Active Roles User Provisioning

Dear All,

1. How does ARS provision users from ARS to AD? I mean, what scripts or what method does it run when a user clicks the Submit button for user creation?

2. How does ARS decide, within a domain, which AD it should provision the objects (users and groups) to?

Thanks,

Biswajeet

  • If you are using the Active Roles Web UI to create an object, the Admin Service will react to your request based on whatever provisioning policies you have implemented / linked to the OU where the object is being created.  As Jacob noted, by default, this is the Domain & OU where you initiated the "New User" command from.  You don't need to set up a provisioning policy for the location of new objects unless you want to.  Provisioning policies are sets of rules that you configure to be applied at object edit and/or creation time.  These can consist of built-in policies (user logon name generation is an example) or script policies (really, anything you can implement with PowerShell).  Under the covers, the AR admin service supports the execution of rules before and after creation (as it makes sense).

    Some customers want to control where users can be created.

    A simple way to achieve this is to delegate the creation of user objects via Active Roles only in specific OUs (via Access Templates).

    A more complex approach (which I have done a few times) is to actually present a dropdown list of possible locations in the Web UI.  A simple way to achieve this is to create a virtual attribute (for example edsvaNewUserTargetOU) and statically define in a property value generation rule (contained in a provisioning policy) a list of acceptable OUs.  The user then selects an OU from the list.  (You would add this new field to the user creation wizard in the Web UI using the customize feature).  In this case, you would link this provisioning policy to all OUs where you are allowing user creation.

    In the background, you would have an Active Roles change workflow "catch" the creation action (start condition for the workflow = user create) and redirect the action to the selected location with this bit of PowerShell in a script activity in the workflow:

    Function ChangeTargetOU ($Request)
    {
        # Grab the selected OU name from the in-process transaction
        # (the virtual attribute defined in the provisioning policy above)
        $TargetOU = $Request.Get("edsvaNewUserTargetOU")

        # Re-direct the creation to that location
        $Request.ChangeParentDN($TargetOU)
    }

    Sorry for the long answer.
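An expanded version of that script activity, added here as an illustration and not taken from the post above or from the Active Roles product: before calling ChangeParentDN it checks the submitted DN against the same list of OUs the property value generation rule offers, so the object is only redirected to a location the policy actually approves. The $Request.Get and ChangeParentDN calls are the ones the answer uses; $AllowedTargetOUs and the OU names in it are constructed sample values.

```powershell
# Added example, not code from the original post.
# Constructed allow-list; in practice it mirrors the OUs listed in the
# property value generation rule of the provisioning policy.
$AllowedTargetOUs = @(
    "OU=Employees,DC=a,DC=test,DC=com",
    "OU=Contractors,DC=a,DC=test,DC=com",
    "OU=Employees,DC=b,DC=test,DC=com"
)

Function ChangeTargetOU ($Request)
{
    # Read the selected OU from the in-process transaction. Get() raises an
    # error when the attribute was never set, so treat that as "no selection".
    try
    {
        $TargetOU = $Request.Get("edsvaNewUserTargetOU")
    }
    catch
    {
        $TargetOU = $null
    }

    if ([string]::IsNullOrWhiteSpace($TargetOU))
    {
        # Nothing selected: leave the request alone so the object is created
        # in the OU the requester started from (the default behaviour).
        return
    }

    # Normalise before comparing: DNs are case-insensitive and the value may
    # carry stray whitespace around the commas.
    $Normalized = ($TargetOU -replace '\s*,\s*', ',').Trim()
    $Approved = $AllowedTargetOUs | Where-Object { $_ -ieq $Normalized }

    if (-not $Approved)
    {
        # Raise an error rather than redirect to a DN the policy does not offer.
        throw "Target OU '$TargetOU' is not an approved location for new users."
    }

    # Re-direct the creation to the approved location, using the canonical
    # entry from the allow-list rather than the raw submitted string.
    $Request.ChangeParentDN($Approved)
}
```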

  • Thanks for the response,

    But I am not talking about the OU here. We can always select the OU from MMC or the web UI. Suppose you have a domain test.com. In that domain you have multiple ADs like A.test.com, b.test.com.

    Now, how does ARS determine in which AD in that domain it should create the user?

    Thanks

  • Each and every domain in your environment, same forest or multiple forests - it doesn't matter - is always added as an independent Managed Domain in Active Roles. Adding a forest root domain to Active Roles as a Managed Domain does not automatically add the child domains in that forest to Active Roles as Managed Domains. Just like ADUC, if connecting to a forest root domain, the child domains are not listed in a hierarchical fashion.

    If you are talking about manual object creation, then creating a user in the Employees OU in domain b.test.com is as simple as you indicated: expand that Managed Domain in Active Roles and select the Employees OU.
