a Web Interface user has sufficient rights to view the page that holds a given
tab, the tab is visible to that user. However, certain scenarios may require a particular tab
to be hidden or displayed on a page depending on the properties of the object selected by
the user to access that page. For example, you may need to hide the Membership
Approval tab on the group’s General Properties page when the user selects a group
whose properties meet certain conditions. Another requirement could be to hide or display
a tab depending on whether the user is authorized to make certain changes to the selected
object. For example, it may be required that the Membership Approval tab be hidden if
the user does not have sufficient rights to change the members list of the group.
To address these requirements, the Web Interface provides a number of options that
control the visibility of a tab to the user. The visibility options on a tab take the form of
conditions that are evaluated when a particular user selects a particular object in the Web
Interface to access a page containing that tab. The tab is displayed if each of the conditions
evaluates to True.
By setting up the appropriate conditions on a tab, the administrator can control the
visibility of the tab in the following ways:
• Show the tab if the properties of the selected object meet certain requirements (for
  example, the description of the object is set to the text string specified); otherwise,
  hide the tab. The conditions that control the tab visibility in this way are referred to as
  property-related conditions.
• Show the tab if the user is authorized to modify certain properties of the selected
  object (for example, the user is authorized to change the description of the object);
  otherwise, hide the tab. The conditions that control the tab visibility in this way are
  referred to as access-related conditions.

It is possible to set up only property-related conditions, only access-related conditions, or
both. The tab is displayed if all the specified conditions evaluate to True. If at least one of
the specified conditions is not met, the tab is hidden.

To configure visibility options on a tab

1. In the Form Editor, click the Edit icon next to the name of the tab you want
to configure.
2. Click Visibility on the page for managing the properties of the tab.
3. Select the option to set up visibility conditions.
4. To set up property-related conditions, click Configure.
5. Do the following:
   • To add a condition, select a property, type in a value, and click Add
     Requirement.
   • To remove a condition, select it from the list and click Remove.
   • When finished, click OK.
   When you select a property and supply a value, either a new condition is added to the
   list or the supplied value is added to the existing condition that is based on the
   selected property. The latter occurs if the property is already in the list of the
   property-related conditions. This allows you to configure a condition that evaluates to
   True if the property has any one of the values specified. If only one value is supplied
   for a particular condition, then the condition evaluates to True if the property has
   exactly the value specified.
6. To set up access-related conditions, do the following:
   • If you want to add a condition, click Add, select a certain property, and
     click OK.
   • If you want to remove a condition, select it from the list and click Remove.
   When you select a property and click OK, a new condition is added that evaluates to
   True if the user has sufficient rights in Active Roles to make changes to that property
   of the object selected by the user in the Web Interface.

7. Click Save.
8. Click Reload to publish your changes.
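
The visibility rules for commands and for tabs follow the same logic: values supplied for one property are alternatives, while separate conditions must all hold. The following added Python sketch (not Active Roles code) models that evaluation and reports which conditions hide an item. The class and function names, the sample group and the writable_properties set, which stands in for the rights check Active Roles performs, are assumptions; values are compared as exact, case-sensitive strings.

```python
from dataclasses import dataclass, field


@dataclass
class VisibilityOptions:
    """Visibility conditions configured on one command or one tab (hypothetical model)."""
    property_conditions: dict = field(default_factory=dict)  # property -> accepted values
    access_conditions: list = field(default_factory=list)    # properties the user must be able to change

    def add_requirement(self, prop, value):
        # A second value for a property that already has a condition extends that
        # condition (any one of the values satisfies it) instead of adding a new one.
        self.property_conditions.setdefault(prop, []).append(value)

    def add_access_condition(self, prop):
        if prop not in self.access_conditions:
            self.access_conditions.append(prop)


def failed_conditions(options, selected_object, writable_properties):
    """List every condition that evaluates to False for this user and object."""
    failures = []
    for prop, accepted in options.property_conditions.items():
        if selected_object.get(prop) not in accepted:
            failures.append(f"property: {prop} is not one of {accepted}")
    for prop in options.access_conditions:
        if prop not in writable_properties:
            failures.append(f"access: user cannot modify {prop}")
    return failures


def is_visible(options, selected_object, writable_properties):
    """The item is shown only if each configured condition evaluates to True."""
    return not failed_conditions(options, selected_object, writable_properties)


# Constructed configuration for a tab such as Membership Approval: show it only for
# groups with one of two descriptions, and only to users who can change "member".
approval_tab = VisibilityOptions()
approval_tab.add_requirement("description", "Approval required")
approval_tab.add_requirement("description", "Managed group")
approval_tab.add_access_condition("member")

# Constructed sample objects.
managed_group = {"name": "Sales Team", "description": "Managed group"}
adhoc_group = {"name": "Lunch Club", "description": "Ad hoc"}
```

Listing the failed conditions, rather than only the final True or False, makes it easier to review why a given user does or does not see an item after a customization change.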

Adding an entry to a form


To create a new entry and add it to a form

1. Open the form in the Form Editor and click the tab to which you want to add the entry.
2. On the toolbar in the Form Editor, point to Add Entry and click Create.
3. In the Property list, click the attribute for which to add the entry, and then click Next.
4. Specify a name for the new entry, and then click Finish.
5. Click Reload to publish your changes.

NOTE: The name of an entry is the text that labels the control or group of controls on
the respective Web Interface page. For example, if an entry appears as a check box
on the page, the name of the entry is displayed next to the check box. If an entry
appears as an edit box, the name of the entry is directly above the edit box.
A form can hold only one entry per attribute.

To add existing entries to a form

1. Open the form in the Form Editor and click the tab to which you want to add
the entry.
2. On the toolbar in the Form Editor, point to Add Entry and click Select.
3. In the list of entries, select check boxes next to the names of the entries to add.
4. Click Finish. Then, click Reload to publish your changes.
You may need to scroll down the list of entries in order to access the Finish button.

The list for selecting an entry contains the following information about each entry:
• Entry name: The name of the entry.
• Managed property: The attribute or attributes that are managed by using this
  entry. The attributes are identified by LDAP display name.
• Forms that use this entry: The entry is added to each of the listed forms. The
  forms are identified by name. Clicking the name of a form opens the form in the
  Form Editor.
• Entry type: This can be one of the following:
    • Auto: An entry that was created by using the Form Editor.
    • Custom: A predefined entry that came with the Web Interface, or an entry that
      was created by using tools other than the Form Editor (for example, by
      implementing and deploying custom code).
    • Naming: An entry for managing a naming attribute, such as the “name”
      attribute. Setting a naming attribute requires some additional steps, which are
      not necessary with other attributes. The entries of this type are normally
      predefined and installed with the Web Interface.

When selecting an existing entry, consider the type of the entry. Entries of different types
can have the same name and the same managed property. Since the behavior of an entry
depends upon the type of the entry, selecting an entry of an inappropriate type can cause
incorrect results. Thus, selecting an Auto entry instead of a Custom entry will normally
result in the loss of the features that the Custom entry provides in addition to, or instead
of, the default features of the Auto entry. For more information, see Type of entry later in
this document.

Adding static text to a form


The Form Editor provides a special type of entry—text area—allowing you to add static text
to a form. You can use text areas to have the form display descriptive text, such as titles,
captions, or brief instructions. In the Web Interface, a text area entry only displays the text
specified in the configuration of the entry. To change the text, you need to edit the entry
from the Form Editor.

To add static text to a form

1. Open the form in the Form Editor and click the tab to which you want to add
static text.
2. On the toolbar in the Form Editor, point to Add Entry and click Text area.
3. In the Text to display box, supply the text you want to be displayed on the tab.
4. Click Finish. Then, click Reload to publish your changes.

These steps add an entry named Text area in the Form Editor. You can select the check
box next to the Text area name and use the Move Up and Move Down buttons on the
toolbar to change the position of the text area. To change the text displayed by the text
area, click the Edit icon next to the Text area name. When you are done, click Save and
then click Reload to publish your changes.

Deleting entries from a form


To delete entries from a form

1. Open the form in the Form Editor and click the tab from which you want to
delete entries.
2. In the list of entries, select check boxes to mark the entries you want to delete.
3. On the toolbar in the Form Editor, click Delete.
4. Once the entries are deleted from the form, click Reload to publish your changes.

Managing properties of an entry


To view or modify properties of an entry

1. Display the form in the Form Editor and click the tab that includes the entry to manage.
2. Click the Edit icon next to the name of the entry you want to manage.
3. If needed, modify properties of the entry, click Save, and then click Reload.

NOTE: The changes made to an entry are applied to the entry on every form
containing the entry.

The properties of an entry that you can view or modify include the following (for
more information, see Type of entry and Entry for an attribute of DN syntax later in
this document):

• Entry name: Text that labels the entry on the Web Interface page. For a check box,
  the name of the entry appears next to the check box. For an edit box, the name is
  displayed above the edit box.
• Entry description: Any text that helps identify the entry.
• Entry ToolTip: The text that is displayed when the mouse pointer is positioned over
  the entry on the Web Interface page.
• Entry type: The type of the entry. For details, see Type of entry later in this
  document. This setting is defined when the entry is created, and cannot be changed.
• Property: The list of attributes that are managed by this entry (managed attributes).
  Each attribute is identified by its LDAP display name. This setting is defined when the
  entry is created, and cannot be changed.
• Treat as single-valued: This option applies to entries for multi-valued attributes.
  When selected, it causes the entry to behave as if the managed attribute can store
  only one value.
• Read only: When selected, this option prevents the user from changing the data
  displayed by the entry on the Web Interface page.
• Syntax: Indicates the syntax of the attribute that is managed by this entry. The
  name of the syntax is retrieved from the directory schema and displayed for
  informational purposes only.
• Multivalued: Indicates whether the managed attribute is multi-valued. This
  information is retrieved from the directory schema and displayed for informational
  purposes only.
• Render as multiline: Applies to entries for managing string values. Specifies
  whether the entry can display multiple strings or only a single string.
• Label next to entry: Specifies whether to display the entry name next to or above
  the entry on the form. When this check box is selected, the name appears to the left of
  the entry. When this check box is cleared, the name appears above the entry.
• Text to display: Applies to the text area entry type. Specifies the text to be
  displayed in the text area.

Type of entry
The Web Interface provides for these types of entry:
• Auto: Default entries. This type is assigned to the entries created using the
  Form Editor.
• Custom: Predefined entries that come with the Web Interface and use custom
  processing logic, or entries added by implementing and deploying custom code.
• Naming: Entries for managing so-called naming attributes, such as the “name”
  attribute. Setting a naming attribute requires some additional steps, as compared
  with other attributes. The entries of this type are normally predefined and installed
  with the Web Interface.
• StaticText: Entries for adding static text, also referred to as text areas. You can use
  text areas to display descriptive text, such as titles, captions, or brief instructions.

For each entry, certain logic is implemented that governs how to process the values of the
managed attribute. When retrieving an attribute from the directory, the entry uses that
logic to represent the attribute value in the appropriate format. When applying changes to
an attribute value, the entry relies on that logic to transform the changes, if necessary, to
meet the requirements imposed by the directory.
When you create an entry using the Form Editor, default processing logic is applied based
on the syntax of the managed attribute according to the directory schema. Such default
entries are referred to as Auto entries in the Web Interface.
For each of the syntaxes that are defined in Active Directory, certain default logic is defined
in the Web Interface and applied to every Auto entry for managing any attribute of the
respective syntax. Thus, an Auto entry for an attribute of Boolean syntax takes the form of
a check box. An Auto entry for an attribute of String (Unicode) syntax is merely an edit box.
Default processing logic may not be suitable for all attributes. A typical example is
userAccountControl.
In Active Directory, the userAccountControl attribute values are stored as integers, so the
Auto entry for that attribute takes the form of an edit box that displays the integer value
retrieved from the directory. This representation of attribute values is not helpful because a
value of the userAccountControl attribute is, in fact, a 4-byte (32-bit) data structure that
contains flags for configuring some user account settings, such as the flag that controls
whether a user account is enabled or disabled.
A value of userAccountControl is a type of integer wherein each bit in the numeric value
represents a unique setting. This type of integer is called a bit field. Because each bit in a
bit field represents a different setting, simply examining the integer value as a whole
number is of little use. You must examine the individual bit that corresponds to the setting
you are interested in viewing or changing.
To help identify which bit to check in the userAccountControl value, the Web Interface
provides a predefined entry that uses custom logic to represent each bit as a separate
check box. The entries like this one, which use processing logic differing from default
processing logic, are called Custom entries in the Web Interface (as opposed to the Auto
entries that rely on default processing logic).
In the Web Interface, many predefined custom entries are available out of the box. Each
of the predefined custom entries, like the custom entry for the userAccountControl
attribute, is designed to manage a single attribute or a group of related attributes in accord
with the intended meaning of the attribute or attributes rather than only based on the
syntax of attribute values. If necessary, new custom entries can be added that use any
suitable processing logic. For more information and instructions, see the Active Roles SDK.
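
The bit-field handling described above for userAccountControl can be illustrated with a short Python sketch. It is an added example, not the Web Interface's custom entry: the function names and the REVIEW_FLAGS selection are assumptions, while the flag values are those Microsoft documents for the attribute (the table is not exhaustive).

```python
# Flag values as documented by Microsoft for the userAccountControl attribute.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Assumption for this example: flags that relax password or authentication
# requirements and are therefore worth reviewing when they are set.
REVIEW_FLAGS = ("PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
                "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH")


def to_checkboxes(value):
    """Represent the integer the way a per-bit entry would: one check box per flag."""
    return {name: bool(value & bit) for name, bit in UAC_FLAGS.items()}


def set_flag(value, name, checked):
    """Return the integer to write back after one check box is selected or cleared."""
    bit = UAC_FLAGS[name]
    return value | bit if checked else value & ~bit


def unnamed_bits(value):
    """Bits that are set but have no entry in UAC_FLAGS; they must survive a round trip."""
    known = 0
    for bit in UAC_FLAGS.values():
        known |= bit
    return value & ~known


def flags_to_review(value):
    """Names of set flags that weaken the account's authentication settings."""
    boxes = to_checkboxes(value)
    return [name for name in REVIEW_FLAGS if boxes[name]]
```

Editing the raw integer in an Auto entry's edit box replaces every bit at once, whereas set_flag changes a single bit and leaves the others, including bits not named in the table, as they were.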

Entry for an attribute of DN syntax


The Auto entries for attributes of Object (DS-DN) syntax have certain features that are
specific to only this category of entries. In this topic, for the sake of brevity, such entries
are referred to as DN entries.

Values of an attribute of Object (DS-DN) syntax are strings, each specifying the
distinguished name (DN) of a certain directory object. For attributes with this syntax,
Active Directory handles attribute values as references to the object identified by the DN
and automatically updates the value if the object is moved or renamed. Examples of such
attributes are “member”, “managedBy” and “manager”.
A DN entry retrieves DN values from the attribute, looks up the objects that are
identified by the DN values, and displays a list of those objects. By default, the list contains
the following information about each object:
• Name: The value of the “name” attribute.
• Description: The value of the “description” attribute.
• Object type: The value of the “objectClass” attribute.

You can configure the list to display values of other attributes: open the Properties page
for the entry (see Managing properties of an entry earlier in this document), and click the
Advanced tab. Then, modify the list of names in the Columns box as required. You can
type LDAP display names of attributes in the Columns box, separating them by commas,
or you can click the button next to the Columns box and select attributes. The list provided
by the entry will include one column for each attribute you specify, with each column
showing the values of the respective attribute.
A DN entry provides the ability to make changes to the managed attribute, that is, to add or
remove DN values from the attribute. For this purpose, a DN entry supplements the list of
objects with the Add and Remove controls. The Remove control deletes list entries,
consequently removing the respective DN values from the managed attribute. The Add
control uses the Select Object dialog box for selecting objects. The entries representing
the selected objects are then added to the list, with the DN of each object being eventually
appended to the values in the managed attribute.
It is possible to customize the Select Object dialog box that is used by the Add control
in a DN entry. For this purpose, a DN entry provides a number of options. These options
can be found on the Advanced tab of the Properties page for a DN entry (for
instructions on how to access the Properties page, see Managing properties of an entry
earlier in this document):
• Populate list view when the dialog box opens: When turned off, this option
  prevents a delay in opening the Select Object dialog box. Since populating the list
  view in the dialog box implies running a query against the directory service (which
  may be a lengthy operation), the ability to open the dialog box without initially
  populating the list view increases responsiveness of the user interface. The user can
  type and check object names in the dialog box instead of selecting objects from the
  list. Alternatively, the user can manually start populating the list view by clicking a
  link in the Select Object dialog box.
• Display the “Find in” field: When turned on, this option enables the users to view
  the Find in setting. With this option turned off, the Find in setting is not displayed in
  the Select Object dialog box.
• Allow user to change the “Find in” setting: This option controls whether the user
  can modify the default Find in setting. With this option turned off, the Find
  in setting cannot be changed in the Select Object dialog box.

• Display the “Object name” field: When turned on, this option enables the user to
  type the names of objects to select instead of clicking objects in the list view in the
  Select Object dialog box. With this option turned off, the user is forced to make a
  selection from the list.
• “Find in” default setting: You can specify a certain container as the default
  location of the objects for selecting. Click the button next to this option in order to
  select a container, or type in the distinguished name of a container. The Select
  Object dialog box will open with that container substituted in the Find in field.
• LDAP search filter: When populating the list view, the Select Object dialog box
  applies this setting to the Find in container in order to retrieve the objects that
  match the filter specified. The list view then displays the objects returned by the
  query based on this search filter. You should set up a filter string in accordance with
  LDAP syntax rules.
• Scope of query: When populating the list view, the Select Object dialog box uses
  this setting to qualify the query. Select one of the following:
    • Base search: The search filter is applied to the Find in object only. When
      attribute scope query (ASQ) is used, the search filter is applied to the objects
      listed in a certain attribute of the Find in object.
    • One-level search: The search filter is applied to the immediate children of the
      Find in object. The list view is populated with the immediate child objects that
      match the search filter.
    • Subtree search: The search filter is applied to the Find in object as well as to
      all objects that exist below it in the directory tree. The list view is populated
      with all the objects that match the search filter.
• Use attribute scope query (ASQ): When turned on, this option causes the Select
  Object dialog box to populate the list view with objects that are listed in a certain
  attribute of the Find in object (target attribute). The LDAP display name of the target
  attribute must be supplied in the Attribute to search by using ASQ field.
  The target attribute must be an attribute that stores distinguished names, such as
  “member” or “managedBy”. The search is performed against the objects that are
  identified by the distinguished names found in the target attribute. For example, if
  the Find in object is a group and “member” is specified as the target attribute,
  then the search will be performed against all objects that are members of the group
  and the list view will be populated with the members of the group that match the
  search filter.
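The following added example (not part of the guide and not Active Roles code) models in memory how the Find in object, the scope of query, the LDAP search filter and the ASQ option together decide which objects populate the list view. The directory contents and all names are constructed, the filter evaluator supports only equality, presence and the &, | and ! operators, and rejecting ASQ with a scope other than base is a modelling assumption.

```python
# Constructed sample directory (not from the guide): DN -> attributes.
BASE = "DC=example,DC=test"
STAFF = "OU=Staff," + BASE
GROUPS = "OU=Groups," + BASE
ANN = "CN=Ann," + STAFF
BOB = "CN=Bob," + STAFF
HELPDESK = "CN=Helpdesk," + GROUPS
PRINTERS = "CN=Printers," + GROUPS
DIRECTORY = {
    BASE: {"objectClass": ["domainDNS"]},
    STAFF: {"objectClass": ["organizationalUnit"]},
    GROUPS: {"objectClass": ["organizationalUnit"]},
    ANN: {"objectClass": ["user"], "department": ["IT"]},
    BOB: {"objectClass": ["user"], "department": ["HR"]},
    HELPDESK: {"objectClass": ["group"], "member": [ANN, BOB, PRINTERS]},
    PRINTERS: {"objectClass": ["group"]},
}


def _parse(text, pos):
    """Parse one parenthesised filter at text[pos]; return (predicate, next position)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    op = text[pos + 1]
    if op in "&|!":
        parts, pos = [], pos + 2
        while text[pos] == "(":
            part, pos = _parse(text, pos)
            parts.append(part)
        if text[pos] != ")" or not parts or (op == "!" and len(parts) != 1):
            raise ValueError("malformed %r clause" % op)
        if op == "&":
            return (lambda e: all(p(e) for p in parts)), pos + 1
        if op == "|":
            return (lambda e: any(p(e) for p in parts)), pos + 1
        return (lambda e: not parts[0](e)), pos + 1
    end = text.index(")", pos)
    attr, sep, wanted = text[pos + 1:end].partition("=")
    if not sep or not attr:
        raise ValueError("expected attr=value")

    def match(entry):
        # Attribute names and values are compared case-insensitively.
        values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
        if wanted == "*":
            return bool(values)
        return wanted.lower() in (v.lower() for v in values)
    return match, end + 1


def compile_filter(text):
    """Turn a filter string into a predicate over one directory entry."""
    try:
        predicate, pos = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return predicate


def search(find_in, scope, ldap_filter, asq_attribute=None):
    """Return the sorted DNs that would populate the list view in this model."""
    predicate = compile_filter(ldap_filter)
    if asq_attribute:
        if scope != "base":
            raise ValueError("ASQ is modelled for base scope only")
        # ASQ: the candidates are the objects named in the target attribute.
        listed = DIRECTORY[find_in].get(asq_attribute, [])
        candidates = [dn for dn in listed if dn in DIRECTORY]
    elif scope == "base":
        candidates = [find_in]
    elif scope == "onelevel":
        # Naive parent lookup: the sample DNs contain no escaped commas.
        candidates = [dn for dn in DIRECTORY if dn.partition(",")[2] == find_in]
    elif scope == "subtree":
        candidates = [dn for dn in DIRECTORY
                      if dn == find_in or dn.endswith("," + find_in)]
    else:
        raise ValueError("unknown scope %r" % scope)
    return sorted(dn for dn in candidates if predicate(DIRECTORY[dn]))


if __name__ == "__main__":
    print(search(HELPDESK, "base", "(objectClass=user)", asq_attribute="member"))
    print(search(BASE, "subtree", "(objectClass=group)"))
```

Without ASQ, a base search on the group evaluates the filter against the group object itself, which is why the same filter returns nothing there.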

Examples
This section discusses the following customization scenarios:
• Deleting the New Shared Folder command from the Container menu
• Adding the Telephone number entry to the form for creating user accounts

Deleting a command from a menu
By default, the Container menu includes the New Shared Folder command. After
you complete the following steps, the menu no longer includes the New Shared
Folder command.

To delete the command from the menu for Container object type

1. Open your Web browser and connect to the Web Interface for Administrators.
2. On the Navigation bar, expand Customization and then click Directory Objects.
3. In the Menu for column, click Container.
4. In the list of commands, select the check box next to the New Shared
Folder command.
5. On the toolbar, click Delete. Then, click OK to confirm the deletion.
6. Click Reload to publish your changes.

Adding an entry to a form


By default, the forms for user account creation do not include a box where you could specify
the user’s telephone number. After you complete the following steps, a new box—
Telephone number—is added to the form for user account creation. When you fill in that
box, the number is saved in the user account.

To add the entry to the form for user account creation

1. Open your Web browser and connect to the Web Interface for Administrators.
2. On the Navigation bar, expand Customization and then click Directory Objects.
3. In the Menu column, click Container.
   When you modify the New User command on the Container menu, the command is
   also modified on the Domain and Organizational Unit menus.
4. In the list of commands, click New User.
5. In the right pane, click Edit Form.
6. In the Form Editor, click the General tab.
7. On the toolbar in the Form Editor, point to Add Entry and click Create.
8. In the Property list, click Telephone Number.
9. Click Next.
10. Specify Telephone number as the entry name.
11. Click Finish.
12. Click Reload to publish your changes.

Global settings
Customization of the Web Interface includes the global settings that control the display of
the Web Interface pages for all users. There are several areas of the Web Interface site
where global settings are used by default. Some of these settings can be overridden by
Web Interface users, whereas the others can only be viewed or changed by administrators.
The following settings are applied for all Web Interface users and can only be changed by
Active Roles administrators:
• Logo image: Use this option to replace the default logo image with a custom logo
  image on the Web Interface pages (see Customizing the logo image).
• Web Interface site icon: Use this option to change the site icon, also known as
  favicon, that identifies the Web Interface site in the Web browser’s address bar (see
  Customizing the Web Interface site icon).
• Hide path to object: Select this check box to prevent the path to the current
  container from being displayed on the Web Interface pages.
  This option may be helpful in environments where Managed Units rather than
  Organizational Units are used to delegate administrative tasks.
• Logged-on user name format: View or change the property used for the
  presentation of the Web Interface user (see Customizing the name of the Web
  Interface user).
• Color scheme: Use the options in this area to customize the appearance of the Web
  Interface pages by configuring a custom color scheme. You can choose from the
  following options:
    • Default: Applies the color scheme that is included with the Web Interface out
      of the box.
    • Custom: Allows you to select the base color for your custom color scheme and
      specify the amount of color you want on the Web Interface pages.

If the administrator changes any of the above settings, the new settings affect any user
who connects to the Web Interface site after the changes are applied.
The following settings are applied for all Web Interface users by default, and can be
overridden on a per-user basis (a Web Interface user can choose different settings without
affecting the other users):
• User interface language: Choose the language for the Web Interface pages. Your
  selection determines the language of menus and dialogs, messages, and help pages.
• Maximum number of objects to display in search results: Specify the
  maximum number of objects that can be displayed in single-page lists, such as lists
  of search results or lists that show contents of containers. Use this option carefully as
  displaying a large number of objects may cause performance degradation.
• Number of items to display per page in paged lists: Specify the maximum
  number of list items that can be displayed on a single page in multi-page lists. This
  setting affects only the lists, such as lists of approval tasks, that are divided into
  pages, causing each page to display no more items than specified.
• Number of page links to display for paged lists: Specify the maximum number
  of links to pages that can be displayed for multi-page lists. This setting affects only
  the lists, such as lists of approval tasks, that are divided into pages, allowing the user
  to page through list items by clicking page numbers beneath the list. This setting
  specifies how many page numbers are to be shown.

If the administrator changes any of the above settings, the new settings normally affect the
users who connect to the Web Interface site for the first time. The changes to the global
settings of this category do not affect the Web Interface users whose user profiles already
contain user-specific, personal settings of the same category. For example, if a user has
already selected the preferred language, changing the user interface language in Global
Settings has no effect on that user.

To view or modify global settings

1. Log on as Active Roles Admin, and connect to the Web Interface site you want
to customize.
2. On the Navigation bar (on the left side of the Web Interface page), click
Customization.
3. On the Customization page, click Global Settings.
4. Use the Global Settings page to view or modify the settings.
5. When finished, click Save.
6. Click Reload for your changes to take effect for all users of the Web Interface site
you are customizing.

Customizing the logo image


The Web Interface allows the administrator to customize the branding for the Web
Interface sites by changing parts of the logo image that appears at the top of the Web
Interface screen. The default parts of the logo image can be replaced by custom images,
such as a company logo or a product logo. Separate images are used to identify the
company and the product. The administrator can specify the desired image by selecting an
appropriate graphic file. The supported file types are JPEG (.jpg or .jpeg file name
extension), GIF, and PNG.
It is also possible to customize the hyperlinks on the parts of the logo image. Separate
hyperlinks are available on the company logo and the product logo. Thus, the hyperlink on
the company logo could be configured to navigate to the corporate Web site whereas the
hyperlink on the product logo could open a custom page with instructions on how to use
the product.

To view or modify the logo image settings

1. Open the Web Interface site in your Web browser, click Customization on the
Navigation bar, and then click Global Settings.
2. In the Product logo image area, view or change the image that is used to identify
   the product:
   • To use a different image, click Change and select a graphic file containing the
     image you want.
   • To revert to the standard image, click Restore Default.
3. In the Hyperlink on the product logo image area, view or change the address
   (URL) of the Web page that opens when the user clicks the product logo image:
   • To use a different address, type the address in the edit box.
   • To remove the hyperlink from the product logo image, clear the edit box.
   • To revert to the standard address, click Restore Default.
4. In the Company logo image area, view or change the image that is used to identify
   the company:
   • To use a different image, click Change and select a graphic file containing the
     image you want.
   • To revert to the standard image, click Restore Default.
5. In the Hyperlink on the company logo image area, view or change the address
   (URL) of the Web page that opens when the user clicks the company logo image:
   • To use a different address, type the address in the edit box.
   • To remove the hyperlink from the company logo image, clear the edit box.
   • To revert to the standard address, click Restore Default.
6. Click Save.
7. Click Reload to publish your changes.

Customizing the Web Interface site icon


The Web Interface has the default site icon, and provides a means to change the site icon.
A site icon, also called shortcut icon or favicon, is a small image that is associated with a
particular Web Interface site. You can change the site icon for each site separately.
When you open a Web Interface site in your Web browser, the site icon appears in the
browser’s address bar. The site icon also appears on the History and Favorites lists, making
it easier to identify the site. In addition, the site icon helps identify and differentiate the site
on the Windows taskbar.
If you want to use a custom icon for your Web Interface site, consider the following. A site
icon must be an image in the ICO file format, square in size, and at least 16x16 pixels. The
recommended size of a site icon is 16x16 or 32x32 pixels as Windows uses site icons in the
Web browser's address bar (16x16) and on the taskbar buttons (32x32). However, in case
of larger icons on the desktop, Windows may stretch a site icon to 64x64 pixels and more.

To achieve the best experience, consider creating an ICO file that contains your site icon in
several sizes, including the 16x16, 32x32 and 64x64 pixel icons.

To change the site icon

1. Open the Web Interface site in your Web browser, click Customization on the
Navigation bar, and then click Global Settings.
2. In the Web Interface site icon area, click Change and supply the ICO file
containing the desired icon.
3. Click Save, and then click Reload for the changes to take effect.

You can revert to the default icon by clicking Restore Default in the Web Interface site
icon area. To apply your changes, click Save and then click Reload.

Customizing the name of the Web Interface user
The Web Interface displays the name of the logged-on user in the area above the
Navigation bar, retrieving that name from the “Display Name” property of the user account
in Active Directory. In case of empty display name, the name is retrieved from the “name”
property. This default behavior may not be suitable for all situations.
Suppose the Web Interface user has two accounts: a regular account and another account
with elevated privileges (“admin” account). When logged on to the Web Interface, such a
user needs to know which account is currently used, so as to be sure that inappropriate
actions cannot be performed. If both the regular and admin accounts have the same
display name, a different property should be used to identify the user. The Web Interface
addresses this requirement by allowing a user property other than “Display Name” to be
selected for the presentation of the Web Interface user.

To select a user property for the presentation of the Web Interface user

1. Open the Web Interface site in your Web browser, click Customization on the
Navigation bar, and then click Global Settings.
2. Under Logged-on user name format, click the Change button, and then select
the user property you want.
3. Click Save, and then click Reload for the changes to take effect.

To identify which property is currently used for the presentation of the Web Interface user,
point to the user name under Logged-on user name format and review the tooltip that
appears. Thus, under default conditions, the tooltip reads “The 'Display Name' property is
used as the name of the logged-on user in the Web Interface. Click 'Change' to use a
different property.”

Customizing the Navigation bar
The left area on Web Interface pages, referred to as the Navigation bar, provides menu
items for navigating between Web Interface sections. By default, it includes a number of
top-level menu items. Expanding a top-level item on the Navigation bar may display
subordinate items. In this section, the collection of the items that are subordinate to a
given item is referred to as the menu group associated with that item.
You can add, modify, re-arrange, and remove menu items on menu groups and on the
Navigation bar. A point-and-click interface helps you manage the menu items and their
subordinate items, providing flexible options to customize the Navigation bar.
The changes you make to the Navigation bar affect every user of the Web Interface site.
For example, when you remove a menu item, the item is not displayed to any user of the
Web Interface site.

To customize the Navigation bar

1. On the Home page of the Web Interface site, click Customization.


2. Click Customization Tasks; then, click Customize Navigation Bar in the
right pane.
3. In the hierarchical view of menu items, click to select the item you want to change,
and then use command buttons to make changes.

The following table provides an overview of changes you can make.

Table 1: Navigation bar customization tasks

| To | Do This |
|---|---|
| Add an item to the Navigation bar. | Click the Menu Bar entry, and then click Add. Type a name for the new item and the URL of the page you want the new item to open. Then, click OK. |
| Add an item to a menu group. | Click the item that the menu group is associated with, and then click Add. Type a name for the entry, and the URL of the page you want the new item to open or the name of the script function (command) you want the item to execute. Then, click Add. |
| Change the position of an item on the Navigation bar or within a menu group. | Select the item and click the Up or Down arrow button. |
| Change the name of an item. | Select the item and click Properties. Then, type the name you want, and click OK. |
| Move an item to the Navigation bar. | Select the item and click Move. Then, click the Menu Bar entry. Adjust the position of the item as needed by clicking arrow buttons and then click OK. (This also moves the entire menu group, if any, associated with the item being moved.) |
| Move an item to a menu group. | Select the item and click Move. Then, click the item that the destination menu group is associated with. Adjust the position of the item as needed by clicking arrow buttons and then click OK. (This also moves the entire menu group, if any, associated with the item being moved.) |
| Hide an item so that it does not appear on the Navigation bar. | Select the item and click Hide. (To display an item that is hidden, select the hidden item and click Unhide.) |

Customizing the Home page


The Home page of the Web Interface site includes a number of items that serve as entry
points to individual sections of the Web Interface. Each item occupies a clickable area on
the Home page, and includes the caption (name of the item), text describing the item and a
picture providing a graphical illustration of the item. Clicking an item displays a page that is
identified by a certain property of the item (this property is referred to as “URL to open”).
You can add, modify, re-arrange, and remove items on the Home page. A point-and-
click interface helps you manage the items, providing flexible options to customize
the Home page.
The changes you make to the Home page affect every user of the Web Interface site. For
example, when you remove an item from the Home page, the item is not displayed to any
user of the Web Interface site.

To customize the Home page

1. On the Home page of the Web Interface site, click Customization.


2. Click Customization Tasks; then, click Customize Home Page in the right pane.
3. In the list of items, click to select the item you want to change, and then use
command buttons to make changes.

The following table provides an overview of changes you can make.

Table 2: Home page customization tasks

| To | Do This |
|---|---|
| Add an item to the Home page. | Click Add. Type a name for the new item and the URL of the page you want the new item to open. Optionally, type any text to display in the item area, and change the picture for the item. Then, click OK. |
| Change the position of an item on the Home page. | Select the item and click the Up or Down arrow button. |
| Change the name or description text of an item. | Select the item and click Properties. Then, type the name or description text you want, and click OK. |
| Change the picture to be displayed in the item area. | Select the item and click Properties. Under the Picture to display label, click Change. Type the path and name of the picture file, or click Browse to select and open the picture file. Then, click OK. |
| Hide an item so that it does not appear on the Web Interface pages. | Select the item and click Hide. (To display an item that is hidden, select the item and click Unhide.) |

By adding a home page item, you can customize the Web Interface to integrate custom
applications together with the Web Interface pages. The Advanced properties section in
the dialog box for managing a home page item provides the Open the URL in a frame
option for this purpose.
With the Open the URL in a frame option, a home page item can be configured to open a
Web application so that the application’s pages are embedded in a standard Web Interface
page. When this option is selected, the page identified by the URL to open property of the
home page item is embedded in a Web Interface page instead of being displayed in place of
the Web Interface page in the Web browser window.
The Advanced properties section also provides the ability to configure a home page item
so that a number of optional parameters are automatically appended to the query string of
the URL when the user clicks the item. This enables the Web Interface to pass certain data
to the Web application associated with the home page item. You can modify parameter
names. The parameter values are generated by the Web Interface when the user clicks the
home page item. The following table summarizes the available parameters.

Table 3: Query string parameters

| Parameter Name | Parameter Value |
|---|---|
| DN | Distinguished Name (DN) of the user account of the Web Interface user. Example: DN=CN%3dAaron%20Beh%20Santos%2cOU%3dEmployees%2cDC%3dDomain%2cDC%3dCompany%2cDC%3dCom |
| IdentificationDomain | DNS name of the Active Directory domain that holds the user account of the Web Interface user. Example: IdentificationDomain=domain.company.com |
| IdentificationAccount | Pre-Windows 2000 name (sAMAccountName) of the user account of the Web Interface user. Example: IdentificationAccount=ASantos |
| LCID | Hex code of the locale identifier specific to the Web Interface language selected by the Web Interface user. Example: LCID=409 |
| IsDsAdmin | “True” or “False” depending on whether or not the Web Interface user is assigned to the Active Roles Admin role and thus has administrative rights on Active Roles. Example: IsDsAdmin=False |
| CurrentLanguage | Locale name specific to the Web Interface language selected by the Web Interface user. Example: CurrentLanguage=en-US |
| PortalHomePage | URL of the Home page of the Web Interface site you are customizing. Example: PortalHomePage=http://Server/ARServerSelfService |
| TaskID | The identifier of the Web Interface command used to open the URL. Example: TaskID=d8371ae8-1215-40ac-b0c4-391c3225a426 |
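The parameters in Table 3 reach the associated Web application in the URL, by way of the user's browser, so the receiving application should validate each value and base access decisions on its own authentication rather than on IsDsAdmin. The following added example (not part of the guide and not Active Roles code) shows one way to do that for the default parameter names; the sample URL host, the format checks and the authenticated_user argument (the identity the application established itself) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Building blocks for the format checks (assumed formats, kept conservative).
_RDN = r"[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])+"          # one "attr=value" DN component
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"  # one DNS label


def _is_http_url(value):
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


# One check per default parameter name from Table 3.
CHECKS = {
    "DN": re.compile(rf"{_RDN}(?:,{_RDN})*").fullmatch,
    "IdentificationDomain": re.compile(rf"{_LABEL}(?:\.{_LABEL})*").fullmatch,
    "IdentificationAccount": re.compile(r'[^"/\\\[\]:;|=,+*?<>\x00-\x1f]{1,20}').fullmatch,
    "LCID": re.compile(r"[0-9A-Fa-f]{1,8}").fullmatch,
    "IsDsAdmin": re.compile(r"True|False").fullmatch,
    "CurrentLanguage": re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*").fullmatch,
    "PortalHomePage": _is_http_url,
    "TaskID": re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}").fullmatch,
}

# Constructed request URL assembled from the example values in Table 3.
SAMPLE_URL = (
    "http://app.example.test/tool"
    "?DN=CN%3dAaron%20Beh%20Santos%2cOU%3dEmployees%2cDC%3dDomain%2cDC%3dCompany%2cDC%3dCom"
    "&IdentificationDomain=domain.company.com"
    "&IdentificationAccount=ASantos"
    "&LCID=409"
    "&IsDsAdmin=False"
    "&CurrentLanguage=en-US"
    "&PortalHomePage=http://Server/ARServerSelfService"
    "&TaskID=d8371ae8-1215-40ac-b0c4-391c3225a426"
)


def parse_portal_query(url):
    """Decode and validate the Web Interface parameters on url; raise ValueError if bad."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for name, check in CHECKS.items():
        values = raw.get(name, [])
        if not values:
            continue  # the guide describes these parameters as optional
        if len(values) > 1:
            raise ValueError(f"{name}: supplied {len(values)} times")
        if not check(values[0]):
            raise ValueError(f"{name}: malformed value")
        params[name] = values[0]
    if "LCID" in params:
        params["LCID"] = int(params["LCID"], 16)  # the guide gives LCID as a hex code
    if "IsDsAdmin" in params:
        # Display hint only: it arrives in the URL, so it is never an authorization input.
        params["IsDsAdmin"] = params["IsDsAdmin"] == "True"
    return params


def same_account(params, authenticated_user):
    """Compare IdentificationAccount with the account the application authenticated.

    authenticated_user is assumed to look like DOMAIN\\account or account@domain.
    Only the account part is compared, case-insensitively.
    """
    claimed = params.get("IdentificationAccount")
    if claimed is None:
        return False
    account = authenticated_user.rsplit("\\", 1)[-1].split("@", 1)[0]
    return claimed.casefold() == account.casefold()


if __name__ == "__main__":
    parsed = parse_portal_query(SAMPLE_URL)
    print(parsed["DN"], hex(parsed["LCID"]), same_account(parsed, "DOMAIN\\asantos"))
```

If the parameter names were changed in the Advanced properties section, the keys of CHECKS need to be renamed to match.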

Configuring Web interface for enhanced security

By default, Web Interface users connect to the Web Interface using an HTTP transport,
which does not encrypt the data transferred from a Web browser to the Web Interface. To
transfer data to the Web Interface securely, it is recommended to use an HTTPS transport.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided
by the Web server for data encryption. For instructions on how to enable SSL on your Web
server, see https://support.microsoft.com/en-in/help/324069/how-to-set-up-an-https-service-in-iis.
Any Web interface is prone to security issues such as Cross-Site Request Forgery (CSRF)
and Cross-Site Scripting (XSS) attacks. To protect against such attacks, Active
Roles can now be configured to enable CSRF and XSS protection for the Web Interface.
Cross-Site Request Forgery (CSRF) attacks can force users to execute unwanted actions
on the Active Roles web application in which they are currently authenticated. To prevent
CSRF requests, Active Roles must be enabled to use Anti Forgery protections.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are
injected into otherwise benign and trusted websites. Hence, any script that is sent to Active
Roles must be validated for malicious content before accepting and executing the script. To
perform the script validation, XSS validation must be enabled for Active Roles.

To configure keys in the Web interface

1. From Windows Run, open IIS and expand Default Website.
2. Click the Active Roles Application.

   NOTE: ARWebAdmin is the default Active Roles application.

3. In the right pane, in the Configuration Editor, from the Section drop-down menu,
   select <Settings>.
4. Click the button corresponding to (Count=*), and then click Add in the right pane.
5. Enter the following values:
   a. Key: "<keyname>"
   b. Value: "<value>"
6. Close the window and click Apply under the Actions menu in the right pane.
7. Restart the App pool.

Working with Cross-Site Request Forgery for web interface
By default, the current Active Roles Web Interface uses Anti Forgery protections to prevent
Cross-Site Request Forgery (CSRF) requests.
To modify the CSRF settings, add the following keys to the <appSettings> section of web.config:
• <add key="EnableAntiForgery" value="true"/> <!-- Key to enable or disable Antiforgery. Values: true or false -->
• <add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>

Working with Cross-Site Scripting validation for Web interface
The Cross-Site Scripting (XSS) option allows Active Roles to determine whether a request
contains potentially dangerous content. The current Active Roles Web Interface validates
XSS by default. You can either disable XSS validation or modify its behavior with the
IgnoreForValidation key.

To disable XSS in web.config:

1. In the <appSettings> section, set the value of the following key to false:

   <add key="EnableRequestValidation" value="false"/>

2. In the <system.web> section, set the following attribute in <pages />:

   validateRequest="false"

To modify XSS behavior in web.config:

1. In the <appSettings> section, find the following key:

   <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>

2. For environments having Lync Server or Skype for Business Server, add the following
   to the existing value:

   dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy
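Because these keys can switch the CSRF and XSS protections off or widen the two Ignore lists, it is useful to check a deployed web.config against the values printed in this guide. The following is an added example (not part of the guide and not Active Roles code): the sample web.config and its "reports" entry are constructed, treating a missing key as the protected default is an assumption, and flagging list entries beyond those printed here is a review policy chosen for the example.

```python
import xml.etree.ElementTree as ET

# Values of the two Ignore lists as printed in this guide.
DEFAULT_IGNORE_VALIDATION = {
    "choosecolumns", "savetofile", "customizeform", "default", "2fauth", "formmap",
}
DEFAULT_IGNORE_FOR_VALIDATION = {
    "hiddenxml", "homepagestruct", "txtconditionsforoperationsinreadableform",
}
# Additions the guide lists for Lync Server / Skype for Business Server environments.
LYNC_IGNORE_FOR_VALIDATION = {
    "dialplanpolicytextbox", "voicepolicytextbox", "edsva-lync-conferencingpolicy",
    "edsva-lync-clientversionpolicy", "edsva-lync-pinpolicy",
    "edsva-lync-externalaccesspolicy", "edsva-lync-archivingpolicy",
    "edsva-lync-locationpolicy", "edsva-lync-mobilitypolicy",
    "edsva-lync-persistentchatpolicy", "edsva-lync-clientpolicy",
}

# Constructed sample, not a real Active Roles web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="EnableAntiForgery" value="false"/>
    <add key="IgnoreValidation"
         value="choosecolumns,savetofile,customizeform,default,2fauth,formmap,reports"/>
    <add key="EnableRequestValidation" value="true"/>
    <add key="IgnoreForValidation"
         value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform,voicepolicytextbox"/>
  </appSettings>
  <system.web>
    <pages validateRequest="false"/>
  </system.web>
</configuration>"""


def _csv(value):
    """Split a comma-separated setting into a set of lowercase, trimmed names."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def audit_web_config(xml_text, lync=False):
    """Return a list of (setting, detail) findings for one web.config document."""
    root = ET.fromstring(xml_text)
    settings = {}
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            settings[add.get("key", "")] = add.get("value", "")

    findings = []
    # Assumption: a key that is absent leaves the default (protection on) in force.
    for key, what in (("EnableAntiForgery", "CSRF anti-forgery protection"),
                      ("EnableRequestValidation", "XSS request validation")):
        value = settings.get(key)
        if value is not None and value.strip().lower() != "true":
            findings.append((key, f"{what} is turned off (value={value!r})"))

    for pages in root.iter("pages"):
        if (pages.get("validateRequest") or "").strip().lower() == "false":
            findings.append(("validateRequest", "<pages validateRequest> is false"))

    allowed_xss = set(DEFAULT_IGNORE_FOR_VALIDATION)
    if lync:
        allowed_xss |= LYNC_IGNORE_FOR_VALIDATION
    for key, allowed in (("IgnoreValidation", DEFAULT_IGNORE_VALIDATION),
                         ("IgnoreForValidation", allowed_xss)):
        extra = sorted(_csv(settings.get(key, "")) - allowed)
        if extra:
            findings.append((key, "entries beyond the documented list: " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for setting, detail in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{setting}: {detail}")
```

Pass lync=True for sites that manage Lync Server or Skype for Business Server, so that the additional names from step 2 are not reported.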

Impact of updating CSRF setting


If you enable the CSRF settings, you cannot copy the URL of any page other than the Home
page and open it in a new tab or a new window of the browser. You also cannot open
bookmarked URLs.

Default Commands

• Web Interface for Administrators
• Web Interface for Help Desk

Web Interface for Administrators


The default configuration of the Web Interface site for Administrators includes the
commands summarized in the following tables.

Domain menu

Table 4: Domain Menu

| Command | Description |
|---|---|
| New Organizational Unit | Creates an Organizational Unit. |
| Properties | Lets you view or modify properties of a domain. |
| View Contents | Displays a list of objects that reside in a domain. |
| Change Operational DC | Lets you select a domain controller to use. |
| Change History | Lists the changes that were made to a domain. |
| View or Restore Deleted Objects | View or restore objects that were deleted from a domain. |

Container or OU menu

Table 5: Container or OU menu

| Command | Description |
|---|---|
| New User | Creates a user account in a container or Organizational Unit. |
| New Group | Creates a group in a container or Organizational Unit. |
| New Computer | Creates a computer in a container or Organizational Unit. |
| New Organizational Unit | Creates an Organizational Unit in an Organizational Unit. |
| New Shared Folder | Creates a shared folder in an Organizational Unit. |
| New Contact | Creates a contact in a container or Organizational Unit. |
| New Printer | Creates a printer (printQueue) object in a container or Organizational Unit. |
| New Room Mailbox | Creates a user account associated with a room mailbox in a container or Organizational Unit. |
| New Equipment Mailbox | Creates a user account associated with an equipment mailbox in a container or Organizational Unit. |
| New Linked Mailbox | Creates a user account associated with a linked mailbox in a container or Organizational Unit. |
| New Shared Mailbox | Creates a user account associated with a shared mailbox in a container or Organizational Unit. |
| Restore | Restores a deleted container or Organizational Unit in a domain where Active Directory Recycle Bin is enabled. |
| Delete | Deletes a container or Organizational Unit. |
| Move | Moves a container or Organizational Unit to a different location. |
| Rename | Renames a container or Organizational Unit. |
| Change History | Lists the changes that were made to a container or Organizational Unit. |
| Properties | Lets you view or modify properties of a container or Organizational Unit. |
| View Contents | Displays a list of objects that reside in a container or Organizational Unit. |
| View or Restore Deleted Objects | View or restore objects that were deleted from a container or Organizational Unit. |

Managed Unit menu

Table 6: Managed Unit menu

| Command | Description |
|---|---|
| Members | Displays a list of objects that are members of a Managed Unit. |
| View or Restore Deleted Objects | View or restore deleted objects that were direct members of a given Managed Unit at the time of deletion. |

User menu
Table 7: User menu

Command                              Description
Deprovisioning Results               On a deprovisioned user account, lets you examine the changes that were made to the account by the deprovisioning policies.
Undo Deprovisioning                  On a deprovisioned user account, rolls back the changes that were made to the account by the deprovisioning policies.
Disable Account / Enable Account     Disables a user account, or enables a disabled user account.
Reset Password                       Resets the password for a user account.
Delete                               Deletes a user account.
Restore                              Restores a deleted user account in a domain where Active Directory Recycle Bin is enabled.
Deprovision                          Performs all actions on a user account that are prescribed by the deprovisioning policies.
Move                                 Moves a user account to a different location.
Copy                                 Copies a user account.
Rename                               Renames a user account.
Member Of                            Lets you add or remove a user account from groups.
Change History                       Lists the changes that were made to a user account.
User Activity                        Lists the changes that were made by a user account.
General Properties                   Lets you view or modify general properties of a user account.
Managed Resources                    Lets you view objects for which a given user is assigned as the manager (primary owner) or a secondary owner.


Exchange Properties                  Lets you view or modify Exchange-related properties of a user account.
Terminal Services Properties         Lets you view or modify Terminal Services-related properties of a user account.
Dial-in Properties                   Lets you view or modify dial-in properties of a user account.
Name Mappings                        Lets you add, edit, or remove certificates and Kerberos names to user accounts. This functionality is similar to the ADUC Name Mappings functionality that allows you to add certificates and Kerberos names to users.
Create User Mailbox                  Creates a user mailbox associated with an existing user account.
Create Room Mailbox                  Creates a room mailbox associated with an existing user account.
Create Equipment Mailbox             Creates an equipment mailbox associated with an existing user account.
Create Linked Mailbox                Creates a linked mailbox associated with an existing user account.
Create Shared Mailbox                Creates a shared mailbox associated with an existing user account.
Move Mailbox                         Moves a mailbox.
Delete Mailbox                       Deletes a mailbox.
Establish E-mail Address             Establishes an e-mail address for a user account.
Delete E-mail Address                Deletes an e-mail address for a user account.
Remove Exchange Attributes           Removes all Exchange attributes from a user account.

Group menu

Table 8: Group menu

Command                              Description
Deprovisioning Results               On a deprovisioned group, lets you examine the changes that were made to the group by the deprovisioning policies.
Undo Deprovisioning                  On a deprovisioned group, rolls back the changes that were made to the group by the deprovisioning policies.
Members                              Lets you view or modify the list of members of a group.
                                     To view the total number of members of a group:
                                     1. In the Web Interface, select the group, and then choose the Members option from the navigation bar.
                                        The Members page displays the number of members in the group.
                                     2. Select the Show indirect members and Show pending members check boxes.
                                        The Members page displays the number of members including the indirect members and pending members in the group.
Member Of                            Lets you add or remove a group from another group or groups.
Controlled Groups                    On a group that stores the configuration of a Group Family, this command lets you view the groups controlled by that Group Family.
Restore                              Restores a deleted group in a domain where Active Directory Recycle Bin is enabled.
Delete                               Deletes a group.
Deprovision                          Performs all actions on a group that are prescribed by the deprovisioning policies.
Move                                 Moves a group to a different location.
Copy                                 Copies a group.
Rename                               Renames a group.
Change History                       Lists the changes that were made to a group.
General Properties                   Lets you view or modify general properties of a group.
Exchange Properties                  Lets you view or modify Exchange-related properties of a group.
Establish E-mail Address             Establishes an e-mail address for a group.
Delete E-mail Address                Deletes an e-mail address for a group.


Hide Membership / Unhide Membership  Hides / displays the members of a group in the Global Address List.
Remove Exchange Attributes           Removes all Exchange attributes from a group.

Computer menu

Table 9: Computer menu

Command                              Description
Enable Account / Disable Account     Disables or enables a computer account.
Reset Account                        Resets a computer account.
Restore                              Restores a deleted computer account in a domain where Active Directory Recycle Bin is enabled.
Delete                               Deletes a computer account.
Move                                 Moves a computer account to a different location.
Restart                              Lets you restart the computer represented by a computer account.
Manage                               Lets you manage computer resources, such as printers, services, devices, shares, local users, and local groups.
Member Of                            Lets you add or remove a computer account from groups.
Change History                       Lists the changes that were made to a computer account.
Properties                           Lets you view or modify properties of a computer account.

Web Interface for Help Desk


The default configuration of the Web Interface site for Help Desk includes the commands
summarized in the following tables.

Domain menu

Table 10: Domain menu

Command                              Description
View Contents                        Displays a list of objects that reside in a domain.
Change Operational DC                Lets you select a domain controller to use.

Container or OU menu

Table 11: Container or OU menu

Command                              Description
View Contents                        Displays a list of objects that reside in a container or Organizational Unit.
Change History                       Lists the changes that were made to a container or Organizational Unit.

Managed Unit menu

Table 12: Managed Unit menu

Command                              Description
Members                              Displays a list of objects that are members of a Managed Unit.

User menu

Table 13: User menu

Command                              Description
Deprovisioning Results               On a deprovisioned user account, lets you examine the changes that were made to the account by the deprovisioning policies.
Undo Deprovisioning                  On a deprovisioned user account, rolls back the changes that were made to the account by the deprovisioning policies.
Disable Account / Enable Account     Disables a user account, or enables a disabled user account.
Reset Password                       Resets the password for a user account.
Deprovision                          Performs all actions on a user account that are prescribed by the deprovisioning policies.
Member Of                            Lets you add or remove a user account from groups.
Change History                       Lists the changes that were made to a user account.
General Properties                   Lets you view or modify general properties of a user account.
Managed Resources                    Lets you view objects for which a given user is assigned as the manager (primary owner) or a secondary owner.

Group menu

Table 14: Group menu

Command                              Description
Deprovisioning Results               On a deprovisioned group, lets you examine the changes that were made to the group by the deprovisioning policies.
Undo Deprovisioning                  On a deprovisioned group, rolls back the changes that were made to the group by the deprovisioning policies.
Members                              Lets you view or modify the list of members of a group.
Member Of                            Lets you add or remove a group from another group or groups.
Deprovision                          Performs all actions on a group that are prescribed by the deprovisioning policies.
General Properties                   Lets you view or modify general properties of a group.


About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.

Technical support resources


Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
• Submit and manage a Service Request
• View Knowledge Base articles
• Sign up for product notifications
• Download software and technical documentation
• View how-to videos at www.YouTube.com/OneIdentity
• Engage in community discussions
• Chat with support engineers online
• View services to assist you with your product
