ActiveRoles Web Interface Administration Guide
Introduction
Getting Started
Configuring the Web browser
Configuring Google Chrome
Configuring Mozilla Firefox
Connecting to the Web Interface
Changing personal settings
Logging out of the Web Interface
Default Commands
Web Interface for Administrators
Domain menu
Container or OU menu
Managed Unit menu
User menu
Group menu
Computer menu
Web Interface for Help Desk
Domain menu
Container or OU menu
About us
Contacting us
Technical support resources
The Active Roles Web Interface Administration Guide is for individuals who are responsible
for deploying and tailoring the Web Interface to suit the needs of their organization. This
document provides a brief overview of the Web Interface, explains the customization
capabilities, and provides instructions on how to customize the Web Interface and perform
administrative tasks.
When creating a new Web Interface site, you have the option to apply the configuration of
an existing Web Interface site to the newly created one. If you have the Web Interface site
tailored to suit your needs, and need to deploy its instance on another Web server, this
option ensures that the new Web Interface site has the same set of menus, commands and
pages as the existing one.
When initially configured, the Web Interface has three Web Interface sites, each of which is
based on a default configuration template. You can modify the Web server-related
parameters, such as the Web application alias, for these Web Interface sites, or delete Web
Interface sites. You can also create additional Web Interface sites.
Each Web Interface site can be accessed from a Web browser using the address based on the
Web application alias:
http://<WebSite>/<Alias>
Here, <WebSite> identifies the IIS Web site containing the Web application that
implements the Web Interface site and <Alias> stands for the alias of that Web application,
as specified in Configuration Center. For example, if the Web application is contained in the
default Web site, the address is http://<Computer>/<Alias>, where <Computer> stands
for the network name of the computer (Web server) running the Web Interface.
By default, Web Interface users connect to the Web Interface using HTTPS transport,
which encrypts the data transferred from a Web browser to the Web Interface. If you
do not want a secure transport for transferring data to the Web Interface, you can disable the
HTTPS option using the Configuration Center.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided
by the Web server for data encryption. For instructions on how to enable SSL on your Web
server, see https://support.microsoft.com/en-in/help/324069/how-to-set-up-an-https-service-in-iis.
If SSL is enabled, users specify an HTTPS prefix rather than an HTTP prefix when
connecting to the Web Interface.
One more situation that may require the use of an earlier configuration version is when you
need to restore the configuration of a Web Interface site from a backup. Configuration
Center allows you to export configuration to a file. The export file is a backup from which
the configuration can be restored if necessary. You can import the configuration from an
export file created by the current Active Roles version or by an earlier version.
1. On the Configuration page of the wizard for creating or modifying a Web Interface
site in Configuration Center, select the Import from a file option.
2. In Configuration name, type a name for the new configuration that will be created
by importing data from the export file, or accept the default name.
3. From the File to import field, select the export file.
Earlier Active Roles versions exported site configuration data to an export package (a
collection of export files) rather than a single export file. You can use Configuration Center
to import configuration from an export package: click the Browse button next to the File
to import field, navigate to the folder containing the export package files, and select
the .txt file that identifies the export package.
1. Click the Chrome menu button on the browser toolbar, and then click Settings.
2. On the Settings page, click Show advanced settings, and then click the Content
settings button in the Privacy section.
3. In the Content settings dialog box, do the following:
a. Make sure that the Allow local data to be set option is selected
under Cookies.
b. Make sure that the Allow all sites to run JavaScript option is selected under
JavaScript.
c. When finished, click Done.
For example, to connect to the default site for administrators, you might type
http://server/ARWebAdmin where server stands for the name of the Web server
running the Web Interface.
Active Roles saves these settings on a per-user basis in the configuration of the Web
Interface site. Once saved, the personal settings take effect regardless of which computer
is used to access the Web Interface. The user can have different personal settings for
different Web Interface sites.
1. Click the Settings (gear) icon in the upper right corner of the Web Interface window.
2. Configure the settings as needed.
3. Click Save for the changes to take effect.
The Log out command closes the current Web Interface session and deletes all the
session-related data from the local computer.
Not logging out may pose a security risk (for example, if the user accesses the Web
Interface from a public computer). In such a case, the Web Interface can forcibly terminate
the session due to user inactivity.
The Web Interface provides an inactivity timeout, ensuring that the session is not terminated
unexpectedly. The administrator can specify the amount of continuous idle time that must
pass in a Web Interface session before a message box pops up to prompt the user for an
action. If the user does not respond to the prompt, the session is forcibly terminated after
an additional grace period.
NOTE:
• For more information on extending the Active Roles provisioning and account
administration capabilities to your cloud applications, click the supported
connectors in the What's New section from the Active Roles drop-down list.
• On the title bar of the Active Roles Web Interface, click Feedback to provide
product feedback. You are redirected to a new browser that allows you to provide
the feedback.
Directory Management
Directory Management allows you to browse for, and administer, directory objects in
your organization. Your Active Roles permissions determine which tasks you can perform.
Directory Management provides the following views:
• Active Directory: Lists Active Directory domains managed by Active Roles,
allowing you to navigate through containers in those domains. You can view, filter
and select objects held in the container, and apply commands to the selected
object or container.
• Managed Units: Lists Managed Units defined in Active Roles, allowing you to view
objects, and navigate through containers, held in Managed Units. You can filter and
select objects, and apply commands to the selected object or container.
For information on how to administer Active Directory objects, see Managing Active
Directory objects later in this document.
Search
Search provides a flexible, query-based mechanism that helps locate directory objects
quickly and without browsing through the directory tree. You can select containers in the
directory, and build a query by specifying search criteria. The Web Interface searches in the
selected containers and all of their subcontainers, and lists the objects that match your
search criteria. When the objects you target are returned as the results of a search query,
you can then perform the necessary administrative tasks.
You can also save the queries that you build and use them again at a later time. The Web
Interface saves queries as your personal views, with each view consisting of the containers
and search criteria that you select, as well as the customized sorting and column
information that you specify.
For instructions on how to perform a search, see Searching for directory objects later in
this document.
Approval
Approval provides you with the tools for performing tasks related to approval workflow.
You can use these tools to complete approval tasks assigned to you as an Approver, and to
Settings
By using Settings, you can specify:
• The language of the Web Interface pages.
• The maximum number of objects displayed in single-page lists.
• The maximum number of list items displayed on a single page in multi-page lists.
• The maximum number of links to pages displayed for multi-page lists.
• The maximum time, in minutes, for which the notification is to be visible.
• The maximum number of notifications to be stored in Active Roles.
You can also enable Show objects owned by inheritance or secondary ownership.
Selecting this check box allows Self-Administration Web Interface users to view objects in
My Managed Resources even if the user is not assigned to the objects as the primary
owner (manager), but as a secondary or inherited owner.
Settings are saved on a per-user basis in the configuration of the Web Interface site. For
more information, see Changing personal settings.
Customization
Customization allows you to tailor the Web Interface to suit the specific needs of your
organization. The Customization item is only displayed if you are logged on as Active
Roles Admin. The Active Roles Admin account is specified upon configuration of the Active
Roles Administration Service.
Customization includes the following tasks:
• Directory Objects: Modify menus, commands, and forms for administering
directory objects. View or change global settings, such as the logo image and
color scheme.
• Restore Default: Restore the original (default) menus, commands, and forms,
discarding all previous customizations.
• Reload: Put into effect the menus, commands, and forms that you have customized.
The customization settings determine the configuration of the Web Interface site for
all users.
For more information and instructions on how to customize the Web Interface, see
“Customizing the Web Interface” in the Active Roles Web Interface Administration Guide.
Navigation bar
Located on the left side of the page, the Navigation bar provides the first level of navigation
for most of the tasks you can perform in the Web Interface. The Navigation bar is organized
by Web Interface areas, and includes the following items:
• Home: Go to the Web Interface home page.
• Directory Management: Browse for, and administer, directory objects in your
organization.
• Search: Search for, and administer, directory objects in your organization.
• Customization: Customize Web Interface pages. Available to Active Roles
Admin only.
• Approval: Perform the tasks relating to approval of administrative operations.
• Settings: View or change your personal settings that control the display of the
Web Interface.
• Help: Find Help topics and other helpful resources for the Web Interface.
Browse pane
Located next to the Navigation bar, the Browse pane lists the built-in views and personal
views, and allows you to access the tree view:
• Built-in views provide entry points to browsing for objects in the directory. Personal
views are filter or search queries you build and save to use them again at a later
time. To see built-in views and personal views, click the Views tab at the top of the
Browse Pane.
• The tree view helps you browse for directory objects by using the directory tree to
navigate through the hierarchical structure of containers. To see the tree view, click
the Tree tab at the top of the Browse Pane.
List of objects
When you select a container or view in the Browse pane, you’ll see a list of objects. If you
select a container, the list includes the objects held in that container. If you select a view,
the list includes the objects that match the view settings. It is also possible to customize
the list by sorting and filtering, and by adding or removing list columns.
You can select objects from the list and apply commands to the selected object or objects.
When you click the name of a container object, such as a domain or an organizational unit,
the list changes to display the objects held in that container, thereby enabling you to
browse through containers in the directory.
Toolbar
The Toolbar contains a number of controls allowing you to manage the current list
of objects:
• Click the Menu button on the left side of the Toolbar to save the current list as a
personal view, add or remove list columns, or export the list to a text file.
• Type in the Filter field and then click the button next to that field to have the list
include only those objects whose naming properties match what you typed.
• Click the Expand/Collapse button on the right side of the Toolbar to configure filtering
criteria based on object properties. To have the list include only the objects that
match your filtering criteria, click the button next to the Filter field.
Command pane
Located to the right of the list of objects, the Command pane provides commands you
can apply to objects you select from the list as well as commands you can apply to the
current container:
• If no objects are selected in the list, the menu includes only the commands that apply
to the current container. These commands are grouped under a heading that shows
the name of the current container.
• If a single object is selected in the list, the commands that apply to the selected
object are added at the top of the menu, under a heading that shows the name of the
selected object.
• If multiple objects are selected from the list, the commands that apply to all of the
selected objects are added at the top of the menu, under a heading that shows the
number of the selected objects.
Summary pane
When you select an object from the list, information about that object is displayed in the
Summary pane under the list of objects. The information includes some commonly used
properties of the object, and depends upon the object type. For example, user properties
provide more detailed information about a user account, such as the logon name, e-mail
address, description, job title, department, expiration date, and the date and time that the
account was last changed. If you don’t see the Summary pane, click in the area beneath
the list of objects.
The property page consists of several tabs. Each tab provides a number of data entries
allowing you to view or change certain properties of the directory object. Click a tab to
access the data entries on that tab. To apply the changes you have made in the data
entries, click the Save button.
Active Roles Admin can use the Customize link in the upper right corner of the page to add
or remove data entries or entire tabs from the property page. The Customize link is not
displayed unless you are logged on as a member of the Active Roles Admin account, which
is specified in the configuration settings of the Active Roles Administration Service.
You can also sort the list by other columns. Click a column heading to change the sort
order. For instructions on how to add or remove columns, see Adding or removing columns
from the list of objects later in this document.
After you have applied a filter, the list includes only the objects that match the filter. For
example, you can type a few characters in the Filter field on the Toolbar and then press
Enter to view only the objects whose name starts with the characters you typed.
1. Click the Menu button on the left side of the Toolbar, and then click Choose
columns.
2. To add a column for a certain property, click the name of the property in the Hidden
columns list and then click the right arrow button to move the property to the
Displayed columns list.
3. To remove a column for a certain property, click the name of the property in the
Displayed columns list and then click the left arrow button to move the property to
the Hidden columns list.
You can reorder list columns by moving list items up and down in the Displayed columns
list: Click the name of the property in the list and then click the up arrow button or the
down arrow button next to the list.
1. Click the Search in box on the Toolbar, and then select the container that you want
to search. You can select more than one container.
The Web Interface will search in the selected container and all of its subcontainers.
2. Specify criteria for the objects that you want to find:
• To search by naming properties, type in the Search field on the Toolbar. The
Web Interface will search for objects whose naming properties match what you
typed. The naming properties include name, first name, last name, display
name, and logon name.
• To search by other properties, click the button on the right side of the Toolbar
to expand the Toolbar, click Add criteria, choose the properties by which you
want to search, click Add, and then configure the criteria as appropriate. The
Web Interface will search for objects that match the criteria that you
configured.
3. Press Enter to start the search.
The search results are listed on the Search page. You can customize the list by adding or
removing list columns and sorting the list by column data. To add or remove list columns,
click the Menu button on the left side of the Toolbar and then click Choose columns (see
also Adding or removing columns from the list of objects earlier in this document). To sort
the list by column data, click column headings.
IMPORTANT: The scope of filtering is always set to the current container, and
does not include any subcontainers of that container. Filtering is essentially a
search for objects held in a given container only. If you want to search the
current container and all of its subcontainers, click Search under this
container in the Command pane, and then configure and perform a search as
described in Searching for directory objects earlier in this document.
2. Specify how you want to filter the objects held in the container:
• To filter objects by naming properties, type in the Filter field on the Toolbar and
then press Enter or click the button next to the Filter field. The list of objects
will include only the objects whose naming properties match what you typed.
The naming properties include name, first name, last name, display name, and
logon name.
• To filter objects by other properties, click the button on the right side of the
Toolbar to expand the Toolbar, click Add criteria, choose the properties by
which you want to filter, click Add, and then configure the criteria as
appropriate. The list of objects will include only the objects that match the
criteria you configured.
3. To apply the filter, press Enter or click the button next to the Filter field on
the Toolbar.
When a filter is applied to a container, the Web Interface lists a subset of all objects held in
that container. You can remove the filter to view all objects: If you did not add criteria,
clear the Filter field on the Toolbar and then press Enter; otherwise, expand the Toolbar,
click Clear all, and then press Enter.
1. In your Web browser, go to the address (URL) of the Web Interface site for self-
administration.
By default, the address is http://<server>/ARWebSelfService where <server>
stands for the name of the server running the Web Interface.
It’s up to the Active Roles administrator to determine what information you are authorized
to view or modify on the User Profile Editor page. Some fields on the page might not be
editable. The fields that you are not permitted to modify appear on the page as read-only
text. The properties that you are not permitted to view are not displayed on the User
Profile Editor page.
When you perform a management task, the Web Interface supplements and restricts your
input based on policies and permissions defined in Active Roles. The Web Interface displays
the data generated by policies, and prevents the input of data that would cause policy
violations. The following rules apply:
• If a policy requires that a value be specified for a particular property, the name of the
field for that property is marked with an asterisk (*).
Batch operations
In the Web Interface, you can select multiple objects (such as users, groups and
computers), and then apply a certain command to your selection of objects. This allows you
to perform a batch operation on all the selected objects at a time instead of executing the
command on each object separately. The Web Interface supports the following batch
operations:
• Delete: Allows you to delete multiple objects at a time.
• Deprovision: Allows you to deprovision multiple users or groups at a time.
• Move: Allows you to move a batch of objects to a different organizational unit
or container.
• Add to groups: Allows you to add a batch of objects to one or more groups of
your choice.
• Update object attributes: Allows you to perform bulk attributes operations on
multiple users at a time.
• Reset Password: Allows you to reset the password for multiple users at a time.
Batch operations are available in the list of objects on the following Web Interface pages:
• Search: This page lists the search results when you perform a search.
• View Contents: This page displays the objects held in a given organizational unit,
Managed Unit, or container.
To perform a batch operation, select the check box next to the name of each of the desired
objects in the list, and then click a command in the top area of the Command pane. This
executes the command on each object within your selection.
1. Locate the user account you want to enable. For instructions on how to locate objects
in the Web Interface, see Locating directory objects earlier in this document.
2. In the list of objects, select the user account you want to enable.
3. In the Command pane, click Enable Account.
NOTE: If the user account is not disabled, the Command pane includes the Disable
Account command instead of the Enable Account command.
1. In the Web Interface, locate and select the user account. For instructions on how
to locate objects in the Web Interface, see Locating directory objects earlier in
this document.
2. In the Command pane, click Member Of.
3. On the Member Of page that appears, click Add.
4. On the Select Object page that appears, perform a search to locate the group. For
instructions on how to configure and start a search, see Searching for directory
objects earlier in this document.
5. In the list of search results on the Select Object page, select the group to which you
want to add the selected user account, and then click Add.
The Web Interface prompts you for parameter values if the workflow has any parameters
that need to be supplied by the user running the workflow on demand. If the workflow has
no parameters that require user input, then the Web Interface starts the workflow without
prompting you for parameter values.
Once you have started an automation workflow, the Web Interface opens a run history
report allowing you to examine the progress of workflow execution. The report displays the
workflow execution status along with information about the activities performed during
workflow run. For a workflow that is in progress you have the option to cancel execution of
the workflow by clicking the Terminate button.
After the workflow is completed, the report retains history information about the workflow
run. For each completed run of the workflow, the report allows you to identify when and by
whom the workflow was started, when the workflow was completed, and what parameter
values were used.
The report also lists the workflow activities that were executed during the workflow run. For
each activity, you can determine whether the activity was completed successfully or
returned an error. In case of error, the report provides an error description. For activities
requesting changes to directory data (for example, activities that create new objects or
modify existing objects), you can examine the requested changes in detail by clicking the
Operation ID number in the run history report.
1. In the Web Interface, select the group, and then choose the Members command.
2. On the Members page, click Add.
3. In the Select Object dialog box find and select the objects that you want to make
temporal members of the group, and then click Temporary Access.
4. In the Temporal Membership Settings dialog box, choose the appropriate
options, and then click OK:
• To have the temporal members added to the group on a certain date in the
future, select On this date under Add to the group, and choose the date and
time you want.
• To have the temporal members added to the group at once, select Now under
Add to the group.
• To have the temporal members removed from the group on a certain date,
select On this date under Remove from the group, and choose the date
and time you want.
• To retain the temporal members in the group for an indefinite time, select Never
under Remove from the group.
NOTE: You can make an object a temporal member of particular groups by
managing the object rather than the groups. Select the object, and then choose the
Member Of command. On the Member Of page, click Add. In the Select Object
dialog box, find and select the groups, and specify the temporal membership
settings as appropriate for your situation.
1. In the Web Interface, select the group, and then choose the Members command.
2. Review the list on the Members page:
• An icon of a small clock overlays the icon for the temporal members.
• If the Show pending members check box is selected, the list also includes
the temporal members that are not yet added to the group.
The list of group memberships for a particular object makes it possible to distinguish
between the groups in which the object is a regular member and the groups in which the
object is a temporal member. It is also possible to hide or display so-called pending group
memberships, the groups to which the object is scheduled to be added in the future.
1. In the Web Interface, select the object, and then choose the Member Of command.
2. Review the list on the Member Of page:
• An icon of a small clock overlays the icon for the groups in which the object is a
temporal member.
• If the Show pending group memberships check box is selected, the
list also includes the groups to which the object is scheduled to be added
in the future.
1. In the Web Interface, select the group, and then choose the Members command.
2. In the list on the Members page, select the member and then click the Temporary
Access button.
3. Use the Temporal Membership Settings dialog box to view or modify the start or
end time settings.
The Temporal Membership Settings dialog box provides the following options:
• Add to the group | Now: Indicates that the object should be added to the
group at once.
• Add to the group | On this date: Indicates the date and time when the object
should be added to the group.
• Remove from the group | Never: Indicates that the object should not be removed
from the group.
• Remove from the group | On this date: Indicates the date and time when the
object should be removed from the group.
Regular members have the Add to group and Remove from group options set to
Already added and Never, respectively. You can set a particular date for any of these
options in order to convert a regular member to a temporal member.
NOTE:
• You can view or modify the start time and end time settings by managing an object
rather than the groups in which that object has memberships. Select the object,
and then choose the Member Of command. On the Member Of page, select the
group for which you want to manage the object’s start or end time setting and click
Temporary Access.
• On the Members or Member Of page, you can change the start or end time
setting for multiple members or groups at a time. On the page, select multiple list
items, click Temporary Access, and then, in the Temporal Membership
Settings dialog box, make the changes you want.
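The Add to the group and Remove from the group options described above combine into a small number of membership states. The following Python model is an added example, not Active Roles code: the Membership record, the group names, the state names and the two review rules are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Membership:
    """One group membership with its two temporal settings (hypothetical record).

    add_on=None    models "Add to the group | Now" (or "Already added").
    remove_on=None models "Remove from the group | Never".
    """
    member: str
    group: str
    add_on: Optional[datetime] = None
    remove_on: Optional[datetime] = None


def is_temporal(m):
    """A regular member has neither date set; any date makes it temporal."""
    return m.add_on is not None or m.remove_on is not None


def state(m, now):
    """Classify a membership at time `now`.

    pending: start time not reached yet (a "pending member")
    expired: end time has passed, so the member is due for removal
    active:  currently a member
    """
    if m.add_on is not None and now < m.add_on:
        return "pending"
    if m.remove_on is not None and now >= m.remove_on:
        return "expired"
    return "active"


def review(memberships, now, privileged):
    """Return {(member, group): (state, temporal?, notes)}.

    Notes flag two settings worth a second look (assumed review rules):
    an end time that is not after the start time, and a membership in a
    privileged group that has no removal date at all.
    """
    report = {}
    for m in memberships:
        notes = []
        if m.add_on and m.remove_on and m.remove_on <= m.add_on:
            notes.append("removal is not after addition")
        if m.group in privileged and m.remove_on is None:
            notes.append("no removal date on privileged group")
        report[(m.member, m.group)] = (state(m, now), is_temporal(m), notes)
    return report


# Constructed sample data; names and dates are illustrative only.
NOW = datetime(2024, 3, 15, 12, 0)
PRIVILEGED = {"Tier0-Admins"}
SAMPLE = [
    # Now / On this date: time-boxed access that is currently active.
    Membership("alice", "Tier0-Admins", None, datetime(2024, 3, 16)),
    # On this date / Never: pending now, indefinite once added.
    Membership("bob", "Tier0-Admins", datetime(2024, 4, 1), None),
    # Already added / Never: a regular member.
    Membership("carol", "Tier0-Admins", None, None),
    # End time precedes start time.
    Membership("dave", "Helpdesk", datetime(2024, 3, 20), datetime(2024, 3, 18)),
    # Both dates in the past.
    Membership("erin", "Tier0-Admins", datetime(2024, 3, 1), datetime(2024, 3, 10)),
]

if __name__ == "__main__":
    for key, (st, temporal, notes) in review(SAMPLE, NOW, PRIVILEGED).items():
        kind = "temporal" if temporal else "regular"
        print(key, st, kind, "; ".join(notes) or "-")
```
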
1. In the Web Interface, select the group, and then choose the Members command.
2. On the Members page, select the member, and click Remove.
1. In the list of objects, select the object that represents the directory data you
want to manage.
2. Use commands in the Command pane to perform management tasks.
1. In the Web Interface, locate the computer that hosts resources you want to manage.
For instructions on how to locate objects in the Web Interface, see Locating directory
objects earlier in this document.
2. Select the computer in the list of objects, and then click Manage in the
Command pane.
3. In the list of resource types, click the type of resource you want to manage.
4. In the list of objects that appears, select the resource you want to manage.
5. Use commands in the Command pane to perform management tasks on the
selected resource.
1. Repeat Steps 1–2 of the previous procedure, to start managing computer resources.
2. In the list of resource types, click Printers to view a list of printers found on the
computer you selected.
3. In the list of printers, select a printer whose print jobs you want to manage.
4. In the Command pane, click Print Jobs to view a list of documents being printed.
1. On the Tree tab in the Browse pane, click the Deleted Objects container.
2. In the Command pane, click Search under this container.
The Web Interface lists the objects that were deleted from the OU or MU you selected. The
list can be sorted or filtered as appropriate to locate particular objects (see Managing the
list of objects earlier in this document).
NOTE: The View or Restore Deleted Objects command is also available on domain
and container objects.
1. In a list of deleted objects, select the object you want to undelete. For instructions on
how to build a list of deleted objects, see Locating deleted objects.
2. In the Command pane, click Restore.
3. Review and, if necessary, change the settings in the Restore Object dialog box, and
then click OK to start the restore process.
The Restore Object dialog box prompts you to choose whether the deleted child objects
(descendants) of the deleted object should also be restored. The Restore child objects
The Approval area provides a way to perform change approval actions, allowing you to
control changes to directory data that require your approval and monitor your operations
that require approval by other persons. You can use the Approval area to:
• Perform approval tasks: approve or reject operations so as to allow or deny the
requested changes to directory data. Examples of operations include (but are not limited
to) creation and modification of user accounts or groups.
• Check the status of your operations: examine whether the changes to directory data
you requested are approved and applied, or rejected.
When a Web Interface user makes changes to directory data that require permission from
other individuals in an organization, the changes are not applied immediately. Instead, an
operation is initiated and submitted for approval. This starts a workflow that coordinates
the approvals needed to complete the operation. The operation is performed and the
requested changes are applied only after approval. An operation may require approval from
one person or from multiple persons.
When an operation is submitted for approval, Active Roles tracks the initiator and the
approver or approvers. The initiator is the person who requested the changes. Approvers
are those who are authorized to allow or deny the changes. An operation that requires
approval generates one or more approval tasks, with each approval task assigned to the
In addition to using the predefined views, you can locate operations and tasks by using the
search function.
1. In the right pane of the Web Interface page, under the Search label, type the ID
number of the operation or task in the Search by ID box.
2. Click the button next to the Search by ID box to start the search.
You can also search for approval items (operations and tasks) by properties other than
ID. For instance, you can find the operations that were initiated by a specific user.
Another example is the ability to locate approval tasks generated within a specific time
period. To access the advanced search function, click Advanced Search under the
Search label. Then, use the Advanced Search page to configure your search settings
and start a search.
Advanced search is the most comprehensive way to search for approval items such as
operations and tasks. Use it to find approval items based on their properties. You do this by
creating queries, which are sets of one or more rules that must be true for an item to be
found. An example of a query for operations is “Initiator is (exactly) John Smith.” This
specifies that you are searching for operations that have the Initiator property set to John
Smith’s user account.
With advanced search, you can use conditions and values to search for approval items
based on item properties (referred to as “fields” on the search page). Conditions are
Pending tasks
The Pending view contains a list of your approval tasks to be completed. Each task in the
list is identified by a header area that provides basic information about the task such as a
unique ID number of the task, who requested the operation that is subject to approval,
when the task was created, the time limit of the task (if any), and the target object of the
operation. In the middle of a task’s header area is a section that contains the title of the
task (Approve operation by default), a label indicating the status of the task, and
summary information about the operation that is subject to approval.
The task’s header area contains the action buttons you can use to apply the appropriate
resolution to the approval task. The action buttons are displayed at the bottom of the
header area. Which buttons are displayed depends upon configuration of the approval rule.
You may encounter the following action buttons there:
The task’s header area contains the Examine task button allowing you to get detailed
information about the task, review the object properties submitted for approval, and
supply or change additional properties. Clicking the Examine task button displays a
page containing a replica of the task’s header area, the action buttons, and a number
of information sections. Review the information on the page, supply or change the
object properties for which the task requests your input, and then click the appropriate
action button.
The page that appears when you click the Examine task button includes the following
information sections:
• Object properties
The contents of this section depend heavily upon the configuration of the approval rule.
Thus, the approval rule may request you to enter additional information that must be
added to the operation request. For example, when you approve the operation of
creating a user account, you may have to supply certain properties of the user
account in addition to those supplied by the administrator who requested creation of
You can also complete a task by clicking the appropriate action button in the task’s header
area. However, if the current policy and approval rules require the approver to supply some
additional information, the Web Interface would open the Object properties page,
prompting you to configure the required properties.
Completed tasks
The Completed view contains a list of your approval tasks that are completed and do not
require approver action. Each task in the list is identified by a header area that provides
basic information about the task such as a unique ID number of the task, who requested
the operation that is subject to approval, when the task was created, and the target object
of the operation. In the middle of a task’s header area is a section that contains the title of
the task (Approve operation by default), a label indicating the status of the task, and
summary information about the operation that was subject to approval. The header area
also identifies the approver action that was applied to complete the task and the completion
reason, if any, specified by the approver who completed the task.
• Introduction
• Terminology
• Configuring menus
• Configuring commands
• Configuring forms
• Examples
• Global settings
• Customizing the Navigation bar
• Customizing the Home page
• Configuring Web interface for enhanced security
Introduction
The Web Interface gives Active Roles administrators the ability to customize menus,
commands, and forms that are used for managing directory objects. Active Roles
administrators can add and remove commands or entire menus, assign tasks and
forms to commands, modify forms used to perform tasks, and create new commands,
tasks, and forms.
NOTE: The Active Roles administrators are members of the Active Roles Admin
account, specified during configuration of the Active Roles Administration Service. By
default, the Active Roles Admin account is the Administrators local group on the
computer running the Administration Service.
Before you start customizing the Web Interface, you should consider the following:
• The customization settings are saved as part of the Active Roles configuration. When
you customize a Web Interface site, your changes are in effect on all the other Web
Interface sites that share the configuration you are changing.
• After you have performed any customization of a Web Interface site, you must
publish the new configuration to the Web server. To do this, open the Web Interface
site in your Web browser, expand Customization on the Navigation bar, and then
click Reload. This operation must be performed on each of the Web Interface sites
that share configuration with the site you have customized.
• The Reload command causes the Web Interface to retrieve the new configuration
data from the Administration Service and update the local copy of the configuration
data on the Web server that hosts the Web Interface site. When configuration data
changes because of any customization-related actions the changes have no effect on
Terminology
This section briefly describes the items involved in customization of the Web Interface—
menus, commands, forms, tabs, and entries. The following figure shows the items you
can customize.
Figure 2: Terminology
Menu
A menu represents a set of commands (directives) associated with objects of a certain
type, and used to manage those objects. Examples: the User menu, the Group menu, the
Contact menu.
Command
A command is an instruction that, when issued by a user, causes an action to be carried
out. Web Interface users select commands from a menu in the Command pane. Some
examples of commands are New User on the Organizational Unit menu, General
Properties on the User menu and Members on the Group menu.
Each command is intended to perform a certain task, such as displaying property pages.
You can customize pages associated with a command.
Form
A form is a structured page with predefined areas for entering and changing information. A
form consists of elements such as text boxes, check boxes, option buttons, and command
buttons. Form elements allow users to perform actions, make choices, and identify and
enter information. A form is a set of pages (tabs) associated with a command that requires
data entry. You can customize a form by adding or removing tabs and entries.
Tabs
Since an object normally has a large number of properties, it may be necessary to
categorize and group properties within a form. A tab represents a group of properties
located on a separate page, such as General, Address or Account on the Properties
form for User objects. By clicking tabs, you can access pages to view or modify properties.
You can add or remove tabs from a form, and change the order of tabs.
Entry
An entry is a group of elements on a form that are intended to view or modify a
property of an object. For example, the First name entry is used to manage the value
of the givenName property. You can add or remove entries from a form, and change
the order of entries.
The Form Editor displays all tabs that make up a form, along with the entries placed on
each tab, and provides a central place to add, remove, or modify tabs and entries, as well
as to change the order of tabs and entries on the form. The main elements of the Form
Editor are as follows.
Focus item
The focus item identifies the object you are customizing. A list of menus, a menu, a command,
a form, a tab and an entry are examples of focus items. To identify a focus item, the
Web Interface displays the name of the item and an icon indicating the type of the item.
Toolbar
You can use the toolbar to make changes to the form. The toolbar includes the
following buttons:
• Move Up: Moves the selected items up one level in the list.
• Move Down: Moves the selected items one level lower in the list.
• Delete: Removes the selected items.
• New Tab: Adds a tab to the form.
• Add Entry: Adds an entry to the tab.
Tab
Click a tab to view or modify entries on that tab. You can change the order of tabs by
selecting check boxes next to tab names, and then clicking Move Up or Move Down on
the toolbar. You can also view or modify properties of a tab by clicking the Edit icon next to
the name of the tab.
Configuring menus
For each object type, such as User, Group or Computer, the Command pane displays a
menu that represents a list of commands associated with that object type. You can
customize a menu by adding or removing commands. Use the following instructions to
manage menus in the Web Interface.
The List Existing Menus page displays a list of menus. You can click the name of a menu
in the list to view a list of commands included in the menu.
Creating a menu
To create a menu
Deleting a menu
To delete a menu
1. On the List Existing Menus page, click the name of the menu you want to delete.
2. In the right pane, click Delete Menu.
3. Click Reload to publish your changes.
1. On the List Existing Menus page, click the name of the menu to which you want to add
the command.
2. In the right pane, click Create New Command.
3. In the Command type list, click one of the following:
• Form Task: Create a command to open a form.
• Page View Task: Create a command to open a custom page.
• Search Task: Create a command to perform a search.
• Set Attribute Task: Create a command to assign a certain value to a certain
attribute of directory objects.
4. Click Next.
5. Specify general properties of the command, such as the command name and
description.
6. Specify command properties specific to the type of the command:
• If you have selected Page View Task, specify the address (URL) of the
resource, such as a Web page, that you want the command to open.
• If you have selected Search Task, specify the parameters of the search you
want the command to perform. You can also set up the configuration of the list
of search results.
• If you have selected Set Attribute Task, choose the attribute you want the
command to set and specify the value you want the command to assign to
that attribute.
7. Click Finish.
8. Click Reload to publish your changes.
1. On the List Existing Menus page, click the name of the menu to which you want to add
the command.
2. In the right pane, click Add Existing Command.
3. In the list of existing commands, click the command you want to add to the menu.
The list includes commands that exist in the configuration of the Web Interface site.
Note that the list also includes the commands that were deleted from menus, so you
can use the Add Existing Command function to restore a command on a menu.
4. Click Save.
5. Click Reload to publish your changes.
1. On the List Existing Menus page, click the name of the menu from which you want to
remove commands.
2. In the list of commands, select check boxes to mark the commands you want
to remove.
3. On the toolbar at the top of the list, click Delete.
4. Click Reload to publish your changes.
NOTE: The Web Interface runs the default command for an object when the user
clicks the name of that object in a list. For example, since View Contents is set as
the default command for container objects, the Web Interface lists the objects held in
the container when you click the name of a container in a list of objects.
1. On the List Existing Menus page, click the name of the menu you want to modify.
2. In the right pane, click Add Separator.
This adds the <Separator> item to the list of menu commands.
3. Adjust the position of the separator on the menu: Select the check box next to the
separator in the list of commands and then click Move Up or Move Down on the
toolbar at the top of the list.
4. Click Reload to publish your changes.
NOTE:
• Separators are used to group related commands on a menu, to make the menu
easier to read.
• If necessary, you can remove separators: In the list of commands, select check
boxes to mark the separators you want to remove, and then click Delete on the
toolbar at the top of the list.
1. On the List Existing Menus page, click the name of the menu you want to modify.
2. In the list of commands, select check boxes to mark the commands you want
to move.
3. Click Move Up or Move Down on the toolbar at the top of the list.
4. Click Reload to publish your changes.
Configuring commands
Each command on a menu is intended to perform a certain task, such as displaying
property pages for a directory object, searching for objects that meet certain conditions or
assigning a certain value to a certain attribute of a directory object. You can select a
command, and customize its action or associated pages.
1. In the list of menus on the List Existing Menus page, click the name of the menu
that includes the desired command.
2. In the list of commands found on the menu, click the name of the desired command.
3. Modify the properties of the command, if needed, and click Save.
4. Click Reload to publish your changes.
You can also associate a command with a form that already exists in the configuration of
the Web Interface site.
The list of existing forms includes only the forms that are applicable to the object type the
command is intended for. For example, when you select a command from the menu for the
User object type, the list only includes the forms that are applicable to User objects.
NOTE:
• Instead of linking a different form to a command, you can modify the form that
is already associated with the command.
• If necessary, you can configure a command so as to have no form associated
with it: in the list on the Link with Existing Form page, click <no assigned
form>, and then click Save.
Properties of a command
Every command has a number of properties that determine the behavior of the command. The
command properties vary depending upon the command type:
• Form Task: This command type is intended to display forms. When you click a
command of this type, the Web Interface opens the form that is associated with that
command. Then, depending on the type of the form, you can view or change the data
shown on the form for an existing object or enter data on the form for creating a new
object. The identifier of the form is part of the command properties (see Form Task
properties).
All commands have common properties, such as the name and description. In addition,
each command has a number of properties determined by the command type.
Common properties
A command of any type has the following properties:
• Name: The text that labels the command on the menu. This text is what Web
Interface users view in the Command pane.
• Description: Any text to help identify the command in a list of commands. An
administrator can view this text in addition to the command name when selecting a
command to add, remove, or modify.
• ToolTip: The text that is displayed when the mouse pointer is positioned over the
command in the Command pane.
• Command Type: The type of the command is specified when the command is
created, and cannot be changed.
Base DN
The Base DN property specifies the distinguished name of the container in which to begin
the search. The search is performed only on this container and objects that exist below it in
the directory tree. This property can be set to one of the following:
• Currently selected object: When the user clicks the command on the menu for a
given object, the Web Interface uses the distinguished name of that object as the
Base DN property. For example, suppose the command is on the menu for the
organizational unit object type. When the user selects an organizational unit and
clicks the command, the Web Interface searches the selected organizational unit.
• This DN: The command causes the Web Interface to search the object that has the
specified distinguished name, regardless of what object is actually selected. For
example, suppose the command is on the menu for the user object type, and the
Base DN property is explicitly set to the distinguished name of a certain
organizational unit. In this case, when a user account is selected in the Web
Interface, the command appears on the menu and clicking the command begins the
search in that organizational unit.
Search filters
The Search filters property specifies a search filter string in LDAP format. This part of the
LDAP search syntax makes it possible to search for specific objects based on object
attributes. Set up a filter string in accordance with LDAP syntax rules. The default filter
string is “(objectClass=*)”, which retrieves all objects. Another example is
“(objectClass=user)”, which causes the search to retrieve only user accounts.
When configuring a filter string, follow these guidelines:
• The string must be enclosed in parentheses.
• Expressions can use the relational operators: <, <=, =, >=, and >. Examples are
“(objectClass=user)” and “(givenName=Adam)”.
• Compound expressions are formed with the prefix operators & and |. An example is
(&(objectClass=user)(givenName=Adam)).
For more information about the filter string format, see the “Search Filter Syntax” topic in
the MSDN Library (http://go.microsoft.com/fwlink/?LinkID=111710).
Search scope
The Search scope property specifies the depth of the search. The options for this
property are:
• Base: This option limits the search to the object specified by the Base DN property
(base object). The search returns either one object or no objects, depending upon
the search filter.
• One-level: This option restricts the search to the immediate children of the base
object, but excludes the base object itself. The search returns the immediate child
objects that match the search filter.
• Subtree: With this option, the search filter is applied to the base object as well as to
all objects that exist below it in the directory tree. The search returns all child
objects that match the search filter. If the base object matches the filter, the base
object is also included in the search results.
• Attribute scope query by this attribute: With this option, the command searches
in a certain attribute of the base object (target attribute). The target attribute is
identified by the LDAP display name specified as part of this option, and must be an
attribute that stores distinguished names, such as the “member” or “managedBy”
attribute. The search is performed against the objects that are identified by the
distinguished names found in the target attribute. For example, if the base object is a
group and the “member” attribute is specified as the target, then the search will be
performed against all objects that are members of the group, and will return the
members of the group that match the search filter.
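How the Base DN, Search filters and Search scope properties combine, as an added example in Python (not Active Roles code). It parses the filter forms listed above (plus the ! operator and * wildcards, which go beyond the text) and applies each scope to a small constructed directory; the DNs, function names and scope keywords are assumptions of this example.

```python
import re

# Constructed sample directory (DN -> attributes); not data from any real domain.
# Assumption: no RDN contains an escaped comma, so splitting on "," is safe here.
DIRECTORY = {
    "OU=Sales,DC=example,DC=com": {"objectClass": ["organizationalUnit"]},
    "CN=Adam Smith,OU=Sales,DC=example,DC=com": {
        "objectClass": ["user"], "givenName": ["Adam"]},
    "CN=Eve Jones,OU=Sales,DC=example,DC=com": {
        "objectClass": ["user"], "givenName": ["Eve"]},
    "CN=Sales Team,OU=Sales,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Adam Smith,OU=Sales,DC=example,DC=com",
                   "CN=Eve Jones,OU=Sales,DC=example,DC=com"]},
    "OU=East,OU=Sales,DC=example,DC=com": {"objectClass": ["organizationalUnit"]},
    "CN=Adam West,OU=East,OU=Sales,DC=example,DC=com": {
        "objectClass": ["user"], "givenName": ["Adam"]},
}

# attribute, operator, value: this example handles =, >= and <= only.
COMPARISON = re.compile(r"([A-Za-z][A-Za-z0-9;.-]*)(>=|<=|=)(.*)", re.S)


def parse_filter(text):
    """Parse a filter string into nested tuples; raise ValueError if malformed."""
    text = text.strip()
    node, pos = parse_node(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after the closing parenthesis")
    return node


def parse_node(s, i):
    """Parse one parenthesized expression starting at offset i."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"filter must be enclosed in parentheses (offset {i})")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, children = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            child, i = parse_node(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"operator {op!r} has the wrong number of operands")
        if i >= len(s) or s[i] != ")":
            raise ValueError("missing ')' after compound expression")
        return (op, children), i + 1
    end = s.find(")", i)
    match = COMPARISON.fullmatch(s[i:end]) if end != -1 else None
    if match is None:
        raise ValueError(f"malformed expression at offset {i}")
    return ("cmp",) + match.groups(), end + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one object's attributes."""
    if node[0] == "&":
        return all(matches(child, attrs) for child in node[1])
    if node[0] == "|":
        return any(matches(child, attrs) for child in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, name, op, want = node
    values = [v for k, vs in attrs.items() if k.lower() == name.lower() for v in vs]
    if op == "=":
        # '*' is a wildcard, so "(attr=*)" is true for any object that has the attribute.
        pattern = ".*".join(re.escape(part) for part in want.split("*"))
        return any(re.fullmatch(pattern, v, re.I | re.S) for v in values)
    if op == ">=":
        return any(v.lower() >= want.lower() for v in values)
    return any(v.lower() <= want.lower() for v in values)


def search(base_dn, filter_text, scope, asq_attribute=None):
    """Return the sorted DNs that a search with these settings would list."""
    tree = parse_filter(filter_text)
    by_key = {dn.lower(): dn for dn in DIRECTORY}
    base = base_dn.lower()
    if base not in by_key:
        return []
    if scope == "base":
        candidates = [base]
    elif scope == "one-level":
        # Immediate children only: the DN minus its first RDN equals the base DN.
        candidates = [k for k in by_key if k.partition(",")[2] == base]
    elif scope == "subtree":
        candidates = [k for k in by_key if k == base or k.endswith("," + base)]
    elif scope == "asq":
        # Attribute scope query: search the objects named in a DN-valued attribute.
        targets = DIRECTORY[by_key[base]].get(asq_attribute, [])
        candidates = [t.lower() for t in targets if t.lower() in by_key]
    else:
        raise ValueError(f"unknown scope {scope!r}")
    return sorted(by_key[k] for k in candidates if matches(tree, DIRECTORY[by_key[k]]))
```

Running the same filter with each scope against a test OU shows exactly which objects a Search Task command will expose before it is published with Reload.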
Sort by
The Sort by property specifies the attribute based on which the list of search results should
be sorted, to group similar attribute values together in an easy-to-read list. Type the LDAP
display name of any attribute that is listed in the Displayed attributes property.
1. In the Customization section of the Web Interface, select the command that you
want to configure.
2. Click the Visibility tab on the page for managing the properties of the command.
3. Select the option to set up visibility conditions.
4. To set up property-related conditions, click Configure.
5. Do the following:
• To add a condition, select a property, type in a value, and click Add
Requirement.
• To remove a condition, select it from the list and click Remove.
• When finished, click OK.
When you select a property and supply a value, either a new condition is added to the
list or the supplied value is added to the existing condition that is based on the
selected property. The latter occurs if the property is already in the list of the
property-related conditions. This allows you to configure a condition that evaluates to
True if the property has any one of the values specified. If only one value is supplied
for a particular condition, then the condition evaluates to True if the property has
exactly the value specified.
Configuring forms
A form is a set of pages associated with a command that requires data entry. You can
customize a form by adding or removing entries.
1. On the Web Interface home page, click Customization, and then click
Customization Tasks.
- OR -
On the Navigation bar, expand Customization, and then click Directory Objects.
2. In the list of menus, click the menu that contains the command linked with the form
you want to configure.
3. In the list of commands, click the command that is linked with the form you want
to configure.
4. In the right pane, click Edit Form.
If no form is linked with the command you selected, the right pane does not contain
the Edit Form command.
NOTE: Another way to open a form in the Form Editor is to navigate to the Web
Interface page that you want to configure and then click the Customize link.
1. Open the form in the Form Editor and select check boxes next to the tabs you
want to delete.
NOTE: In this way, you can change the name of the tab.
1. In the Form Editor, click the Edit icon next to the name of the tab you want
to configure.
2. Click Visibility on the page for managing the properties of the tab.
3. Select the option to set up visibility conditions.
4. To set up property-related conditions, click Configure.
5. Do the following:
• To add a condition, select a property, type in a value, and click Add
Requirement.
• To remove a condition, select it from the list and click Remove.
• When finished, click OK.
When you select a property and supply a value, either a new condition is added to the
list or the supplied value is added to the existing condition that is based on the
selected property. The latter occurs if the property is already in the list of the
property-related conditions. This allows you to configure a condition that evaluates to
True if the property has any one of the values specified. If only one value is supplied
for a particular condition, then the condition evaluates to True if the property has
exactly the value specified.
6. To set up access-related conditions, do the following:
• If you want to add a condition, click Add, select a certain property, and
click OK.
• If you want to remove a condition, select it from the list and click Remove.
When you select a property and click OK, a new condition is added that evaluates to
True if the user has sufficient rights in Active Roles to make changes to that property
of the object selected by the user in the Web Interface.
7. Click Save.
8. Click Reload to publish your changes.
1. Open the form in the Form Editor and click the tab to which you want to add
the entry.
2. On the toolbar in the Form Editor, point to Add Entry and click Select.
3. In the list of entries, select check boxes next to the names of the entries to add.
4. Click Finish. Then, click Reload to publish your changes.
You may need to scroll down the list of entries in order to access the Finish button.
The list for selecting an entry contains the following information about each entry:
• Entry name: The name of the entry.
• Managed property: The attribute or attributes that are managed by using this
entry. The attributes are identified by LDAP display name.
• Forms that use this entry: The entry is added to each of the listed forms. The
forms are identified by name. Clicking the name of a form opens the form in the
Form Editor.
• Entry type: This can be one of the following:
  • Auto: An entry that was created by using the Form Editor.
  • Custom: A predefined entry that came with the Web Interface, or an entry that
  was created by using tools other than the Form Editor (for example, by
  implementing and deploying custom code).
  • Naming: An entry for managing a naming attribute, such as the “name”
  attribute. Setting a naming attribute requires some additional steps, which are
  not necessary with other attributes. The entries of this type are normally
  predefined and installed with the Web Interface.
When selecting an existing entry, consider the type of the entry. Entries of different types
can have the same name and the same managed property. Since the behavior of an entry
depends upon the type of the entry, selecting an entry of an inappropriate type can cause
incorrect results. For example, selecting an Auto entry instead of a Custom entry will normally
result in the loss of the features that the Custom entry provides in addition to, or instead
of, the default features of the Auto entry. For more information, see Type of entry later in
this document.
1. Open the form in the Form Editor and click the tab to which you want to add
static text.
2. On the toolbar in the Form Editor, point to Add Entry and click Text area.
3. In the Text to display box, supply the text you want to be displayed on the tab.
4. Click Finish. Then, click Reload to publish your changes.
These steps add an entry named Text area in the Form Editor. You can select the check
box next to the Text area name and use the Move Up and Move Down buttons on the
toolbar to change the position of the text area. To change the text displayed by the text
area, click the Edit icon next to the Text area name. When you are done, click Save and
then click Reload to publish your changes.
1. Open the form in the Form Editor and click the tab from which you want to
delete entries.
2. In the list of entries, select check boxes to mark the entries you want to delete.
3. On the toolbar in the Form Editor, click Delete.
4. Once the entries are deleted from the form, click Reload to publish your changes.
NOTE: The changes made to an entry are applied to the entry on every form containing
the entry.
The properties of an entry that you can view or modify include the following (for
more information, see Type of entry and Entry for an attribute of DN syntax later in
this document):
Type of entry
The Web Interface provides for these types of entry:
• Auto: Default entries. This type is assigned to the entries created using the
Form Editor.
• Custom: Predefined entries that come with the Web Interface and use custom
processing logic, or entries added by implementing and deploying custom code.
• Naming: Entries for managing so-called naming attributes, such as the “name”
attribute. Setting a naming attribute requires some additional steps, as compared
with other attributes. The entries of this type are normally predefined and installed
with the Web Interface.
For each entry, certain logic is implemented that governs how to process the values of the
managed attribute. When retrieving an attribute from the directory, the entry uses that
logic to represent the attribute value in the appropriate format. When applying changes to
an attribute value, the entry relies on that logic to transform the changes, if necessary, to
meet the requirements imposed by the directory.
When you create an entry using the Form Editor, default processing logic is applied based
on the syntax of the managed attribute according to the directory schema. Such default
entries are referred to as Auto entries in the Web Interface.
For each of the syntaxes that are defined in Active Directory, certain default logic is defined
in the Web Interface and applied to every Auto entry for managing any attribute of the
respective syntax. Thus, an Auto entry for an attribute of Boolean syntax takes the form of
a check box. An Auto entry for an attribute of String (Unicode) syntax is merely an edit box.
Default processing logic may not be suitable for all attributes. A typical example is
userAccountControl.
In Active Directory, the userAccountControl attribute values are stored as integers, so the
Auto entry for that attribute takes the form of an edit box that displays the integer value
retrieved from the directory. This representation of attribute values is not helpful because a
value of the userAccountControl attribute is, in fact, a 4-byte (32-bit) data structure that
contains flags for configuring some user account settings, such as the flag that controls
whether a user account is enabled or disabled.
A value of userAccountControl is a type of integer wherein each bit in the numeric value
represents a unique setting. This type of integer is called a bit field. Because each bit in a
bit field represents a different setting, simply examining the integer value as a whole
number is of little use. You must examine the individual bit that corresponds to the setting
you are interested in viewing or changing.
To help identify which bit to check in the userAccountControl value, the Web Interface
provides a predefined entry that uses custom logic to represent each bit as a separate
check box. Entries like this one, which use processing logic that differs from the default
processing logic, are called Custom entries in the Web Interface (as opposed to the Auto
entries that rely on default processing logic).
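The bit-field handling described above, as an added example in Python (not Active Roles code): it decodes a userAccountControl integer into named flags, toggles one bit the way a single check box would, and lists flags worth a second look on enabled accounts. The flag names and values follow Microsoft's published userAccountControl table (a subset is shown); the function names and the REVIEW_FLAGS selection are assumptions of this example.

```python
# Subset of the flags in Microsoft's published userAccountControl table.
UAC_FLAGS = {
    "SCRIPT": 0x1,
    "ACCOUNTDISABLE": 0x2,
    "HOMEDIR_REQUIRED": 0x8,
    "LOCKOUT": 0x10,
    "PASSWD_NOTREQD": 0x20,
    "PASSWD_CANT_CHANGE": 0x40,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x80,
    "NORMAL_ACCOUNT": 0x200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Assumption of this example: flags that relax authentication or widen delegation.
REVIEW_FLAGS = (
    "PASSWD_NOTREQD",
    "ENCRYPTED_TEXT_PWD_ALLOWED",
    "DONT_EXPIRE_PASSWORD",
    "TRUSTED_FOR_DELEGATION",
    "USE_DES_KEY_ONLY",
    "DONT_REQ_PREAUTH",
)


def parse_uac(raw):
    """Accept the value as an int or as typed into an edit box; enforce 32 bits."""
    value = int(str(raw).strip(), 0)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("userAccountControl is a 4-byte (32-bit) value")
    return value


def decode(raw):
    """Return the names of the bits that are set, lowest bit first."""
    value = parse_uac(raw)
    names = {bit: name for name, bit in UAC_FLAGS.items()}
    result = []
    for position in range(32):
        bit = 1 << position
        if value & bit:
            # Bits missing from the table are reported rather than silently dropped.
            result.append(names.get(bit, f"UNKNOWN_{bit:#x}"))
    return result


def set_flag(raw, name, enabled):
    """Turn one flag on or off, as one check box does, leaving all other bits alone."""
    value = parse_uac(raw)
    bit = UAC_FLAGS[name]
    return value | bit if enabled else value & ~bit & 0xFFFFFFFF


def review(raw):
    """List REVIEW_FLAGS that are set on an account that is not disabled."""
    flags = decode(raw)
    if "ACCOUNTDISABLE" in flags:
        return []
    return [flag for flag in flags if flag in REVIEW_FLAGS]


if __name__ == "__main__":
    # Constructed sample values, as they would appear in an Auto entry's edit box.
    for sample in ("512", "514", "66080", "4194816"):
        print(sample, decode(sample), "review:", review(sample))
```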
In the Web Interface, many predefined custom entries are available out of the box. Each
of the predefined custom entries, like the custom entry for the userAccountControl
attribute, is designed to manage a single attribute or a group of related attributes in
accordance with the intended meaning of the attribute or attributes rather than based only
on the syntax of attribute values. If necessary, new custom entries can be added that use any
suitable processing logic. For more information and instructions, see the Active Roles SDK.
You can configure the list to display values of other attributes: open the Properties page
for the entry (see Managing properties of an entry earlier in this document), and click the
Advanced tab. Then, modify the list of names in the Columns box as required. You can
type LDAP display names of attributes in the Columns box, separating them by commas,
or you can click the button next to the Columns box and select attributes. The list provided
by the entry will include one column for each attribute you specify, with each column
showing the values of the respective attribute.
A DN entry provides the ability to make changes to the managed attribute, that is, to add or
remove DN values from the attribute. For this purpose, a DN entry supplements the list of
objects with the Add and Remove controls. The Remove control deletes list entries,
consequently removing the respective DN values from the managed attribute. The Add
control uses the Select Object dialog box for selecting objects. The entries representing
the selected objects are then added to the list, with the DN of each object being eventually
appended to the values in the managed attribute.
It is possible to customize the Select Object dialog box that is used by the Add control
in a DN entry. For this purpose, a DN entry provides a number of options. These options
can be found on the Advanced tab of the Properties page for a DN entry (for
instructions on how to access the Properties page, see Managing properties of an entry
earlier in this document):
• Populate list view when the dialog box opens: When turned off, this option
prevents a delay in opening the Select Object dialog box. Since populating the list
view in the dialog box implies running a query against the directory service (which
may be a lengthy operation), the ability to open the dialog box without initially
populating the list view increases responsiveness of the user interface. The user can
type and check object names in the dialog box instead of selecting objects from the
list. Alternatively, the user can manually start populating the list view by clicking a
link in the Select Object dialog box.
• Display the “Find in” field: When turned on, this option enables the users to view
the Find in setting. With this option turned off, the Find in setting is not displayed in
the Select Object dialog box.
• Allow user to change the “Find in” setting: When turned off, this option prevents the
default Find in setting from being modified by the user; the Find in setting cannot be
changed in the Select Object dialog box.
Examples
This section discusses the following customization scenarios:
• Deleting the New Shared Folder command from the Container menu
• Adding the Telephone number entry to the form for creating user accounts
To delete the command from the menu for the Container object type
1. Open your Web browser and connect to the Web Interface for Administrators.
2. On the Navigation bar, expand Customization and then click Directory Objects.
3. In the Menu for column, click Container.
4. In the list of commands, select the check box next to the New Shared
Folder command.
5. On the toolbar, click Delete. Then, click OK to confirm the deletion.
6. Click Reload to publish your changes.
1. Open your Web browser and connect to the Web Interface for Administrators.
2. On the Navigation bar, expand Customization and then click Directory Objects.
3. In the Menu column, click Container.
When you modify the New User command on the Container menu, the command is
also modified on the Domain and Organizational Unit menus.
If the administrator changes any of the above settings, the new settings affect any user
who connects to the Web Interface site after the changes are applied.
The following settings are applied for all Web Interface users by default, and can be
overridden on a per-user basis (a Web Interface user can choose different settings without
affecting the other users):
• User interface language: Choose the language for the Web Interface pages. Your
  selection determines the language of menus and dialogs, messages, and help pages.
• Maximum number of objects to display in search results: Specify the
  maximum number of objects that can be displayed in single-page lists, such as lists
  of search results or lists that show contents of containers. Use this option carefully as
  displaying a large number of objects may cause performance degradation.
• Number of items to display per page in paged lists: Specify the maximum
  number of list items that can be displayed on a single page in multi-page lists. This
If the administrator changes any of the above settings, the new settings normally affect the
users who connect to the Web Interface site for the first time. The changes to the global
settings of this category do not affect the Web Interface users whose user profiles already
contain user-specific, personal settings of the same category. For example, if a user has
already selected the preferred language, changing the user interface language in Global
Settings has no effect on that user.
1. Log on as Active Roles Admin, and connect to the Web Interface site you want
to customize.
2. On the Navigation bar (on the left side of the Web Interface page), click
Customization.
3. On the Customization page, click Global Settings.
4. Use the Global Settings page to view or modify the settings.
5. When finished, click Save.
6. Click Reload for your changes to take effect for all users of the Web Interface site
you are customizing.
1. Open the Web Interface site in your Web browser, click Customization on the
Navigation bar, and then click Global Settings.
2. In the Product logo image area, view or change the image that is used to identify
the product:
   • To use a different image, click Change and select a graphic file containing the
     image you want.
   • To revert to the standard image, click Restore Default.
3. In the Hyperlink on the product logo image area, view or change the address
(URL) of the Web page that opens when the user clicks the product logo image:
   • To use a different address, type the address in the edit box.
   • To remove the hyperlink from the product logo image, clear the edit box.
   • To revert to the standard address, click Restore Default.
4. In the Company logo image area, view or change the image that is used to identify
the company:
   • To use a different image, click Change and select a graphic file containing the
     image you want.
   • To revert to the standard image, click Restore Default.
5. In the Hyperlink on the company logo image area, view or change the address
(URL) of the Web page that opens when the user clicks the company logo image:
   • To use a different address, type the address in the edit box.
   • To remove the hyperlink from the company logo image, clear the edit box.
   • To revert to the standard address, click Restore Default.
6. Click Save.
7. Click Reload to publish your changes.
1. Open the Web Interface site in your Web browser, click Customization on the
Navigation bar, and then click Global Settings.
2. In the Web Interface site icon area, click Change and supply the ICO file
containing the desired icon.
3. Click Save, and then click Reload for the changes to take effect.
You can revert to the default icon by clicking Restore Default in the Web Interface site
icon area. To apply your changes, click Save and then click Reload.
To select a user property for the presentation of the Web Interface user
1. Open the Web Interface site in your Web browser, click Customization on the
Navigation bar, and then click Global Settings.
2. Under Logged-on user name format, click the Change button, and then select
the user property you want.
3. Click Save, and then click Reload for the changes to take effect.
To identify which property is currently used for the presentation of the Web Interface user,
point to the user name under Logged-on user name format and review the tooltip that
appears. For example, under default conditions, the tooltip reads “The 'Display Name' property is
used as the name of the logged-on user in the Web Interface. Click 'Change' to use a
different property.”
| To | Do This |
| --- | --- |
| Add an item to the Navigation bar. | Click the Menu Bar entry, and then click Add. Type a name for the new item and the URL of the page you want the new item to open. Then, click OK. |
| Add an item to a menu group. | Click the item that the menu group is associated with, and then click Add. Type a name for the entry, and the URL of the page you want the new item to open or the name of the script function (command) you want the item to execute. Then, click Add. |
| Change the position of an item on the Navigation bar or within a menu group. | Select the item and click the Up or Down arrow button. |
| Change the name of an item. | Select the item and click Properties. Then, type the name you want, and click OK. |
| Move an item to the Navigation bar. | Select the item and click Move. Then, click the Menu Bar entry. Adjust the position of the item as needed by |
| Move an item to a menu group. | Select the item and click Move. Then, click the item that the destination menu group is associated with. Adjust the position of the item as needed by clicking arrow buttons and then click OK. (This also moves the entire menu group, if any, associated with the item being moved.) |
| Hide an item so that it does not appear on the Navigation bar. | Select the item and click Hide. (To display an item that is hidden, select the hidden item and click Unhide.) |
| To | Do This |
| --- | --- |
| Add an item to the Home page. | Click Add. Type a name for the new item and the URL of the page you want the new item to open. Optionally, |
| Change the position of an item on the Home page. | Select the item and click the Up or Down arrow button. |
| Change the name or description text of an item. | Select the item and click Properties. Then, type the name or description text you want, and click OK. |
| Change the picture to be displayed in the item area. | Select the item and click Properties. Under the Picture to display label, click Change. Type the path and name of the picture file, or click Browse to select and open the picture file. Then, click OK. |
| Hide an item so that it does not appear on the Web Interface pages. | Select the item and click Hide. (To display an item that is hidden, select the item and click Unhide.) |
By adding a home page item, you can customize the Web Interface to integrate custom
applications together with the Web Interface pages. The Advanced properties section in
the dialog box for managing a home page item provides the Open the URL in a frame
option for this purpose.
With the Open the URL in a frame option, a home page item can be configured to open a
Web application so that the application’s pages are embedded in a standard Web Interface
page. When this option is selected, the page identified by the URL to open property of the
home page item is embedded in a Web Interface page instead of being displayed in place of
the Web Interface page in the Web browser window.
The Advanced properties section also provides the ability to configure a home page item
so that a number of optional parameters are automatically appended to the query string of
the URL when the user clicks the item. This enables the Web Interface to pass certain data
to the Web application associated with the home page item. You can modify parameter
names. The parameter values are generated by the Web Interface when the user clicks the
home page item. The following table summarizes the available parameters.
| Parameter | Description |
| --- | --- |
| DN | Distinguished Name (DN) of the user account of the Web Interface user. Example: DN=CN%3dAaron%20Beh%20Santos%2cOU%3dEmployees%2cDC%3dDomain%2cDC%3dCompany%2cDC%3dCom |
| IdentificationDomain | DNS name of the Active Directory domain that holds the user account of the Web Interface user. Example: IdentificationDomain=domain.company.com |
| LCID | Hex code of the locale identifier specific to the Web Interface language selected by the Web Interface user. Example: LCID=409 |
| IsDsAdmin | “True” or “False” depending on whether or not the Web Interface user is assigned to the Active Roles Admin role and thus has administrative rights on Active Roles. Example: IsDsAdmin=False |
| CurrentLanguage | Locale name specific to the Web Interface language selected by the Web Interface user. Example: CurrentLanguage=en-US |
| PortalHomePage | URL of the Home page of the Web Interface site you are customizing. Example: PortalHomePage=http://Server/ARServerSelfService |
| TaskID | The identifier of the Web Interface command used to open the URL. Example: TaskID=d8371ae8-1215-40ac-b0c4-391c3225a426 |
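Because these parameters travel in the query string, the user's browser can alter them before they reach the application behind the home page item. The following sketch is an added example, not code from this guide or from Active Roles: it shows how a receiving application could validate the parameters listed above and keep IsDsAdmin out of its authorization decision. It assumes the default parameter names; the allowed portal host, the sample URL and the `authenticated_dn` and `is_admin_in_directory` hooks are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: portal hosts this application is willing to link back to.
ALLOWED_PORTAL_HOSTS = {"server"}
# Constructed sample URL built from the example values in the parameter table.
SAMPLE = ("http://app.example/start?DN=CN%3dAaron%20Beh%20Santos%2cOU%3dEmployees"
          "%2cDC%3dDomain%2cDC%3dCompany%2cDC%3dCom&LCID=409&IsDsAdmin=False"
          "&PortalHomePage=http://Server/ARServerSelfService"
          "&TaskID=d8371ae8-1215-40ac-b0c4-391c3225a426")

def _match(pattern):
    rx = re.compile(pattern)
    def check(value):
        if not rx.fullmatch(value):
            raise ValueError(value)
        return value
    return check

def _portal(value):
    url = urlsplit(value)
    if url.scheme not in ("http", "https") or url.hostname not in ALLOWED_PORTAL_HOSTS:
        raise ValueError(value)          # do not follow links to unknown hosts
    return value

VALIDATORS = {
    "DN": _match(r"[A-Za-z0-9.]+=[^\x00-\x1f]{1,1024}"),
    "IdentificationDomain": _match(r"(?=.{1,253}\Z)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}"),
    "LCID": lambda v: int(_match(r"[0-9A-Fa-f]{1,8}")(v), 16),  # hex: "409" is 0x409
    "IsDsAdmin": lambda v: {"True": True, "False": False}[v],   # a claim, not a proof
    "CurrentLanguage": _match(r"[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*"),
    "PortalHomePage": _portal,
    "TaskID": _match(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"),
}

def parse_portal_context(url):
    """Return (accepted, rejected) for the parameters a home page item appends."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    accepted, rejected = {}, []
    for name, check in VALIDATORS.items():
        if name not in query:
            continue                          # every parameter is optional
        try:
            (value,) = query[name]            # repeated parameter is ambiguous: refuse
            accepted[name] = check(value)
        except (ValueError, KeyError):
            rejected.append(name)
    return accepted, rejected

def effective_admin(accepted, authenticated_dn, is_admin_in_directory):
    """Admin rights come from the app's own sign-in and lookup, not from IsDsAdmin."""
    if accepted.get("DN", "").lower() != authenticated_dn.lower():
        return False                          # URL identity differs from the session
    return is_admin_in_directory(authenticated_dn)
```

The values are suitable for personalisation (language, link back to the portal); any access decision should rest on the receiving application's own authentication of the user.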
By default, Web Interface users connect to the Web Interface over HTTP, which does not
encrypt the data transferred from a Web browser to the Web Interface. To protect data
transferred to the Web Interface, it is recommended to use HTTPS.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided
by the Web server for data encryption. For instructions on how to enable SSL on your Web
server, see https://support.microsoft.com/en-in/help/324069/how-to-set-up-an-https-service-in-iis.
Any Web interface is prone to security issues such as Cross-Site Request Forgery (CSRF)
and Cross-Site Scripting (XSS) attacks. To protect against such attacks, Active
Roles can now be configured to enable CSRF and XSS protection for the Web interface.
Cross-Site Request Forgery (CSRF) attacks can force users to execute unwanted actions
on the Active Roles web application in which they are currently authenticated. To prevent
CSRF requests, Active Roles must be enabled to use anti-forgery protection.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are
injected into otherwise benign and trusted websites. Hence, any script that is sent to Active
3. In the right pane, in the Configuration Editor, from the Section drop-down menu,
select <Settings>.
4. Click the button corresponding to (Count=*), and click Add in the right pane.
5. Enter the following values:
a. Key: "<keyname>"
b. Value: "<value>"
6. Close the window and click Apply under the Actions menu in the right pane.
7. Restart the App pool.
1. In the <appSettings> section, set the value of the following script to false:
   validateRequest="false"
   <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>
2. For environments having Lync Server or Skype for Business Server, add the following
   to the existing value:
   dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy
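A configuration check for the IgnoreForValidation value shown above, as an added example that is not part of this guide or of Active Roles: it compares the field names configured in a web.config against the names this guide lists, so that any extra entry can be reviewed. It assumes, from the key name, that each listed field is exempted from input validation; the sample configuration and the `custominput` entry are constructed.

```python
import xml.etree.ElementTree as ET

# Field names this guide lists for IgnoreForValidation: the base value, then the
# additions for Lync Server / Skype for Business Server environments.
BASE = "hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"
LYNC = ("dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,"
        "edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,"
        "edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,"
        "edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,"
        "edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy")

# Constructed web.config fragment; "custominput" is a made-up extra entry.
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="IgnoreForValidation"
       value="hiddenxml, homepagestruct,txtconditionsforoperationsinreadableform,custominput"/>
</appSettings></configuration>"""


def audit_ignore_list(config_xml, lync_environment=False):
    """Compare IgnoreForValidation in a web.config with the documented value."""
    documented = set(BASE.split(","))
    if lync_environment:
        documented |= set(LYNC.split(","))
    root = ET.fromstring(config_xml)
    # appSettings keys are matched without regard to case.
    entries = [e for e in root.iterfind(".//appSettings/add")
               if e.get("key", "").lower() == "ignoreforvalidation"]
    configured = set()
    for entry in entries:                      # union of every declaration found
        configured |= {f.strip() for f in entry.get("value", "").split(",") if f.strip()}
    return {
        "declarations": len(entries),          # more than one deserves a closer look
        "missing": sorted(documented - configured),
        "unexpected": sorted(configured - documented),
    }
```

Names reported under `unexpected` are fields that bypass validation without being listed in this guide; names under `missing` are documented entries the configuration does not yet carry.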
Domain menu

| Command | Description |
| --- | --- |
| View or Restore Deleted Objects | View or restore objects that were deleted from a domain. |

Container or OU menu

| Command | Description |
| --- | --- |
| New Room Mailbox | Creates a user account associated with a room mailbox in a container or Organizational Unit. |
| New Linked Mailbox | Creates a user account associated with a linked mailbox in a container or Organizational Unit. |
| New Shared Mailbox | Creates a user account associated with a shared mailbox in a container or Organizational Unit. |
| View or Restore Deleted Objects | View or restore objects that were deleted from a container or organizational unit. |

| Command | Description |
| --- | --- |
| View or Restore Deleted Objects | View or restore deleted objects that were direct members of a given Managed Unit at the time of deletion. |
User menu

Table 7: User Menu

| Command | Description |
| --- | --- |
| Change History | Lists the changes that were made to a user account. |
| User Activity | Lists the changes that were made by a user account. |
| Managed Resources | Lets you view objects for which a given user is assigned as the manager (primary owner) or a secondary owner. |
| Name Mappings | Lets you add, edit, or remove certificates and Kerberos names to user accounts. This functionality is similar to the ADUC Name Mappings functionality that allows you to add certificates and Kerberos names to users. |
| Create User Mailbox | Creates a user mailbox associated with an existing user account. |
| Create Room Mailbox | Creates a room mailbox associated with an existing user account. |
| Create Linked Mailbox | Creates a linked mailbox associated with an existing user account. |
| Create Shared Mailbox | Creates a shared mailbox associated with an existing user account. |
Group menu

| Command | Description |
| --- | --- |
| | policies. |
| Hide Membership / Unhide Membership | Hides / displays the members of a group in the Global Address List. |

Computer menu

| Command | Description |
| --- | --- |
| Change History | Lists the changes that were made to a computer account. |
Command Description
Container or OU menu
Command Description
Command Description
User menu

| Command | Description |
| --- | --- |
| Change History | Lists the changes that were made to a user account. |
| Managed Resources | Lets you view objects for which a given user is assigned as the manager (primary owner) or a secondary owner. |
Group menu
Command Description
About us
One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.
Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.