Sometimes we want users to be able to do things on their own. It makes sense in a lot of cases for, as I like to say, IT be the car and not the driver. We build this, we set everything up, but we're really not the ones who control certain pieces of information. We want the end users themselves to be able to do that.
So we built into Active Roles what we call the self service piece. In this case, for example, I'm going to allow the user to manage certain pieces of their AD object themselves. Here I am just logged in as a regular user. And you'll notice that I've set it up so that I can read a whole bunch of data. And what this means is I've given myself read access over the data inside of Active Roles. I can see my name, all kinds of information. Everything here is grayed out. I can't make any changes to it.
But if I go over here, I can change a few things. I've told it to allow me to change the home phone number, the pager number, and the mobile number. And I also have a policy in here that requires that they be in the correct format.
I've even allowed them to update their picture. So if they want to add a picture to Active Directory, then they could click on here, choose a picture, and that would then put it in Active Directory and upload it into AD, which would in turn upload it to Azure AD as well, if you have that set up.
I could do anything else I wanted, as well. I'm just doing some fairly simple stuff. I don't necessarily want my users maintaining a lot of information about themselves. But there are certain things I'm perfectly comfortable having them do on their own without the help desk having to do it.
Oh, and by the way, nothing would preclude me from adding in a workflow to approve it. I had a customer once who wanted to have HR review every single picture that went in. So what would happen is somebody would change their picture. And as soon as that happened, the workflow would fire off. It would go to a group in HR. Somebody from HR would pick that up. They would approve it, and then it would go in Active Directory at that point.
HR didn't have to have any formal training on how to do that other than how to use a web interface. Pretty simple and straight forward.
The other half of the self-service web interface is the approval process. What you'll notice here is that-- you can see I have a request that's actually awaiting my approval. If I click over here on Approvals, I can see that, oh, yeah, I have a request here to remove a particular user from a group. So remove this user called Test User from a group called Sensitive Account Group. And you can see the reason is they don't need to be part of this anymore. I know that that's fine, so I'm going to go ahead and click Approve.
And it's now gone ahead and made that change. I can also look at other tasks that have been completed by me. And you can see I've used this user quite a few times for different things, just to do different tests. But I can see everything that's happened, and I can see all the approvals that are waiting for me. I can also see approvals that are pending, meaning that I have something that needs to happen. And someone else has to approve it. I'd be able to see it here, as well. So the approval piece is quite powerful in terms of letting me see what I've done and what someone else needs to do for me as well.
03:15
