ActiveRoles_WebInterfaceConfigurationGuide

Active Roles 8.1.

Web Interface Configuration Guide


Copyright 2023 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this
guide is furnished under a software license or nondisclosure agreement. This software may be used
or copied only in accordance with the terms of the applicable agreement. No part of this guide may
be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than the purchaser’s personal use without the
written permission of One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes
no representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office
information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal/trademark-information.aspx. All other trademarks are
the property of their respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property
damage, for which industry-standard safety precautions are advised. This icon is
often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data
if instructions are not followed.

Active Roles Web Interface Configuration Guide


Updated - 20 July 2023, 14:37
For the most recent documents and product information, see Online product documentation.
Contents

Introduction to the Web Interface

Deploying the Web Interface
About the Web Interface
Default Web Interface sites
Creating, modifying or deleting a Web Interface site
Creating or modifying a Web Interface site from an existing configuration

Getting started with the Web Interface
Configuring the web browser to access the Web Interface
Configuring Google Chrome
Configuring Mozilla Firefox
Connecting to the Web Interface
Changing personal settings in the Web Interface
Logging out of the Web Interface

Web Interface Basics
Web Interface administrative tasks overview
Directory Management
Search
Approval
Settings
Customization
User interface overview
Navigation bar
Browse pane
List of objects
Toolbar
Current container
Command pane
Summary pane
Object property pages
Notification and Feedback
Active Roles 8.1.3 Web Interface Configuration Guide


Managing the list of objects
Sorting and filtering the list of objects
Adding or removing columns from the list of objects
Locating directory objects
Searching for directory objects
Example: Searching by object type
Filtering the contents of a container
Example: Filtering by object type
Using personal views
Creating a personal view
Changing a personal view

Performing Management Tasks
Managing your personal account
Managing Active Directory objects
Batch operations
Example 1: Enabling a user account
Example 2: Adding a user to a group
Running an automation workflow
Managing temporal group memberships
Adding temporal members
Viewing temporal members
Rescheduling temporal group memberships
Removing temporal members
Managing AD LDS data
Managing computer resources
Restoring deleted objects
Locating deleted objects
Searching the Deleted Objects container
Locating objects deleted from a certain OU or MU
Restoring a deleted object

Using Approval Workflow
Understanding approval workflow
Locating approval items
Using “My Tasks”
Pending tasks
Completed tasks
Using “My Operations”

Customizing the Web Interface
About Web Interface customization
Web Interface customization terms
Menu
Command
Form
Tabs
Entry
Link to Form Editor
Focus item
Form Editor Toolbar
List of entries
Form Editor Tab
Configuring Web Interface menus
Creating a Web Interface menu
Deleting a Web Interface menu
Adding a command to a Web Interface menu
Removing commands from a Web Interface menu
Setting the default command on a Web Interface menu
Adding a separator to a Web Interface menu
Changing the order of commands on a Web Interface menu
Configuring Web Interface forms
Viewing or modifying the properties of a Web Interface form
Adding a tab to a Web Interface form
Deleting tabs from a Web Interface form
Viewing or modifying the properties of a Web Interface tab
Configuring the visibility options of a Web Interface tab
Adding an entry to a Web Interface form
Adding static text to a Web Interface form
Deleting entries from a Web Interface form
Viewing or modifying a Web Interface entry
Type of Web Interface entries
Entry for an attribute of DN syntax
Configuring Web Interface commands
Viewing or modifying the properties of a Web Interface command
Creating or selecting a Web Interface form for a command
Properties of a Web Interface command
Command visibility options
Web Interface customization examples
Deleting a command from a Web Interface menu
Adding an entry to a Web Interface form
Web Interface global settings
Customizing the Web Interface logo image
Customizing the Web Interface site icon
Customizing the user name to show on the Web Interface
Customizing the Web Interface Navigation bar
Customizing the Web Interface Home page
Configuring Web Interface for enhanced security
Modifying Cross-Site Request Forgery for Web Interface
Disabling or modifying Cross-Site Scripting validation for Web Interface

Default Commands
Default commands on the Web Interface Administrator Site
Domain menu
Container or OU menu
Managed Unit menu
User menu
Group menu
Computer menu
Default commands on the Web Interface Helpdesk Site
Domain menu
Container or OU menu
Managed Unit menu
User menu
Group menu

About us

Contacting us
Technical support resources

Glossary

Index
1

Introduction to the Web Interface

The Active Roles Web Interface Configuration Guide describes how to deploy and customize
the Active Roles Web Interface for your organization. This document:
• Provides a brief overview of the Web Interface.
• Describes the available customization capabilities.
• Provides instructions on how to customize the Web Interface and perform
  administrative tasks.

2

Deploying the Web Interface

You can deploy the Active Roles Web Interface on any computer that meets the product
system requirements and is running Internet Information Services (IIS) 7.5 or later. For
more information on the software and hardware requirements, see System Requirements
in the Active Roles Release Notes.
NOTE: You do not need to deploy the Web Interface component on the same computer
that runs the Active Roles Administration Service. However, the computer (or computers)
hosting the Web Interface must have a reliable network connection to the computer (or
computers) running the Administration Service component.

Prerequisites

Before you begin deploying any Web Interface sites, make sure you meet the following
requirements on the computer(s) where you will deploy the Web Interface component:

Table 1: Web Interface requirements

Requirement type: Operating system
Description: You can deploy the Active Roles Web Interface component on the
following operating systems:
• Windows Server 2022
• Windows Server 2019
• Windows Server 2016

Requirement type: Internet Services
Description: Make sure that the computer where the Web Interface is deployed has
the Web Server (IIS) server role installed, with the following role services:
• Web Server/Common HTTP Features/
    • Default Document
    • HTTP Errors
    • Static Content
    • HTTP Redirection
• Web Server/Security/
    • Request Filtering
    • Basic Authentication
    • Windows Authentication
• Web Server/Application Development/
    • .NET Extensibility
    • ASP
    • ASP.NET
    • ISAPI Extensions
    • ISAPI Filters
• Management Tools/IIS 6 Management Compatibility/
    • IIS 6 Metabase Compatibility
NOTE: The Active Roles installer automatically configures the Web Server (IIS)
server role when installing the Web Interface component.
To verify that the server role is configured properly on the computer, use the
native Server Manager tool of the operating system after the Web Interface is
installed.

Requirement type: Feature delegation
Description: Make sure that Internet Information Services (IIS) provides
Read/Write delegation for the following features:
• Handler Mappings
• Modules
To confirm that these features have the Read/Write delegation configured, use the
Feature Delegation option of the native Internet Information Services (IIS)
Manager tool of the operating system.

Requirement type: .NET Trust Levels
Description: Make sure that the .NET Trust Level is set to Full (internal) on every
computer where the Web Interface component will be installed.
To configure this setting:
1. In the system-provided Internet Information Services (IIS) Manager tool, under
   Connections, expand the node of the computer, and navigate to Sites > Default
   Web Site.
2. On the Default Web Site Home page, double-click .NET Trust Levels.
3. Under Trust level, select Full (internal).
NOTE: Setting the .NET Trust Level to any other value will result in a failure
when attempting to load any of the configured Active Roles Web Interface sites.
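
The requirements in Table 1 can also be checked from an elevated PowerShell session on the web server. The script below is an added example, not part of the One Identity guide or product. It assumes the listed role services map to the Windows feature names shown, that either the 3.5 or the 4.x variant of .NET Extensibility and ASP.NET satisfies the requirement (the guide does not say which), and that Read/Write delegation corresponds to an effective override mode of Allow.

```powershell
#Requires -RunAsAdministrator
# Added example (not One Identity code): audits the Table 1 prerequisites on the
# local IIS host and prints one PASS/FAIL row per requirement.

Import-Module ServerManager
Add-Type -Path (Join-Path $env:windir 'System32\inetsrv\Microsoft.Web.Administration.dll')

# Site named in the ".NET Trust Levels" steps of Table 1.
$siteName = 'Default Web Site'

# Role services from Table 1 mapped to Windows feature names (assumed mapping).
# Where two names are listed, one installed feature is enough to pass.
$roleServices = [ordered]@{
    'Default Document'             = @('Web-Default-Doc')
    'HTTP Errors'                  = @('Web-Http-Errors')
    'Static Content'               = @('Web-Static-Content')
    'HTTP Redirection'             = @('Web-Http-Redirect')
    'Request Filtering'            = @('Web-Filtering')
    'Basic Authentication'         = @('Web-Basic-Auth')
    'Windows Authentication'       = @('Web-Windows-Auth')
    '.NET Extensibility'           = @('Web-Net-Ext', 'Web-Net-Ext45')
    'ASP'                          = @('Web-ASP')
    'ASP.NET'                      = @('Web-Asp-Net', 'Web-Asp-Net45')
    'ISAPI Extensions'             = @('Web-ISAPI-Ext')
    'ISAPI Filters'                = @('Web-ISAPI-Filter')
    'IIS 6 Metabase Compatibility' = @('Web-Metabase')
}

$results = [System.Collections.Generic.List[object]]::new()

function Add-Result {
    param([string]$Area, [string]$Item, [bool]$Ok, [string]$Detail)
    $results.Add([pscustomobject]@{
        Area   = $Area
        Item   = $Item
        Status = if ($Ok) { 'PASS' } else { 'FAIL' }
        Detail = $Detail
    })
}

# 1. Internet Services: every listed role service must be installed.
foreach ($entry in $roleServices.GetEnumerator()) {
    $features  = @(Get-WindowsFeature -Name $entry.Value)
    $installed = @($features | Where-Object Installed)
    $detail    = ($features | ForEach-Object { "$($_.Name)=$($_.InstallState)" }) -join ', '
    Add-Result 'Role service' $entry.Key ($installed.Count -gt 0) $detail
}

$iis = New-Object Microsoft.Web.Administration.ServerManager
try {
    # 2. Feature delegation: Handler Mappings and Modules must be Read/Write,
    #    i.e. the effective override mode of the section at server level is Allow.
    $appHost = $iis.GetApplicationHostConfiguration()
    $delegated = [ordered]@{
        'Handler Mappings' = 'system.webServer/handlers'
        'Modules'          = 'system.webServer/modules'
    }
    foreach ($entry in $delegated.GetEnumerator()) {
        $mode = $appHost.GetSection($entry.Value).OverrideModeEffective
        Add-Result 'Feature delegation' $entry.Key ($mode -eq 'Allow') "$($entry.Value): $mode"
    }

    # 3. .NET Trust Level: "Full (internal)" in IIS Manager is level="Full"
    #    in the system.web/trust section of the site's configuration.
    $trust = $iis.GetWebConfiguration($siteName).GetSection('system.web/trust')
    $level = [string]$trust.GetAttributeValue('level')
    Add-Result '.NET Trust Level' $siteName ($level -eq 'Full') "level=$level"
}
finally {
    $iis.Dispose()
}

$results | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a deployment pipeline stop on a failed prerequisite.
if ($results.Status -contains 'FAIL') { exit 1 }
```

Run it in a 64-bit session so that the System32 path resolves to the real IIS directory.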

About the Web Interface


The Active Roles Web Interface is a highly customizable, easy-to-use web application for
data administration and provisioning in Active Directory. With the Web Interface, an
intranet user (such as a helpdesk agent or a delegated administrator) can connect to Active
Roles using a web browser and perform day-to-day administrative tasks, including user
management tasks (such as modifying personal data) or adding users to groups.
Web Interface users can perform administrative tasks and view or modify directory data.
However, their scope of authority is limited by the rights delegated in Active Roles. As such,
a Web Interface user sees only the commands, directory objects, and object properties to
which they have administrative access.
Administrators can customize the pages of the Web Interface without modifying a single
line of code. As part of the site customization, administrators with the proper privileges can
add or remove commands or fields displaying property values.
The key features of the Active Roles Web Interface component include the following:
• Role-based web pages: Active Roles Web Interface supports multiple websites on
  the same intranet, each of them providing a separate, customizable set of menus,
  commands, and forms. By default, the Web Interface ships with three default pages:
  the Administrator Site, the Helpdesk Site, and the Self-Service Site.
• Dynamic role-based configuration: You can dynamically adapt the contents of
  any Web Interface site to align them to the roles of their Web Interface users. As
  such, you can make sure that a user can only see the commands, directory objects
  and object properties to which they have administrative access.
• Point-and-click customization: Administrators can customize the menus,
  commands, and pages of a site without writing a single line of code. As such,
  administrators can easily adapt the sites to any role, such as day-to-day
  administrators, business data owners, helpdesk operators, or even regular
  end-users.
• Active Directory and Azure AD support: Users can administer a wide range of
  Active Directory and hybrid or cloud-only Azure AD resources, including users,
  groups, or computers.
• Managing computer resources: Users can manage the computer resources of
  your organization, such as printers, shares, services, devices, local users and groups.
• User Profile Editor: With the proper permissions configured, end-users can
  manage their personal or emergency data through an easy-to-use profile editor.
• Enforcing organizational rules: The Web Interface efficiently supplements and
  restricts user input based on the organizational rules defined with Active Roles. As
  such, the Web Interface sites display only property values generated according to the
  rules in effect, and prohibit users from entering values that violate the rules.
• Single sign-on with integrated Windows authentication: Active Roles Web
  Interface supports single sign-on, without requiring users to enter their passwords
  again once they are logged in and authenticated by the operating system.
• Localization support: Besides English, the Active Roles Web Interface supports the
  following languages:
    • Chinese (Simplified and Traditional)
    • French
    • German
    • Portuguese (Brazilian and European)
    • Spanish

Default Web Interface sites


You can configure multiple instances of the Web Interface, referred to as Web Interface
sites. By default, Active Roles ships with the following configuration templates.
• Default Site for Administrators: The Administrator Site, supporting a broad range
  of tasks, including the management of directory objects and computer resources.
• Default Site for Help Desk: The Helpdesk Site, supporting tasks that are typically
  performed by helpdesk operators, such as enabling or disabling accounts, resetting
  passwords, and modifying certain user or group properties.
• Default Site for Self-Administration: The Self-Service Site, providing the User
  Profile Editor, allowing end users to manage personal or emergency data through an
  easy-to-use editor.

Each configuration template provides a specific set of commands installed by default.
However, you can customize each Web Interface site by adding or removing commands, and
by modifying the web pages (forms) associated with each command. For more information
on customizing the Web Interface sites, see Customizing the Web Interface.
Although the Web Interface dynamically adapts to roles assigned to users, you can ensure
additional flexibility by configuring separate Web Interface sites to the various individual
roles (such as directory administrators or helpdesk personnel). The static configuration of
interface elements ensures that Web Interface users have access to all the specific
commands and pages needed to perform their duties.

Creating, modifying or deleting a Web Interface site
Deploying the Web Interface component has two main procedures:

1. Installing the component via the Active Roles installer.


2. Using the Active Roles Configuration Center to configure the Web Interface service.

For more information on these procedures, see Deploying the Web Interface in the Active
Roles Quick Start Guide.
Once the Web Interface component is deployed, you can create new Web Interface sites, or
modify and delete the existing ones. You can create any number of Active Roles Web
Interface sites, either with each site having its own configuration, or sharing the
configuration with other sites.
These site configuration entities contain all customizable settings of the user interface
elements, such as the website menus, commands, and web page forms that appear on the
Web Interface. Each configuration is identified by name, stored as an entity, and applied on
a per-site basis. In addition, each Web Interface site configuration is stored and replicated
by the Administration Service, with the same configuration files reusable for additional Web
Interface sites. This allows you to:
• Reuse the configuration of existing Web Interface sites.
• Share a common configuration among multiple Web Interface sites.

NOTE: If multiple Web Interface sites share a common configuration, any customization
made to one site will be automatically applied to the other sites using the same
configuration. For example, if you add a command or modify a form on one site, the new
command or modified form appears on all the other sites using the same configuration.

To create, modify or delete a Web Interface site

1. In the Active Roles Configuration Center, on the Dashboard page, click Web
   Interface > Manage Sites.
   Alternatively, on the side bar, click Web Interface.
2. On the Web Interface page, click the applicable button:
    • To create a new site, click Create.
    • To modify an existing site, select it from the list, then click Modify.
    • To delete an existing site, select it from the list, then click Delete.
3. (Optional) If you selected to Create or Modify a site, in the Web Application step,
   configure the following settings:
    • IIS Web site: Specifies the IIS website containing the web application that
      implements the Web Interface site. The list is populated from the websites
      defined on the web server.
    • Alias: Specifies the alias of the web application that implements the Web
      Interface site. The alias defines the virtual path used in the address of the Web
      Interface site on the web server.
4. (Optional) If you selected to Create or Modify a site, in the Configuration step,
   specify how to set the configuration of the new website. The website configuration
   contains all customizable settings of the user interface elements, such as the website
   menus, commands, and web page forms that appear on the Web Interface.
    • Keep the current configuration: Uses the configuration currently assigned
      to the site. Select this option if you do not want to assign a different
      configuration to the site.
      NOTE: This setting is only available when modifying an existing site.
    • Create from a template: Creates a new configuration for the Web Interface
      site based on a template. When selected, you must specify a unique
      Configuration name and must also select a Template used as a baseline for
      the new configuration. Active Roles contains a default template for
      Administration, Helpdesk and Self-Service sites.
      TIP: Select this option if you want the Web Interface site to use a
      separate configuration that is initially populated with the default template
      data and settings.
    • Use an existing configuration: Assigns an existing configuration to the Web
      Interface site. When selected, you must specify the desired configuration from
      a list of saved configurations stored by the Administration Service.
      NOTE: The list includes configurations compatible with the currently installed
      Active Roles version only.
    • Import from an existing configuration: Creates a new configuration for
      the Web Interface site by importing data from an existing configuration. When
      selected, you must specify a unique Configuration name for the new
      configuration and must also select the desired Configuration to import from
      the list of supported configurations stored by the Administration Service.
      NOTE: The list includes configurations compatible with the currently installed
      Active Roles version only.
      TIP: Select this option if you want the Web Interface site to use a separate
      configuration that is:
        • Populated with data imported from the configuration of an earlier
          Active Roles version, or
        • Copied from an existing configuration of the current Active Roles
          version.
    • Import from a file: Creates a new configuration for the Web Interface site by
      importing data from an exported configuration file. When selected, you must
      specify a unique Configuration name for the new configuration and must also
      select the File to import.
      TIP: Select this option if you want the Web Interface site to use a separate
      configuration that is:
        • Populated with data imported from the exported configuration file of an
          earlier Active Roles version.
        • Copied from an existing exported configuration file of the current
          Active Roles version. You can export existing configurations with the
          Web Interface > Export Configuration option of the Configuration
          Center after selecting a web site.
5. (Optional) To commit your changes when creating or modifying a site, click Create or
   Modify, respectively. The Configuration Center then performs the configured
   changes, and will indicate the results.
6. (Optional) If you selected to Delete a site, in the Ready to Delete step, review the
   site data, then click Delete. The Configuration Center then performs the configured
   changes, and will indicate the results.

Once you have configured a new site or modified an existing one, you can access it from your
browser by using the specified web application alias in the following format:
http://<website>/<alias>
In this alias, <website> identifies the IIS website containing the web application that
implements the Web Interface site, while <alias> is the alias of the web application as
specified in the Configuration Center. For example, if the web application is contained in the
default website, the address will be the following:
http://<computer>/<alias>
In this example, <computer> is the network name of the computer (web server) running the
Web Interface.
By default, you can connect to Web Interface sites via the HTTPS protocol, which encrypts
the data transferred from the web browser to the Web Interface. If your organization does
not require a secure protocol for accessing the Web Interface sites, you can disable using
the HTTPS protocol in the Active Roles Configuration Center.
The HTTPS protocol uses SSL protection provided by the web server for data encryption.
For more information on how to enable SSL on your web server, see Configuring Secure
Sockets Layer in IIS 7 in the Microsoft Windows Server documentation.

Creating or modifying a Web Interface site from an existing configuration

Once you have deployed the Web Interface, you can create or modify Web Interface sites with
the Configuration Center. When configuring a site, the Configuration Center lets you
create, select or import a so-called configuration: a collection of settings that fully
determines the menus, commands, forms and other elements of the pages provided by the
Web Interface site.
For each Web Interface site, Active Roles stores the site configuration in a particular object
held in the Active Roles database, and allows the configuration to be identified by that
object. Configuration Center retrieves and enumerates configuration objects when it builds
a list of existing configurations.
When upgrading Active Roles to a newer version, the Web Interface configuration objects
are copied to the new Active Roles database. As a result, the database holds Web Interface
configuration objects of an earlier version. If you want your new Web Interface sites to
have the same configuration as the Web Interface sites of the earlier version, you can
import the configuration objects of the previous version.

To reuse the configuration of an earlier Web Interface version

1. On the Configuration page of the wizard for creating or modifying a Web
   Interface site in Configuration Center, select the Import from an existing
   configuration option.
2. In Configuration name, type a name for the new configuration that will be created
by importing an existing configuration, or accept the default name.
3. From the Configuration to import list, select the name of the configuration you
want to import.
To distinguish between different configuration versions, the version number is added
to the name of each configuration in the list.

TIP: As you can export Web Interface configurations to an external file, you can also
reuse an existing configuration to restore the configuration of a Web Interface site
from a backup.

To export the configuration of a Web Interface site to a file

1. Open the Configuration Center.


2. On the page for managing Web Interface sites in Configuration Center, select the
desired Web Interface site, click Export Configuration, then supply the path and
name of the file to which you want to export the configuration.

To import the configuration from an export file

1. On the Configuration page of the wizard for creating or modifying a Web Interface
site in Configuration Center, select the Import from a file option.
2. In Configuration name, type a name for the new configuration that will be created
by importing data from the export file, or accept the default name.
3. From the File to import field, select the export file.

NOTE: Old Active Roles versions exported site configuration data to an export package (a
collection of export files) instead of a single export file. To import configuration from such
an export package, in the Configuration Center, click the Browse button next to the File
to import field, navigate to the folder containing the export package files, and select
the .txt file that identifies the export package.

3

Getting started with the Web Interface

Active Roles offers a convenient, easy-to-use, customizable Web Interface that enables
authorized users to perform day-to-day administrative tasks, including user management
tasks such as modifying personal data or adding users to groups. Via the Web Interface, an
intranet user can connect to Active Roles using a web browser. A user sees only the
commands, directory objects, and object properties to which the user’s role provides
administrative access.
By default, the Web Interface includes three different sites:
• The Administrator Site, providing a wide variety of administrative tasks.
• The Helpdesk Site, providing a smaller set of tasks primarily meant to facilitate
  resolving trouble tickets.
• The Self-Service Site, intended for managing personal accounts.

The Web Interface also supports localization, with the following translations available
besides English:
• Chinese (Simplified and Traditional)
• French
• German
• Portuguese (Brazilian and European)
• Spanish

The Web Interface delivers a reliable, comprehensive solution that lets users who have
administrative access to Active Roles modify the commands that the Web Interface provides
without writing a single line of code. Such users can add and remove commands on menus,
and modify command pages by adding and removing fields that display property values.
For more information on how to customize the Web Interface, see
Customizing the Web Interface.
The Active Roles Web Interface User Guide is for individuals who are responsible for
performing day-to-day administrative tasks. This document provides a brief overview of
the Web Interface, and includes step-by-step instructions on how to perform
administrative tasks.

The following topics describe the procedures for connecting to the Web Interface. First,
configure your web browser to display the Web Interface pages properly. Then, connect to
the Web Interface. Finally, you may specify personal settings for the Web Interface.
• Configuring the web browser to access the Web Interface
• Connecting to the Web Interface
• Changing personal settings in the Web Interface
• Logging out of the Web Interface

4

Configuring the web browser to access the Web Interface

To access the Active Roles Web Interface, your web browser must have JavaScript and
cookies enabled. JavaScript is a programming language for making web pages
interactive. Cookies are small files stored on your computer that contain information
about the Web Interface.
For more information on how to enable JavaScript and cookies for your browser, see the
applicable section.
• Configuring Google Chrome
• Configuring Mozilla Firefox

Configuring Google Chrome


To access the Active Roles Web Interface, Google Chrome must have JavaScript and
cookies enabled.

To enable JavaScript and cookies in Google Chrome

1. Click the Chrome menu button on the browser toolbar, then click Settings.
2. On the Settings page, click Show advanced settings, then click the Content
settings button in the Privacy section.
3. In the Content settings dialog, do the following:
a. Make sure that the Allow local data to be set option is selected
under Cookies.
b. Make sure that the Allow all sites to run JavaScript option is selected under
JavaScript.
c. When finished, click Done.

Configuring Mozilla Firefox


To access the Active Roles Web Interface, Firefox must have cookies enabled.

NOTE: JavaScript, which is also required by Active Roles Web Interface, is enabled by
default in Mozilla Firefox. Also, starting from Mozilla Firefox 23, you cannot disable or
re-enable it in the browser settings.

To enable cookies in Mozilla Firefox

1. Click Options on the Tools menu.


2. In the Options dialog box, do the following:
a. Click the Privacy button at the top of the dialog box.
b. Make sure that the Remember history option is selected in the History area.
c. When finished, click OK.

Connecting to the Web Interface


To connect to the Web Interface, you must know the name of:
• The web server running the Web Interface.
• The Web Interface site you want to access.

The default site names are as follows:

• ARWebAdmin: The Administrator Site, supporting a broad range of administrative tasks.
• ARWebHelpDesk: The Helpdesk Site, supporting the most common administrative tasks.
• ARWebSelfService: The Self-Service Site, allowing end-users to manage their personal accounts.

To connect to the Web Interface


• Launch your web browser.
• In the address bar, enter the address of the Web Interface site you want to open, then press Enter.

For example, to connect to the default Administrator Site, enter the following URL:
http://<server>/ARWebAdmin
In this example, <server> is the name of the web server running the Web Interface component.

Changing personal settings in the Web Interface
When using the Web Interface, you can configure various personal settings, such as the user
interface language or the number of directory objects to list per page.

To change personal settings in the Web Interface

1. In your browser, open the Active Roles Web Interface.
2. In the header, click Active Roles 8.1.3 > Settings.
3. Configure the following settings as you need:
   • User interface language: Specifies the language of the Web Interface. This setting affects all menus, commands, and forms of the Web Interface, as well as tooltips and help text.
     NOTE: By default, the Web Interface contains only English localization. Installing the Active Roles Language Pack adds support for the following languages:
       • Chinese (Simplified and Traditional)
       • French
       • German
       • Portuguese (Brazilian and European)
       • Spanish
     For more information, see Active Roles Language Pack in the Active Roles Administration Guide.
   • Maximum number of objects to display in search results: Specifies the maximum number of objects to display in single-page lists, such as lists of search results or lists that show contents of containers. The supported value range is 1–20000, and the default value is 1000.
     TIP: Use this setting carefully, as displaying a large number of objects may negatively impact browser performance. Instead of displaying all objects, One Identity recommends using the available search and filtering options to find the objects you need.
   • Number of items to display per page in paged lists: Specifies the maximum number of list items displayed on a single page in multi-page lists. This setting affects only lists (such as approval task lists) that are divided into pages. The supported value range is 1–10000, and the default value is 20.
     TIP: Use this setting carefully, as specifying a small value may result in many pages to list through, while specifying a large value can negatively impact browser performance.
   • Number of page links to display for paged lists: Specifies the maximum number of page number links displayed for multi-page lists. This setting affects only lists (such as approval task lists) that are divided into pages. The supported value range is 1–1000, and the default value is 5.
   • Time (in minutes) for which the notification is visible: Specifies the number of minutes for which Web Interface notifications will be visible on the user interface. The supported value range is 0–43200, and the default value is 0. Keeping the default value of 0 results in notifications never disappearing.
   • Maximum number of notifications to be stored in Active Roles: Specifies the maximum number of notifications to be stored in the Active Roles database. The supported value range is 5–1000, and the default value is 1000.
   • Show objects owned by inheritance or secondary ownership: When selected, the My Managed Resources page of the Web Interface will also list objects of which the user is not the primary owner (manager), but the secondary or inherited owner.
4. To apply your changes, click Save.
   TIP: Active Roles saves the personal settings on a per-user basis in the Web Interface site configuration. Once saved, the personal settings take effect regardless of which computer you use to access the Web Interface. Because the settings are stored per site, you can configure different personal settings for different Web Interface sites.

Logging out of the Web Interface


Logging out of the Web Interface can prevent harmful security breaches. For this reason,
always log out of the Web Interface when your work is completed.

To log out of the Web Interface

1. Make sure that you have finished all your work in the Web Interface.
2. On the right side of the Web Interface header, click your user name, then click Logout.

Active Roles then closes the current Web Interface session and deletes all session-related
data from the local computer.
NOTE: For additional security, the Active Roles Web Interface can forcibly close your
session in case of user inactivity. Active Roles administrators can configure the duration
of the continuous idle time, after which the Web Interface shows a message prompting
users to resume action. If the user does not respond to this prompt, the session will be
forcibly closed after an additional grace period.

5 Web Interface Basics

The following sections provide an overview of the main elements and the most typical
workflows of the Active Roles Web Interface.
• Web Interface administrative tasks overview
• User interface overview
• Managing the list of objects
• Locating directory objects
• Using personal views

Web Interface administrative tasks overview
The Web Interface home page displays categories of administrative tasks supported by the
Web Interface. The same categories are displayed along the vertical strip on the left side of
the Web Interface window, referred to as the Navigation bar. Click icons on the Navigation bar
to perform the following tasks:
• Directory Management: Browse for, and manage, directory objects, such as users and groups. You can navigate through containers in the directory; view, filter and select objects held in the container; and apply commands to the selected object or container.
• Search: Search for, and manage, directory objects. You can select containers in the directory, and specify search criteria. The Web Interface searches in the selected containers and all of their subcontainers, and lists the objects that match your search criteria, allowing you to apply commands to objects in the list.
• Approval: Perform the tasks related to approval of administrative operations. The scope of your responsibilities depends upon your role in the approval workflow processes.
• Settings: Set up your personal settings that control the display of the Web Interface pages.
• Customization: Add, remove, or modify user interface elements, such as menu items (commands) and pages (forms), intended to manage directory objects. This task requires the rights of Active Roles Admin.

NOTE:
• For more information on extending the Active Roles provisioning and account administration capabilities to your cloud applications, click the supported connectors in the What's New section from the Active Roles drop-down list.
• On the title bar of the Active Roles Web Interface, click Feedback to provide product feedback. You are redirected to a new browser that allows you to provide the feedback.
   • For the Administrator Site, by default, the feedback option is available.
   • For the Helpdesk Site, navigate to Customization > Global Settings and check the Enable user feedback link check-box to enable the feedback option.
   • The feedback option is not available on the Self-Service Site.

Directory Management
Directory Management allows you to browse for, and administer, directory objects in
your organization. Your Active Roles permissions determine which tasks you can perform.
Directory Management provides the following views:
• Active Directory: Lists Active Directory domains managed by Active Roles, allowing you to navigate through containers in those domains. You can view, filter and select objects held in the container, and apply commands to the selected object or container.
• Managed Units: Lists Managed Units defined in Active Roles, allowing you to view objects, and navigate through containers, held in Managed Units. You can filter and select objects, and apply commands to the selected object or container.

For information on how to administer Active Directory objects, see Managing Active
Directory objects.

Search
Search provides a flexible, query-based mechanism that helps locate directory objects
quickly and without browsing through the directory tree. You can select containers in the
directory, and build a query by specifying search criteria. The Web Interface searches in the
selected containers and all of their subcontainers, and lists the objects that match your
search criteria. When the objects you target are returned as the results of a search query,
you can then perform the necessary administrative tasks.
You can also save the queries that you build and use them again at a later time. The Web
Interface saves queries as your personal views, with each view consisting of the containers
and search criteria that you select, as well as the customized sorting and column
information that you specify.
For instructions on how to perform a search, see Searching for directory objects.

Approval
Approval provides you with the tools for performing tasks related to approval workflow.
You can use these tools to complete approval tasks assigned to you as an Approver, and to
monitor the status of the operations that you initiated, if those require approval.
For details on how to perform approval tasks, see Using Approval Workflow.

Settings
By using Settings, you can specify:
• The language of the Web Interface pages.
• The maximum number of objects displayed in single-page lists.
• The maximum number of list items displayed on a single page in multi-page lists.
• The maximum number of links to pages displayed for multi-page lists.
• The maximum time, in minutes, for which the notification is to be visible.
• The maximum number of notifications to be stored in Active Roles.

Settings are saved on a per-user basis in the configuration of the Web Interface site. For
more information, see Changing personal settings in the Web Interface.

Customization
Customization allows you to tailor the Web Interface to suit the specific needs of your
organization. The Customization item is only displayed if you are logged in as Active Roles
Admin. The Active Roles Admin account is specified during the configuration of the Active
Roles Administration Service.
Customization includes the following tasks:
• Directory Objects: Modify menus, commands, and forms for administering directory objects. View or change global settings, such as the logo image and color scheme.
• Restore Default: Restore the original (default) menus, commands, and forms, discarding all previous customizations.
• Reload: Put into effect the menus, commands, and forms that you have customized.

The customization settings determine the configuration of the Web Interface site for
all users.

For more information and instructions on how to customize the Web Interface, see
Customizing the Web Interface.

User interface overview


This section describes the user interface elements that are common across the Web
Interface.

Navigation bar
Located on the left side of the page, the Navigation bar provides the first level of navigation
for most of the tasks you can perform in the Web Interface. The Navigation bar is organized
by Web Interface areas, and includes the following items:
• Home: Go to the Web Interface home page.
• Directory Management: Browse for, and administer, directory objects in your organization.
• Search: Search for, and administer, directory objects in your organization.
• Customization: Customize Web Interface pages. Available to Active Roles Admin only.
• Approval: Perform the tasks relating to approval of administrative operations.
• Settings: View or change your personal settings that control the display of the Web Interface.
• Help: Access the About page, the Active Roles Knowledge Base, and other helpful resources for the Web Interface.

For more information about functions of the Navigation Bar, see Web Interface
administrative tasks overview.

Browse pane
Located next to the Navigation bar, the Browse pane lists the built-in views and personal
views, and allows you to access the tree view:
• Built-in views provide entry points to browsing for objects in the directory. Personal views are filter or search queries you build and save to use them again at a later time. To see built-in views and personal views, click the Views tab at the top of the Browse pane.
• The tree view helps you browse for directory objects by using the directory tree to navigate through the hierarchical structure of containers. To see the tree view, click the Tree tab at the top of the Browse pane.

List of objects
When you select a container or view in the Browse pane, you see a list of objects. If you
select a container, the list includes the objects held in that container. If you select a view,
the list includes the objects that match the view settings. It is also possible to customize
the list by sorting and filtering, and by adding or removing list columns.
You can select objects from the list and apply commands to the selected object or objects.
When you click the name of a container object, such as a domain or an organizational unit,
the list changes to display the objects held in that container, thereby enabling you to
browse through containers in the directory.

Toolbar
The Toolbar contains a number of controls allowing you to manage the current list
of objects:
• Click the Menu button on the left side of the Toolbar to save the current list as a personal view, add or remove list columns, or export the list to a text file.
• Type in the Filter field, then click the button next to that field to have the list include only those objects whose naming properties match what you typed.
• Click the Expand/Collapse button on the right side of the Toolbar to configure filtering criteria based on object properties. To have the list include only the objects that match your filtering criteria, click the button next to the Filter field.

Current container
The area above the Toolbar displays the name of the current container, which holds the
objects shown in the list, and identifies the hierarchical path to the current container in
the directory. Click the name of a container in the path to view a list of objects held in
that container.

Command pane
Located to the right of the list of objects, the Command pane provides commands you
can apply to objects you select from the list as well as commands you can apply to the
current container:
• If no objects are selected in the list, the menu includes only the commands that apply to the current container. These commands are grouped under a heading that shows the name of the current container.
• If a single object is selected in the list, the commands that apply to the selected object are added at the top of the menu, under a heading that shows the name of the selected object.
• If multiple objects are selected from the list, the commands that apply to all of the selected objects are added at the top of the menu, under a heading that shows the number of the selected objects.

Summary pane
When you select an object from the list, information about that object is displayed in the
Summary pane under the list of objects. The information includes some commonly used
properties of the object, and depends upon the object type. For example, user properties
provide more detailed information about a user account, such as the login name, e-mail
address, description, job title, department, expiration date, and the date and time that the
account was last changed. If you do not see the Summary pane, click in the area beneath
the list of objects.

Object property pages
Property pages are used in the Web Interface to modify directory objects. The following
figure gives an example of the property page that appears when you select a user account
from the list of objects and click General Properties in the Command pane.
The property page consists of several tabs. Each tab provides a number of data entries
allowing you to view or change certain properties of the directory object. Click a tab to
access the data entries on that tab. To apply the changes you have made in the data
entries, click the Save button.
Active Roles Admin users can use the Customize link in the upper right corner of the page
to add or remove data entries or entire tabs from the property page. The Customize link is
not displayed unless you are logged on as a member of the Active Roles Admin account,
which is specified in the configuration settings of the Active Roles Administration Service.

Notification and Feedback


On the upper right corner, you can view the Feedback option, the Active Roles drop-
down menu, and a Notification icon.
• Feedback option: Allows you to provide product feedback.
• Active Roles drop-down menu: Allows you to learn more about the new features in the current version, access online help, and configure settings.
• Notification icon: Allows you to view the notifications.

Managing the list of objects


The list of objects in the Web Interface has a number of features that help you locate the
objects you target. You can sort objects in a list and apply a filter to a list. You can
also add or remove list columns.

Sorting and filtering the list of objects


The Web Interface allows you to set a sort order and apply a filter in the list of objects.

To sort the list of objects by name

1. Open the list of objects.
2. Click the Name column heading once or twice to sort the list by object name in ascending or descending order. An arrow in the column heading indicates the sort order.

You can also sort the list by other columns. Click a column heading to change the sort
order. For instructions on how to add or remove columns, see Adding or removing columns
from the list of objects.

To filter the list of objects


You can filter lists either by naming properties or other properties:
• To filter the list by naming properties, type in the Filter field on the Toolbar, then press Enter or click the button next to the Filter field. As a result, the list includes only the objects whose naming properties match what you typed. The naming properties include name, first name, last name, display name, and login name.
• To filter the list by other properties, click the button on the right side of the Toolbar to expand the Toolbar, click Add criteria, choose the properties by which you want to filter, click Add, then configure the criteria as appropriate. When finished, press Enter or click the button next to the Filter field on the Toolbar. As a result, the list includes only the objects that match the criteria you configured.

After you apply a filter, the list includes only the objects that match the filter. For
example, you can type a few characters in the Filter field on the Toolbar, then press
Enter to view only the objects whose name starts with the characters you typed.

To remove the filter and restore the original list of objects


Depending on whether you specified any criteria, perform the applicable step:
• If you did not add any criteria, clear the Filter field on the Toolbar, then press Enter.
• If you specified any criteria, expand the Toolbar, click Clear all, then press Enter.

Adding or removing columns from the list of objects
You can customize the list of objects by adding or removing list columns. Each column
is intended to display a certain property of objects in the list, and can be used to set
a sort order.

To add or remove list columns

1. Click the Menu button on the left side of the Toolbar, then click Choose columns.
2. To add a column for a certain property, click the name of the property in the Hidden
columns list, then click the right arrow button to move the property to the
Displayed columns list.
3. To remove a column for a certain property, click the name of the property in the
Displayed columns list, then click the left arrow button to move the property to the
Hidden columns list.

You can reorder list columns by moving list items up and down in the Displayed columns
list. To do so, click the name of the property in the list, then click the up arrow button or the
down arrow button next to the list.

Locating directory objects


The Web Interface provides search and filtering tools to help you locate directory objects
quickly and easily. By creating and applying an appropriate search or filter query, you can
build shorter lists of objects, which makes it easier to select the objects needed to
accomplish your administrative tasks.
You can also save search and filter queries as your personal views, and use them again at a
later time. Each view saves the following settings that you specify: the container to search
or filter; the search or filtering criteria; the set of columns and the sort order in the list of
search or filtering results.

Searching for directory objects


To search for directory objects, you can use the Search page that allows you to select the
container to search and specify criteria for the objects you want to find. The Web Interface
searches in the container you select and in all of its subcontainers.
The Web Interface opens the Search page when you do any of the following:
• Type in the Search field located in the upper right corner of the Web Interface window, and then press Enter or click the magnifying glass icon in the Search field. In this case, the Web Interface searches all managed Active Directory domains for objects whose naming properties match what you typed and the Search page lists the search results. The naming properties include name, first name, last name, display name, and logon name.
• Click Search on the Navigation bar. The Search page opens, allowing you to configure and start a search.

To configure and start a search

1. Click the Search in box on the Toolbar, and then select the container that you want to search. You can select more than one container.
   The Web Interface will search in the selected container and all of its subcontainers.
2. Specify criteria for the objects that you want to find:
   • To search by naming properties, type in the Search field on the Toolbar. The Web Interface will search for objects whose naming properties match what you typed. The naming properties include name, first name, last name, display name, and logon name.
   • To search by other properties, click the button on the right side of the Toolbar to expand the Toolbar, click Add criteria, choose the properties by which you want to search, click Add, and then configure the criteria as appropriate. The Web Interface will search for objects that match the criteria that you configured.
3. Press Enter to start the search.

The search results are listed on the Search page. You can customize the list by adding or
removing list columns and sorting the list by column data. To add or remove list columns,
click the Menu button on the left side of the Toolbar and then click Choose columns (see
also Adding or removing columns from the list of objects). To sort the list by column data,
click column headings.

Example: Searching by object type


The following steps demonstrate how you can use the search function to list all groups that
exist in the Active Directory domains managed by Active Roles:

1. Click Search on the Navigation bar.
2. Click the button on the right side of the Toolbar to expand the Toolbar, click Add criteria, select the check box next to Object type is User/InetOrgPerson/Computer/Group/Organizational Unit, then click the Add button.
3. On the Toolbar, click Group in the list next to The object type is, then press Enter.

Filtering the contents of a container


If a container, such as an Organizational Unit in your Active Directory, holds a large number
of objects, you can narrow down the displayed list of objects by filtering the objects held in
that specific container.

To filter the objects held in a container

1. Navigate to the container in the Web Interface.
   To navigate to a container, you can search for the container object (see Searching for directory objects), then click its name in the list of search results on the Search page. Alternatively, you can browse for the container objects by using the Browse pane and the List of objects.
   IMPORTANT: The scope of filtering is always set to the current container, and does not include any subcontainers of that container. Filtering is essentially a search for objects held in a given container only. If you want to search the current container and all of its subcontainers, click Search under this container in the Command pane, then configure and perform a search as described in Searching for directory objects.
2. Specify how you want to filter the objects held in the container:
   • To filter objects by naming properties, type in the Filter field on the Toolbar and then press Enter or click the button next to the Filter field. The list of objects will include only the objects whose naming properties match what you typed. The naming properties include name, first name, last name, display name, and logon name.
   • To filter objects by other properties, click the button on the right side of the Toolbar to expand the Toolbar, click Add criteria, choose the properties by which you want to filter, click Add, and then configure the criteria as appropriate. The list of objects will include only the objects that match the criteria you configured.
3. To apply the filter, press Enter or click the button next to the Filter field on the Toolbar.

When a filter is applied to a container, the Web Interface lists a subset of all objects held in
that container. You can remove the filter to view all objects: If you did not add criteria,
clear the Filter field on the Toolbar and then press Enter; otherwise, expand the Toolbar,
click Clear all, and then press Enter.

Example: Filtering by object type


The following steps demonstrate how you can configure a filter that lists only user accounts
held in a particular Organizational Unit, removing objects of any other type from the list:

1. Navigate to the Organizational Unit in the Web Interface.
2. Click the button on the right side of the Toolbar to expand the Toolbar, click Add criteria, select the check box next to Object type is User/InetOrgPerson/Computer/Group/Organizational Unit, then click the Add button.
3. On the Toolbar, confirm that the field next to The object type is reads User, then click the button next to the Filter field, or press Enter.
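
The difference between the filter scope (current container only) and the search scope (selected containers plus all subcontainers) matters when you review the accounts in an Organizational Unit, because a filter does not show accounts held in nested containers. The following Python model is an added example, not Active Roles code: the directory, names and DNs are constructed, and prefix matching on naming properties is an assumption taken from the "starts with" example in this guide.

```python
"""Filter scope vs. Search scope, modelled on a constructed directory tree."""
from dataclasses import dataclass

# Naming properties the guide lists for the Filter and Search fields.
NAMING_PROPERTIES = ("name", "first_name", "last_name", "display_name", "logon_name")

@dataclass(frozen=True)
class DirObject:
    dn: str
    object_type: str            # "User", "Group" or "Organizational Unit"
    name: str
    first_name: str = ""
    last_name: str = ""
    display_name: str = ""
    logon_name: str = ""

def split_dn(dn):
    """Split a distinguished name into RDNs, keeping backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip().casefold())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip().casefold())
    return parts

def in_scope(object_dn, container_dn, subtree):
    """True if the object is below the container: any depth (subtree) or direct child."""
    obj, base = split_dn(object_dn), split_dn(container_dn)
    if len(obj) <= len(base) or obj[-len(base):] != base:
        return False            # the container itself is not part of its own contents
    return subtree or len(obj) == len(base) + 1

def matches(obj, text="", object_type=None):
    """Apply an 'Object type is' criterion and a naming-property match.

    Assumption: prefix matching, taken from the guide's "name starts with the
    characters you typed" example; the product's real matching may differ.
    """
    if object_type is not None and obj.object_type != object_type:
        return False
    needle = text.casefold()
    return not needle or any(
        getattr(obj, prop).casefold().startswith(needle) for prop in NAMING_PROPERTIES
    )

def filter_container(directory, container_dn, text="", object_type=None):
    """Filter: the current container only, never its subcontainers."""
    return [o for o in directory
            if in_scope(o.dn, container_dn, subtree=False) and matches(o, text, object_type)]

def search_containers(directory, container_dns, text="", object_type=None):
    """Search: every selected container and all of its subcontainers."""
    return [o for o in directory
            if any(in_scope(o.dn, c, subtree=True) for c in container_dns)
            and matches(o, text, object_type)]

def missed_by_filter(directory, container_dn, text="", object_type=None):
    """Objects a subtree search finds that a filter on the same container hides."""
    shown = {o.dn for o in filter_container(directory, container_dn, text, object_type)}
    return [o for o in search_containers(directory, [container_dn], text, object_type)
            if o.dn not in shown]

# Constructed sample directory; every name and DN here is made up.
ROOT = "DC=example,DC=test"
SALES = "OU=Sales," + ROOT
CONTRACTORS = "OU=Contractors," + SALES
DIRECTORY = [
    DirObject(SALES, "Organizational Unit", "Sales"),
    DirObject("OU=IT," + ROOT, "Organizational Unit", "IT"),
    DirObject(CONTRACTORS, "Organizational Unit", "Contractors"),
    DirObject("CN=Ann Lee," + SALES, "User", "Ann Lee", "Ann", "Lee", "Ann Lee", "alee"),
    DirObject("CN=Sales Team," + SALES, "Group", "Sales Team"),
    DirObject("CN=Roe\\, Sam," + CONTRACTORS, "User", "Roe, Sam", "Sam", "Roe",
              "Sam Roe", "sroe"),
    DirObject("CN=svc-report," + CONTRACTORS, "User", "svc-report", logon_name="svc-report"),
    DirObject("CN=Ann Admin,OU=IT," + ROOT, "User", "Ann Admin", "Ann", "Admin",
              "Ann Admin", "aadmin"),
]

if __name__ == "__main__":
    for label, found in (
        ("Filter Sales for users", filter_container(DIRECTORY, SALES, object_type="User")),
        ("Search Sales for users", search_containers(DIRECTORY, [SALES], object_type="User")),
        ("Hidden by the filter", missed_by_filter(DIRECTORY, SALES, object_type="User")),
    ):
        print(f"{label}: {[o.name for o in found]}")
```

In this model, filtering the Sales container for users lists one account, while searching under the same container also returns the two accounts held in the nested Contractors container.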

Using personal views


In the Web Interface, you can use search or filter queries to locate directory objects. To
create a query, you specify a set of rules that determine the contents of the resulting list of
objects. You can, for instance, specify that only user accounts held in a particular
organizational unit should be listed. In addition, you can adjust the set of columns and the
sort order in the list of search or filtering results.
The ability to locate the objects you target is crucial as you need to focus your attention on
only those objects that apply to the task you are performing. However, creating a search or
filter query that displays the objects you are interested in for a particular task can be
time-consuming. Personal views provide a way for you to save that work. Once you have created
a query that displays just the objects you need, you can provide the query with a name and
save it to use later. That saved query is a personal view. Each view saves the following
settings that you specify: the container to search or filter; the search or filtering criteria;
the set of columns and the sort order in the list of search or filtering results.

Creating a personal view


Personal views are like search or filter queries that you have named and saved. After
creating a personal view, you will be able to reuse it without re-creating its underlying
search or filter query. To reuse a personal view, click the name of that view on the Views
tab in the Browse pane. The Web Interface applies the search or filter query saved in the
view, and displays the results in the list with the same set of columns and sort order as
when you created the view.

To create a personal view

1. Do one of the following:
   • Configure and perform a search. For instructions, see Searching for directory objects.
   • Create a filtered list of objects. For instructions, see Filtering the contents of a container.
2. Click the Menu button on the left side of the Toolbar, then click Save current view.
3. In the dialog box that appears, type a name for the personal view, then click Save.

Changing a personal view


The personal views that you created are listed on the Views tab in the Browse pane. When
you select a view in the Browse pane, Web Interface applies the search or filter query saved
in the view, and displays the results in the list with the same set of columns and sort order
as when you created the view. At this point, you can make changes to the search or filter
criteria, set of columns and sort order, and then save the changed settings to the selected
personal view or create a new personal view based on the changed settings.

To save the changed settings to the selected personal view

1. Select a personal view in the Browse pane.
2. Make changes to the search or filter criteria, list columns or sort order.
3. Click the Menu button on the left side of the Toolbar, and then click Save current view.
4. In the dialog box that appears, do not change the name of the view. Click Save.

To create a new personal view based on the changed settings

1. Select a personal view in the Browse pane.
2. Make changes to the search or filter criteria, list columns or sort order.
3. Click the Menu button on the left side of the Toolbar, and then click Save current view.
4. In the dialog box that appears, type a name for the new personal view and then click Save.

You can also rename or delete personal views.

To rename a personal view

1. Open the Browse pane of the Web Interface.
2. On the Views tab in the Browse pane, click the Edit button next to the name of the view, type a new name, then press Enter or click the Edit button again.

To delete a personal view

1. Open the Browse pane of the Web Interface.
2. On the Views tab in the Browse pane, click the Delete button next to the name of the view.

6 Performing Management Tasks

You can use the Active Roles Web Interface to perform a wide variety of directory object
management tasks. These include the following:
• Managing your personal account
• Managing Active Directory objects
• Running an automation workflow
• Managing temporal group memberships
• Managing AD LDS data
• Managing computer resources
• Restoring deleted objects

Managing your personal account


The User Profile Editor section in the Web Interface site for self-administration gives you
a convenient way to display and update your own identity information, such as your
telephone numbers or mail address in your user account. The contents of the pages in the
User Profile Editor section can be customized by the Active Roles administrator, who can
add new elements to the pages, modify or remove existing elements, and regroup related
elements on different tabbed pages.

To view or modify your user account

1. In your web browser, go to the address (URL) of the Web Interface site for self-
administration.
By default, the address is http://<server>/ARWebSelfService where <server> stands
for the name of the server running the Web Interface.
2. On the Web Interface Home page, click User Profile Editor.
3. Use the page provided by the Web Interface to view or modify your user account.
4. Click the Save button to apply your changes.

It is up to the Active Roles administrator to determine what information you are authorized
to view or modify on the User Profile Editor page. Some fields on the page might not be
editable. The fields that you are not permitted to modify appear on the page as read-only
text. The properties that you are not permitted to view are not displayed on the User
Profile Editor page.

Managing Active Directory objects


The Directory Management section of the Web Interface allows you to browse for, and
administer, directory objects in your organization. You can navigate through containers in
the directory; view, filter and select objects held in the container; and apply commands to
the selected object or container.
Whether you can perform a certain management task depends upon permissions granted
to your user account, and the Web Interface customization settings.
A general procedure for performing a Directory Management task is as follows.

To perform a management task

1. On the Navigation bar, click Directory Management.
2. On the Views tab in the Browse pane, click one of the following:
   • To manage objects in Active Directory containers, such as domains or
     organizational units, click Active Directory. This displays a list of Active
     Directory domains.
   • To manage directory objects in a certain Managed Unit, click Managed Units.
     This displays a list of Managed Units.
3. In the list of objects, do one of the following:
   • To navigate to a container, such as an organizational unit, click the name of
     that container.
   • To perform a command that applies to the current container, click that
     command in the Command pane under the name of the current container.
   • To perform a command on a particular object held in the current container,
     select the check box next to the name of that object, and then click the
     command in the top area of the Command pane, under the name of the object.
   • To perform a command on two or more objects at a time, select the check box
     next to the name of each object, and then click the command in the top area of
     the Command pane.
   NOTE: In the list of objects, clicking the name of a leaf object, such as a user or
   group, displays a page where you can view or modify object properties; clicking a
   container object, such as a domain or an organizational unit, displays a list of
   objects held in that container.

When you perform a management task, the Web Interface supplements and restricts your
input based on policies and permissions defined in Active Roles. The Web Interface displays
the data generated by policies, and prevents the input of data that would cause policy
violations. The following rules apply:
• If a policy requires that a value be specified for a particular property, the name of the
  field for that property is marked with an asterisk (*).
• If a policy imposes any restrictions on a property, an information icon is displayed
  next to the name of the field for that property. Click the icon to view policy
  information, which you can use to enter an acceptable value.
• When you specify a property value that violates a policy, and click Save, the
  Web Interface displays an error message. Review the error message and
  correct your input.
• Pages for object creation must include the entries for all required properties.
  Otherwise, the Web Interface fails to create the object. For information on how to
  configure forms, see Configuring Web Interface forms.
• Object property pages display the values of the properties for which you have the
  Read permission. You can modify only those properties for which you have the Write
  permission. The properties for which you only have the Read permission are
  displayed as read-only.
• The Command pane includes only the commands that you are permitted to use.
• The list of objects includes only the objects that you are permitted to view.

Batch operations
In the Web Interface, you can select multiple objects (such as users, groups and
computers), then apply a certain command to your selection of objects. This allows you to
perform a batch operation on all the selected objects at a time instead of running the
command on each object separately. The Web Interface supports the following batch
operations:
• Delete: Allows you to delete multiple objects at a time.
• Deprovision: Allows you to deprovision multiple users or groups at a time.
• Move: Allows you to move a batch of objects to a different organizational unit
  or container.
• Add to groups: Allows you to add a batch of objects to one or more groups of
  your choice.
• Update object attributes: Allows you to perform bulk attribute operations on
  multiple users at a time.
• Reset Password: Allows you to reset the password for multiple users at a time.

Batch operations are available in the list of objects on the following Web Interface pages:
• Search: This page lists the search results when you perform a search.
• View Contents: This page displays the objects held in a given Organizational Unit,
  Managed Unit, or container.

To perform a batch operation, select the check box next to the name of each of the desired
objects in the list, then click a command in the top area of the Command pane. This runs
the command on each object within your selection.
NOTE: Active Roles administrators can customize Web Interface by adding and removing
commands, and modifying pages associated with commands. For more information, see
Customizing the Web Interface.

Example 1: Enabling a user account


This topic demonstrates how to enable a blocked user account by using the Web Interface.

To enable a blocked user account

1. Locate the user account you want to enable. For instructions on how to locate objects
in the Web Interface, see Locating directory objects.
2. In the list of objects, select the user account you want to enable.
3. In the Command pane, click Enable Account.

NOTE: If the user account is not blocked, the Command pane includes the Disable
Account command instead of the Enable Account command.

Example 2: Adding a user to a group


This topic demonstrates how to add a user account to a group by using the Web Interface.

To add a user account to a group

1. In the Web Interface locate and select the user account. For instructions on how to
locate objects in the Web Interface, see Locating directory objects.
2. In the Command pane, click Member Of.
3. On the Member Of page that appears, click Add.
4. On the Select Object page that appears, perform a search to locate the group.
For instructions on how to configure and start a search, see Searching for
directory objects.
5. In the list of search results on the Select Object page, select the group to which you
want to add the selected user account, then click Add.

Running an automation workflow


Workflow refers to a sequence of actions that leads to the completion of a certain task.
Active Roles allows administrators to configure various workflows that can be started on a
scheduled basis or on user demand. This workflow type is called "automation workflow".
For more information, see Automation workflow in the Active Roles Administration Guide.
If an automation workflow is configured so that running it on demand is allowed, then you
can run it from the Web Interface.

To run an automation workflow from the Web Interface

1. On the Navigation bar, click Directory Management.
2. On the Tree tab in the Browse pane, expand the Workflow branch and click the
container that holds the desired workflow.
3. In the list of objects, select the desired workflow.
4. In the Command pane, click Run.
5. If prompted, review or change the values of the workflow parameters.
6. Click OK in the confirmation message box.

The Web Interface prompts you for parameter values if the workflow has any parameters
that need to be supplied by the user running the workflow on demand. If the workflow has
no parameters that require user input, then the Web Interface starts the workflow without
prompting you for parameter values.
Once you have started an automation workflow, the Web Interface opens a run history
report allowing you to examine the progress of the workflow run. The report displays the
workflow run status along with information about the activities performed during workflow
run. For a workflow that is in progress, you have the option to cancel its run by clicking the
Terminate button.
After the workflow is completed, the report retains history information about the workflow
run. For each completed run of the workflow, the report allows you to identify when and by
whom the workflow was started, when the workflow was completed, and what parameter
values were used.
The report also lists the workflow activities that were executed during the workflow run. For
each activity, you can determine whether the activity was completed successfully or
returned an error. In case of error, the report provides an error description. For activities
requesting changes to directory data (for example, activities that create new objects or
modify existing objects), you can examine the requested changes in detail by clicking the
Operation ID number in the run history report.

To view run history of an automation workflow in the Web Interface

1. On the Navigation bar, click Directory Management.
2. On the Tree tab in the Browse pane, expand the Workflow branch and click the
container that holds the desired workflow.
3. In the list of objects, select the desired workflow.
4. In the Command pane, click Run History.

Managing temporal group memberships
By using temporal group memberships, you can manage group memberships of objects
such as user or computer accounts that need to be members of particular groups for only a
certain time period. This feature gives you flexibility in deciding and tracking what objects
need group memberships and for how long.
This section guides you through the tasks of managing temporal group memberships in the
Web Interface. If you are authorized to view and modify group membership lists, then you
can add, view and remove temporal group members as well as view and modify temporal
membership settings on group members.

Adding temporal members


A temporal member of a group is an object, such as a user, computer or group, scheduled
to be added or removed from the group. You can add and configure temporal members
using the Web Interface.

To add temporal members of a group

1. In the Web Interface, select the group, then choose the Members command.
2. On the Members page, click Add.
3. In the Select Object dialog box find and select the objects that you want to make
temporal members of the group, then click Temporary Access.
4. In the Temporal Membership Settings dialog, choose the appropriate options,
then click OK:
   • To have the temporal members added to the group on a certain date in the
     future, select On this date under Add to the group, and choose the date and
     time you want.
   • To have the temporal members added to the group at once, select Now under
     Add to the group.
   • To have the temporal members removed from the group on a certain date,
     select On this date under Remove from the group, and choose the date
     and time you want.
   • To retain the temporal members in the group for indefinite time, select Never
     under Remove from the group.
NOTE: You can make an object a temporal member of particular groups by
managing the object rather than the groups. Select the object, then choose the
Member Of command. On the Member Of page, click Add. In the Select Object
dialog, find and select the groups, and specify the temporal membership settings
as appropriate for your situation.

Viewing temporal members
In the list of group members displayed by the Web Interface, you can distinguish between
regular and temporal group members. It is also possible to hide or display pending
members, the temporal members that are scheduled to be added to the group in the
future but are not actual members of the group so far.

To view temporal members of a group

1. In the Web Interface, select the group, and then choose the Members command.
2. Review the list on the Members page:
   • An icon of a small clock overlays the icon for the temporal members.
   • If the Show pending members check box is selected, the list also includes
     the temporal members that are not yet added to the group.

The list of group memberships for a particular object makes it possible to distinguish
between the groups in which the object is a regular member and the groups in which the
object is a temporal member. It is also possible to hide or display so-called "pending group
memberships", the groups to which the object is scheduled to be added in the future.

To view groups in which an object is a temporal member

1. In the Web Interface, select the object, and then choose the Member Of command.
2. Review the list on the Member Of page:
   • An icon of a small clock overlays the icon for the groups in which the object is a
     temporal member.
   • If the Show pending group memberships check box is selected, the
     list also includes the groups to which the object is scheduled to be added
     in the future.

Rescheduling temporal group memberships


The temporal membership settings on a group member include the start time and end
time settings.
The start time setting specifies when the object is to be actually added to the group. This
can be a specific date and time or an indication that the object should be added to the group
right away.
The end time setting specifies when the object is to be removed from the group. This
can be a specific date and time or an indication that the object should not be removed
from the group.
You can view or modify both the start time and end time settings using the Web Interface.

To view or modify the start or end time setting for a member of a group

1. In the Web Interface, select the group, then choose the Members command.
2. In the list on the Members page, select the member, then click the Temporary
Access button.
3. Use the Temporal Membership Settings dialog to view or modify the start or end
time settings.

The Temporal Membership Settings dialog box provides the following options:
• Add to the group > Now: Indicates that the object should be added to the
  group at once.
• Add to the group > On this date: Indicates the date and time when the object
  should be added to the group.
• Remove from the group > Never: Indicates that the object should not be removed
  from the group.
• Remove from the group > On this date: Indicates the date and time when the
  object should be removed from the group.

Regular members have the Add to group and Remove from group options set to
Already added and Never, respectively. You can set a particular date for any of these
options in order to convert a regular member to a temporal member.
NOTE:
• You can view or modify the start time and end time settings by managing an object
  rather than the groups in which that object has memberships. Select the object,
  then choose the Member Of command. On the Member Of page, select the group
  for which you want to manage the start or end time setting of the object and click
  Temporary Access.
• On the Members or Member Of page, you can change the start or end time
  setting for multiple members or groups at a time. On the page, select multiple list
  items, click Temporary Access, and in the Temporal Membership Settings
  dialog box, make the changes you want.

Removing temporal members


You can remove temporal group members in the same way as regular group members.
Removing a temporal member of a group deletes the temporal membership settings for
that object with respect to that group. As a result, the object will not be added to the
group. If the object already belongs to the group at the time of removal, then it is
removed from the group.

To remove a temporal member of a group

1. In the Web Interface, select the group, then choose the Members command.
2. On the Members page, select the member, and click Remove.

NOTE: You can remove an object that is a temporal member of a group by managing the
object rather than the group. Select the object, then choose the Member Of command.
On the Member Of page, select the group from the list and click Remove.

Managing AD LDS data


You can use the Web Interface to manage directory data in Microsoft Active Directory
Lightweight Directory Services (AD LDS). Similarly to Active Directory domains, directory
data can be managed in only the AD LDS instances that are registered with Active Roles
(managed AD LDS instances).
The application directory partitions found on the managed AD LDS instances are grouped
together in the AD LDS (ADAM) container, thus making it easy to locate the AD LDS data.
Each directory partition is represented by a separate container (node) so you can browse
the partition tree the same way you do for an Active Directory domain.
The Web Interface supports a wide range of administrative operations on AD LDS users,
groups and other objects, so you can create, view, modify, and delete directory objects,
such as users, groups, containers and organizational units, in AD LDS the same way you do
when managing data in Active Directory.

To browse the directory tree in AD LDS directory partitions

1. On the Navigation bar, click Directory Management.
2. In the Browse pane, click the Tree tab.
3. On the Tree tab, do the following:
   a. Expand the AD LDS (ADAM) container.
   b. Under AD LDS (ADAM), expand a directory partition object to view its top-level
      containers.
   c. Expand a top-level container to view the next level of objects in that container.
4. Do one of the following:
   • To move down a directory tree branch, continue expanding the next lowest
     container level on the Tree tab.
   • To administer a directory object at the current directory level, click a container
     on the Tree tab and use the instructions that follow.

To manage directory data in AD LDS

1. On the Tree tab in the Browse pane, under AD LDS (ADAM), click the container that
holds the data you want to manage.
2. In the list of objects, select the object that represents the directory data you
want to manage.
3. Use commands in the Command pane to perform management tasks.

NOTE: In the list of objects, clicking the name of a leaf object, such as a user or group,
displays a page intended to view or modify object properties; clicking a container
object, such as a partition or an Organizational Unit, displays a list of objects held in
that container.

Managing computer resources


You can use the Web Interface to manage the following computer resources:
• Services: Start or stop a service, view or modify properties of a service.
• Network file shares: Create a file share, view or modify properties of a file share,
  stop sharing a folder.
• Logical printers: Pause, resume or cancel printing, list documents being printed,
  view or modify properties of a printer.
• Documents being printed (print jobs): Pause, resume, cancel or restart printing
  of a document, view or modify properties of a document being printed.
• Local groups: Create or delete a group, add or remove members from a group,
  rename a group, view or modify properties of a group. Unavailable on domain
  controllers.
• Local users: Create or delete a local user account, set a password for a local user
  account, rename a local user account, view or modify properties of a local user
  account. Unavailable on domain controllers.
• Devices: View or modify properties of a logical device, start or stop a logical device.

To manage computer resources

1. In the Web Interface, locate the computer that hosts resources you want to
manage. For instructions on how to locate objects in the Web Interface, see Locating
directory objects.
2. Select the computer in the list of objects, then click Manage in the Command pane.
3. In the list of resource types, click the type of resource you want to manage.
4. In the list of objects that appears, select the resource you want to manage.
5. Use commands in the Command pane to perform management tasks on the
selected resource.

To manage print jobs

1. Repeat Steps 1–2 of the previous procedure, to start managing computer resources.
2. In the list of resource types, click Printers to view a list of printers found on the
computer you selected.
3. In the list of printers, select a printer whose print jobs you want to manage.
4. In the Command pane, click Print Jobs to view a list of documents being printed.

5. In the list of documents, select a document to pause, resume, restart, or
cancel printing.
6. Use commands in the Command pane to perform management tasks on the
selected document.

Restoring deleted objects


The Web Interface can be used to restore deleted objects in any managed domain that is
configured to enable Active Directory Recycle Bin, a native Active Directory Domain
Services feature.
To undo deletions, Active Roles relies on the ability of Active Directory Recycle Bin to
preserve all attributes, including the link-valued attributes, of the deleted objects. This
makes it possible to restore deleted objects to the same state they were in immediately
before deletion. For example, restored user accounts regain all group memberships that
they had at the time of deletion.
This section provides instructions on how to restore deleted objects by using the Web
Interface. For more information, see Recycle Bin in the Active Roles Administration Guide.

Locating deleted objects


If Active Directory Recycle Bin is enabled in a managed domain, the Web Interface provides
access to the Deleted Objects container that holds the deleted objects from that domain.
On the Tree tab in the Browse pane, the Deleted Objects container appears at the same
level as the domain object, under the Active Directory node. If multiple managed
domains have Active Directory Recycle Bin enabled, then a separate container is displayed
for each domain. To tell one container from another, the name of the container includes the
domain name (for example, MyDomain.MyCompany.com - Deleted Objects).
When you select the Deleted Objects container, the Web Interface lists all the deleted
objects that exist in the corresponding domain. The list can be sorted or filtered as
appropriate to locate particular objects (see Managing the list of objects). If you click an
object in the list, a menu appears that displays all actions you can perform on that object.

Searching the Deleted Objects container


To locate deleted objects

1. Start a search in the Deleted Objects container.
2. On the Tree tab in the Browse pane, click the Deleted Objects container.
3. In the Command pane, click Search under this container.

4. Specify criteria for the deleted objects that you want to find:
   • To search by naming properties, type in the Search field on the Toolbar. The
     Web Interface will search for objects whose naming properties match what you
     typed. The naming properties include name, first name, last name, display
     name, and login name.
   • To search by other properties, click the button on the right side of the Toolbar
     to expand the Toolbar, click Add criteria, choose the properties by which you
     want to search, click Add, and then configure the criteria as appropriate. The
     Web Interface will search for objects that match the criteria that you
     configured.
5. To start the search, press Enter.

Locating objects deleted from a certain OU or MU


To view a list of objects that were deleted from a particular Organizational Unit (OU) or
Managed Unit (MU), you can use the View or Restore Deleted Objects command. The
command opens a page that lists the deleted objects that were direct children of the
corresponding OU or MU at the time of deletion.

To view a list of objects that were deleted from a particular OU or MU

1. Select the OU or MU that held deleted objects you want to view.
2. In the Command pane, click View or Restore Deleted Objects.

The Web Interface lists the objects that were deleted from the OU or MU you selected. The
list can be sorted or filtered as appropriate to locate particular objects (see Managing the
list of objects).
NOTE: The View or Restore Deleted Objects command is also available on domain
and container objects.

Restoring a deleted object


You can restore deleted objects by using the Restore command that is available in the
Command pane when you select a deleted object in the Web Interface.

To restore a deleted object

1. In a list of deleted objects, select the object you want to undelete. For instructions on
how to build a list of deleted objects, see Locating deleted objects.
2. In the Command pane, click Restore.
3. Review and, if necessary, change the settings in the Restore Object dialog box,
then click OK to start the restore process.

The Restore Object dialog box prompts you to choose whether the deleted child objects
(descendants) of the deleted object should also be restored. The Restore child objects
check box is selected by default, which ensures that the Restore command applied on a
deleted container restores the entire contents of the container.
NOTE: When restoring a deleted object, ensure that its parent object is not deleted. You
can identify the parent object by viewing properties of the deleted object: the canonical
name of the parent object, preceded by the Deleted from label, is displayed beneath the
name of the deleted object on the property page for that object. If the parent object is
deleted, you need to restore it prior to restoring its children because deleted objects must
be restored to a live parent.
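
The live-parent rule in the note above can be checked before a restore. The following read-only PowerShell sketch is an added example, not part of the Active Roles documentation or product: it queries the domain with the Microsoft ActiveDirectory module directly rather than through Active Roles, and the function name Get-DeletedObjectRestorePlan and the OU distinguished name are hypothetical. It assumes Active Directory Recycle Bin is enabled, so that the lastKnownParent attribute of a deleted child holds the distinguished name of its (possibly deleted) parent.

```powershell
# Added example: read-only report, nothing is restored or modified.
# Requires the Microsoft ActiveDirectory module (RSAT) and rights to read deleted objects.
Import-Module ActiveDirectory

function Get-DeletedObjectRestorePlan {
    [CmdletBinding()]
    param(
        # Distinguished name of the live OU or container the objects were deleted from.
        [Parameter(Mandatory)] [string] $DeletedFrom
    )

    # All deleted objects in the domain, with the parent recorded at deletion time.
    # The Deleted Objects container itself has no lastKnownParent and is dropped.
    $deleted = Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties lastKnownParent, 'msDS-LastKnownRDN', objectClass |
        Where-Object { $_.lastKnownParent }

    # Index by current distinguished name so a deleted parent can be recognised.
    $byDn = @{}
    foreach ($o in $deleted) { $byDn[$o.DistinguishedName] = $o }

    foreach ($o in $deleted) {
        # Walk up through deleted ancestors until a parent that is not deleted is reached.
        # The hop limit guards against malformed data.
        $depth = 0
        [string] $parent = $o.lastKnownParent
        while ($byDn.ContainsKey($parent) -and $depth -lt 64) {
            $parent = $byDn[$parent].lastKnownParent
            $depth++
        }

        # Keep only objects whose first non-deleted ancestor is the requested OU or lies below it.
        $inScope = ($parent -eq $DeletedFrom) -or
                   $parent.EndsWith(",$DeletedFrom", [StringComparison]::OrdinalIgnoreCase)
        if (-not $inScope) { continue }

        [pscustomobject]@{
            RestoreOrder  = $depth                    # 0 = parent is not deleted; restore lower numbers first
            Name          = $o.'msDS-LastKnownRDN'
            ObjectClass   = $o.objectClass
            ParentDeleted = ($depth -gt 0)            # True: restore the parent before this object
            FirstNonDeletedAncestor = $parent
            ObjectGuid    = $o.ObjectGUID
        }
    }
}

# Placeholder distinguished name; replace with an OU from your own domain.
Get-DeletedObjectRestorePlan -DeletedFrom 'OU=Example,DC=example,DC=com' |
    Sort-Object RestoreOrder, Name |
    Format-Table -AutoSize
```

Rows with ParentDeleted set to True identify objects whose parent must be restored first; restoring in ascending RestoreOrder satisfies the live-parent requirement.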

7 Using Approval Workflow

This section describes how to use the Approval workflow features of Active Roles in the
Web Interface.
• Understanding approval workflow
• Locating approval items
• Using “My Tasks”
• Using “My Operations”

Understanding approval workflow


The approval workflow system included with Active Roles provides:
• A point-and-click interface to configure approval rules, available from the Active
  Roles console. The approval rules are stored and performed by the Active Roles
  Administration Service.
• The directory management section of the Web Interface for submitting operation
  requests for approval. For example, approval rules could be configured so that
  creation of a user account starts an approval workflow instead of immediately
  executing the user creation operation. For information on how to use the directory
  management section, see Managing Active Directory objects.
• The Approval area of the Web Interface to manage operation requests and
  approvals. This area includes a “to-do” list of the approval tasks the designated user
  has to carry out, allowing the user to approve or reject operation requests.

The Approval area provides a way to perform change approval actions, allowing you to
control changes to directory data that require your approval and monitor your operations
that require approval by other persons. You can use the Approval area to:
• Perform approval tasks: approve or reject operations so as to allow or deny the
  requested changes to directory data. Examples of operations include (but are not
  limited to) creation and modification of user accounts or groups.
• Check the status of your operations: examine whether the changes to directory data
  you requested are approved and applied, or rejected.

When a Web Interface user makes changes to directory data that require permission from
other individuals in an organization, the changes are not applied immediately. Instead, an
operation is initiated and submitted for approval. This starts a workflow that coordinates
the approvals needed to complete the operation. The operation is performed and the
requested changes are applied only after approval. An operation may require approval from
one person or from multiple persons.
When an operation is submitted for approval, Active Roles tracks the initiator and the
approver or approvers. The initiator is the person who requested the changes. Approvers
are those who are authorized to allow or deny the changes. An operation that requires
approval generates one or more approval tasks, with each approval task assigned to the
appropriate approver. Active Roles administrators configure approval workflow by creating
approval rules to specify what changes require approval and who is authorized to approve
or deny change requests.
In the Approval area, you can work with the operations for which you are assigned to the
approver role. As an approver, you are expected to take appropriate actions on your
approval tasks.

To access the Approval area

1. Open the Active Roles Web Interface.
2. On the Web Interface Home page, click Approval.

Locating approval items


The Approval area provides a number of views to help you locate approval items—tasks
and operations:
• My Tasks: Contains detailed entries representing the approval tasks assigned to you.
  Depending on their status, the approval tasks are distributed into two views. The
  Pending view allows you to manage the approval tasks awaiting your response. The
  Completed view lists your approval tasks that have been completed.
• My Operations: The Recent view lists your recent operations that required
  approval, and allows you to examine the status and details pertinent to each
  operation.

In addition to using the predefined views, you can locate operations and tasks by using the
search function.

To search for an operation or task by ID

1. In the right pane of the Web Interface page, under the Search label, type the ID
number of the operation or task in the Search by ID box.
2. Click the button next to the Search by ID box to start the search.

You can also search for approval items (operations and tasks) by properties other than
ID. For instance, you can find the operations that were initiated by a specific user.
Another example is the ability to locate approval tasks generated within a specific time
period. To access the advanced search function, click Advanced Search under the
Search label. Then, use the Advanced Search page to configure your search settings
and start a search.
Advanced search is the most comprehensive way to search for approval items such as
operations and tasks. Use it to find approval items based on their properties. You do this by
creating queries, which are sets of one or more rules that must be true for an item to be
found. An example of a query for operations is Initiator is (exactly) John Smith. This
specifies that you are searching for operations that have the Initiator property set to the
John Smith user account.
With advanced search, you can use conditions and values to search for approval items
based on item properties (referred to as “fields” on the search page). Conditions are
limitations you set on the value of a field to make the search more specific. Each type of
item has a set of relevant fields and each type of field has a set of relevant conditions that
advanced search displays automatically.
Some fields, such as Target object property, require that you select a property to further
define your search. In this case, you configure a query to search for operations or tasks
specific to the approval of changes to the objects based on a certain property of those
objects. For example, to find the operations that request any changes to the Description
property, you could select the Target object property field, select the Description
property, then choose the Modified condition.
Some conditions require a value. For example, if you select a Date field, the Is between
condition requires a date range value so you have to select a start date and an end date to
specify a date range. Another example is the Initiator field, which requires that you select a
user account of the Initiator role holder.
In some cases, a value is not required. For example, if you select the Modified condition,
no value is necessary, since this condition means that you want your search to be based on
any changes to a certain property, without considering what changes were actually
requested or made to the property value.
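
The query model described above (rules made of a field, a condition and, where required, a value, all of which must be true for an item to be found) can be modelled in a few lines. This is an added illustration, not Active Roles code; the record layout, the inclusive date range and the case-insensitive property match are assumptions, and the sample operations are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Any, Optional

# Constructed sample operations. The record layout is an assumption made for
# this sketch; it is not an Active Roles data or export format.
OPERATIONS = [
    {"id": 101, "initiator": "John Smith", "created": date(2023, 3, 2),
     "changed": {"description": "Temp contractor"}},
    {"id": 102, "initiator": "Jane Doe", "created": date(2023, 3, 9),
     "changed": {"telephoneNumber": "555-0100"}},
    {"id": 103, "initiator": "John Smith", "created": date(2023, 4, 20),
     "changed": {"Description": "Moved to Finance", "department": "Finance"}},
]


@dataclass(frozen=True)
class Rule:
    field: str                  # "Initiator", "Date" or "Target object property"
    condition: str              # "Is (exactly)", "Is between" or "Modified"
    value: Any = None           # required by some conditions, unused by "Modified"
    prop: Optional[str] = None  # property name for "Target object property"


def validate(rule: Rule) -> None:
    """Reject rules whose condition lacks a required value or carries a stray one."""
    key = (rule.field, rule.condition)
    if key == ("Initiator", "Is (exactly)"):
        if not isinstance(rule.value, str) or not rule.value:
            raise ValueError("Initiator requires a user account")
    elif key == ("Date", "Is between"):
        ok = (isinstance(rule.value, tuple) and len(rule.value) == 2
              and rule.value[0] <= rule.value[1])
        if not ok:
            raise ValueError("Is between requires a (start, end) date range")
    elif key == ("Target object property", "Modified"):
        if not rule.prop:
            raise ValueError("Target object property requires a property")
        if rule.value is not None:
            raise ValueError("Modified takes no value")
    else:
        raise ValueError(f"unsupported field/condition: {key}")


def matches(rule: Rule, op: dict) -> bool:
    """Evaluate one validated rule against one operation record."""
    if rule.field == "Initiator":
        return op["initiator"] == rule.value
    if rule.field == "Date":
        start, end = rule.value
        return start <= op["created"] <= end  # inclusive bounds (assumption)
    # "Modified": any change to the property counts, whatever the new value is.
    changed = {name.lower() for name in op["changed"]}
    return rule.prop.lower() in changed


def search(rules, operations=OPERATIONS):
    """Return the IDs of operations for which every rule in the query is true."""
    if not rules:
        raise ValueError("a query needs at least one rule")
    for rule in rules:
        validate(rule)
    return [op["id"] for op in operations
            if all(matches(rule, op) for rule in rules)]


if __name__ == "__main__":
    by_john = Rule("Initiator", "Is (exactly)", "John Smith")
    in_april = Rule("Date", "Is between", (date(2023, 4, 1), date(2023, 4, 30)))
    desc_changed = Rule("Target object property", "Modified", prop="Description")
    print(search([by_john]))            # one rule
    print(search([desc_changed]))       # condition without a value
    print(search([by_john, in_april]))  # two rules, both must be true
```

Combining the Initiator rule with a date range or a Modified rule narrows the result, which is how a reviewer would isolate one requester's changes to a sensitive property.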

Using “My Tasks”


You can use the My Tasks area to work with the approval tasks assigned to you as an
approver. According to their status, the tasks are distributed into two views: Pending
and Completed.
• For information about the Pending view, see Pending tasks.
• For information about the Completed view, see Completed tasks.

Pending tasks
The Pending view contains a list of your approval tasks to be completed. Each task in the
list is identified by a header area that provides basic information about the task such as a
unique ID number of the task, who requested the operation that is subject to approval,
when the task was created, the time limit of the task (if any), and the target object of the
operation. In the middle of a task’s header area is a section that contains the title of the
task (Approve operation by default), a label indicating the status of the task, and
summary information about the operation that is subject to approval.
The task’s header area contains the action buttons you can use to apply the appropriate
resolution to the approval task. The action buttons are displayed at the bottom of the
header area. Which buttons are displayed depends upon configuration of the approval rule.
You may encounter the following action buttons there:
• Approve: Click this button to allow the requested operation.
Depending on configuration of the approval and policy rules, the Web Interface may
request you to enter additional information that must be added to the operation
request. For example, when you approve the operation of creating a user account,
you may have to supply certain properties of the user account in addition to those
supplied by the administrator who requested creation of that user account. If
additional information is required, clicking Approve displays a page where you can
supply the required information. You can also access that page by clicking the
Examine task button.
• Reject: Click this button to deny the requested operation.
• Escalate: Click this button to assign the approval task to an approver of a
higher level.
This button is displayed if the approval rule has one or more approver levels (referred
to as escalation levels) configured in addition to the initial approver level. Escalation
levels are normally used to assign (escalate) the approval task automatically to the
approver of a higher level if the task is not completed in time. The approval rule may
be configured to allow approvers to escalate approval tasks as needed, in which case
the task’s header area contains the Escalate button.
• Delegate: Click this button to assign the approval task to a different person. You can
select the user account of the person to whom you want to assign the task.
This button is displayed if the approval rule is configured with the option to allow
approvers to reassign (delegate) their approval tasks to others.
• Custom buttons: The approval rule may add custom buttons to the task’s header
area. The action that Active Roles performs when you click a custom button depends
upon configuration of the workflow containing the approval rule. The administrator
who configures the workflow should normally supply an instruction on the use of
custom action buttons. To view the instruction, click the Examine task button. This
opens a page containing the same action buttons that you see in the task’s header
area. The instruction text is displayed above the action buttons on that page.

The task’s header area contains the Examine task button allowing you to get detailed
information about the task, review the object properties submitted for approval, and supply
or change additional properties. Clicking the Examine task button displays a page
containing a replica of the task’s header area, the action buttons, and a number of
information sections. Review the information on the page, supply or change the object
properties for which the task requests your input, and then click the appropriate action
button.
The page that appears when you click the Examine task button includes the following
information sections:
• Object properties: The contents of this section depend heavily on the configuration
of the approval rule. Thus, the approval rule may request you to enter additional
information that must be added to the operation request. For example, when you
approve the operation of creating a user account, you may have to supply certain
properties of the user account in addition to those supplied by the administrator
who requested creation of that user account. In this case, enter the requested
properties in the fields under Supply or change the following properties.
Normally, the approval rule is configured so that the approver is allowed to review
the values of the object properties that were supplied or changed by the operation
that is subject to approval. The approval rule may also be configured to allow the
approver to change those property values. In either case, you can view or change
them in the fields under Review the properties submitted for approval.
• Approvers: This section displays a list of the user accounts or groups to which the
approval task is currently assigned. Any of the listed users or members of the listed
groups can act as an approver on the task in question.
• Approval progress: This section provides information on the date and time that the
task was created and whether the task was escalated to a higher approver level or
reassigned (delegated) to other persons. If the task was escalated, you can view
when escalation occurred and what caused escalation. If the task was reassigned
(delegated), you can view who delegated the task, when, and to whom.
• Details: In this section you can view aggregated information about the approval task
properties and configuration, and some details of the operation that the task is
intended to allow or deny. The Operation ID field provides a link to a page where
you can examine the operation in more detail.

To complete a pending task

1. Click Examine task in the task’s header area.


2. On the Object properties page, review, supply or change the object properties for
which the task requests your input, and then click the appropriate action button.

You can also complete a task by clicking the appropriate action button in the task’s header
area. However, if the current policy and approval rules require the approver to supply some
additional information, the Web Interface would open the Object properties page,
prompting you to configure the required properties.

Completed tasks
The Completed view contains a list of your approval tasks that are completed and do not
require approver action. Each task in the list is identified by a header area that provides
basic information about the task such as a unique ID number of the task, who requested
the operation that is subject to approval, when the task was created, and the target object
of the operation. In the middle of a task’s header area is a section that contains the title of
the task (Approve operation by default), a label indicating the status of the task, and
summary information about the operation that was subject to approval. The header area
also identifies the approver action that was applied to complete the task and the completion
reason, if any, specified by the approver who completed the task.
The task’s header area contains the Examine task button allowing you to get detailed
information about the task and review the object properties that were submitted for
approval or changed by the approver who completed the task. Clicking the Examine task
button displays a page containing a replica of the task’s header area and the following
information sections:
• Object properties: The contents of this section depend heavily on the configuration
of the approval rule. Thus, the approval rule may request the approver to enter
additional information that must be added to the operation request. For example,
when you approve the operation of creating a user account, you may have to supply
certain properties of the user account in addition to those supplied by the
administrator who requested creation of that user account. The values of the
properties supplied by the approver are displayed in the fields under Supply or
change the following properties.
Normally, the approval rule is configured so that the approver is allowed to review
the values of the object properties that were supplied or changed by the operation
that is subject to approval. The approval rule may also be configured to allow the
approver to change those property values. In either case, you can view them in the
fields under Review the properties submitted for approval.
• Approvers: This section displays a list of the user accounts or groups to which the
approval task was assigned.
• Approval progress: This section provides information on the date and time that the
task was created, and whether the task was escalated to a higher approver level or
reassigned (delegated) to other persons. If the task was escalated, you can view
when escalation occurred and what caused escalation. If the task was reassigned
(delegated), you can view who delegated the task, when, and to whom.
The Task completed sub-section indicates the date and time that the task was
completed, identifies the approver who completed the task and the approver action
that was applied to complete the task, and lists the values of the object properties
that were supplied or changed by the approver.
• Details: In this section you can view aggregated information about the approval task
properties and configuration, and some details of the operation that was allowed or
denied by the completed task. The Operation ID field provides a link to a page
where you can examine the operation in more detail.

Using “My Operations”
In the My Operations area, the Recent view lists your operation requests that are
waiting for approval from other individuals, as well as those allowed (approved) or
denied (rejected) by the approver. You can use this view to monitor the status of your
requests. You also have the option to cancel any of your requests that are not yet
approved or rejected.
Each operation listed in the Recent view is identified by a header area that provides basic
information about the operation such as a unique ID number of the operation, when and by
whom the operation was requested, and the target object of the operation. A section in the
middle of the operation header contains a summary of the operation, operation status and
an operation reason that was supplied when the operation was submitted for approval.
The operation summary identifies the operation type (such as Create user or Change
user) and may provide information about the changes to the object properties that result
from the operation. From the operation status you can tell whether the operation is waiting
for approval (pending), allowed (completed), denied (rejected) or canceled. If a given
operation is waiting for approval, you can remove the operation request by clicking the
Cancel operation button.
The operation header contains the View operation details button allowing you to get
detailed information about the operation and review the object properties that were
submitted for approval or changed by the approver who allowed the operation. Clicking the
Examine task button displays a page that contains a replica of the operation header and
the following information sections under the operation header:
• Properties changed during this operation: This section lists the object property
values that were changed as a result of the operation, new values assigned to the
properties, and identifies who made the changes.
• Workflow activities and policy actions: This section provides detailed
information about all policies and workflows that Active Roles performed when
processing the operation request, including information about the approval tasks
created as a result of approval workflow activities. For each approval task, you can
view the status of the task along with aggregated information about the properties
and configuration of the task.
From the task status you can tell whether the task is waiting for completion
(pending), completed to allow the operation or rejected to deny the operation. From
the additional information about a task, you can identify, for instance, the approvers
to whom the task is assigned, the due date of the task, the approver who allowed or
denied the operation and what changes, if any, the approver made to the original
operation request.
• Operation details: This section contains additional information about the operation,
including when and by whom the operation was requested, the target object of the
operation, the current status of the operation, and the date and time that the record
of the operation was last updated.

8

Customizing the Web Interface

Active Roles Web Interface supports customizing its various components (including the
Navigation bar, the Home page and the contents of the various pages) to adapt the feature
to the needs of your organization.
For more details, see the following subsections:
• About Web Interface customization
• Web Interface customization terms
• Configuring Web Interface menus
• Configuring Web Interface commands
• Configuring Web Interface forms
• Web Interface customization examples
• Web Interface global settings
• Customizing the Web Interface Navigation bar
• Customizing the Web Interface Home page
• Configuring Web Interface for enhanced security

About Web Interface customization


The Web Interface gives Active Roles administrators the ability to customize menus,
commands, and forms that are used for managing directory objects. Active Roles
administrators can add and remove commands or entire menus, assign tasks and
forms to commands, modify forms used to perform tasks, and create new commands,
tasks, and forms.
NOTE: The Active Roles administrators are members of the Active Roles Admin account,
specified during configuration of the Active Roles Administration Service. By default, the
Active Roles Admin account is the Administrators local group on the computer running
the Administration Service.
Before you start customizing the Web Interface, consider the following:

• The customization settings are saved as part of the Active Roles configuration. When
you customize a Web Interface site, your changes are in effect on all the other Web
Interface sites that share the configuration you are changing.
• After you have performed any customization of a Web Interface site, you must
publish the new configuration to the Web server. To do this, open the Web Interface
site in your Web browser, expand Customization on the Navigation bar, and then
click Reload. This operation must be performed on each of the Web Interface sites
that share configuration with the site you have customized.
• The Reload command causes the Web Interface to retrieve the new configuration
data from the Administration Service and update the local copy of the configuration
data on the Web server that hosts the Web Interface site. When configuration data
changes because of any customization-related actions, the changes have no effect on
the Web Interface site until they are transferred to the local copy on the Web server.
Use the Reload command to get the local copy properly updated.
• You can discard the customization of the Web Interface site, and restore the default
menus, commands, and forms that were initially installed with the Web Interface. To
do this, expand Customization on the Navigation bar and click Restore Default.

Web Interface customization terms


This section briefly describes the Web Interface elements that support customization:
menus, commands, forms, tabs, and entries.
The following figure shows the items you can customize.

Figure 1: Web Interface elements supporting customization

Menu
A menu represents a set of commands (directives) associated with objects of a certain
type, and used to manage those objects. Examples: the User menu, the Group menu, the
Contact menu.
For each object type, such as User or Group, the Command pane displays a menu of
commands. You can customize a menu by adding or removing commands.

Command
A command is an instruction that, when issued by a user, causes an action to be carried
out. Web Interface users select commands from a menu in the Command pane. Some
examples of commands are New User on the Organizational Unit menu, General
Properties on the User menu and Members on the Group menu.
Each command is intended to perform a certain task, such as displaying property pages.
You can customize pages associated with a command.

Form
A form is a structured page with predefined areas for entering and changing information. A
form consists of elements such as text boxes, check boxes, option buttons, and command
buttons. Form elements allow users to perform actions, make choices, and identify and
enter information. A form is a set of pages (tabs) associated with a command that requires
data entry. You can customize a form by adding or removing tabs and entries.

Tabs
Since an object normally has a large number of properties, it may be necessary to
categorize and group properties within a form. A tab represents a group of properties
located on a separate page, such as General, Address or Account on the Properties
form for User objects. By clicking tabs, you can access pages to view or modify properties.
You can add or remove tabs from a form, and change the order of tabs.

Entry
An entry is a group of elements on a form that are intended to view or modify a
property of an object. For example, the First name entry is used to manage the value
of the givenName property. You can add or remove entries from a form, and change
the order of entries.

Link to Form Editor


The Customize link is used to open the form in the Form Editor:

Figure 2: Form Editor

The Form Editor displays all tabs that make up a form, along with the entries placed on
each tab, and provides a central place to add, remove, or modify tabs and entries, as well
as to change the order of tabs and entries on the form.

Focus item
The focus item identifies the object you are customizing. A list of menus, a menu, a command,
a form, a tab and an entry are examples of focus items. To identify a focus item, the
Web Interface displays the name of the item and an icon indicating the type of the item.

Form Editor Toolbar


You can use the toolbar to make changes to the form. The toolbar includes the
following buttons:
• Move Up: Moves the selected items up one level in the list.
• Move Down: Moves the selected items one level lower in the list.
• Delete: Removes the selected items.
• New Tab: Adds a tab to the form.
• Add Entry: Adds an entry to the tab.

List of entries
You can change the order of entries on a tab by selecting check boxes in the list of entries,
then clicking Move Up or Move Down on the toolbar. You can also view or modify
properties of an entry by clicking the Edit icon next to the name of the entry.

Form Editor Tab


Click a tab to view or modify entries on that tab. You can change the order of tabs by
selecting check boxes next to tab names, and then clicking Move Up or Move Down on
the toolbar. You can also view or modify properties of a tab by clicking the Edit icon next to
the name of the tab.

Configuring Web Interface menus


For each object type, such as User, Group or Computer, the Command pane displays a
menu that represents a list of commands associated with that object type. You can
customize a menu by adding or removing commands.

To navigate to the List Existing Menus page

1. Open the Active Roles Web Interface.


2. On the Web Interface home page, click Customization, then click
Customization Tasks.
Alternatively, on the Navigation bar, expand Customization, then click
Directory Objects.

The List Existing Menus page displays a list of menus. You can click the name of a menu
in the list to view a list of commands included in the menu.

Creating a Web Interface menu


You can create new Web Interface menus with the Customization option of the Active
Roles Web Interface.

To create a Web Interface menu

1. Navigate to the List Existing Menus page. To do so, expand Customization on the
Navigation bar, then click Directory Objects.
2. In the right pane, click Create New Menu.
3. In the Object type list, click an object type. Then, click Finish.
The Web Interface creates a menu for the object type you selected. The menu has
the same name as the object type.
4. Click Reload to publish your changes.

Deleting a Web Interface menu


You can delete existing Web Interface menus with the Customization setting of the Active
Roles Web Interface.

To delete a Web Interface menu

1. Navigate to the List Existing Menus page. To do so, expand Customization on the
Navigation bar, then click Directory Objects.
2. On the List Existing Menus page, click the name of the menu you want to delete.
3. In the right pane, click Delete Menu.
4. Click Reload to publish your changes.

Adding a command to a Web Interface menu


You can add new commands to an existing Web Interface menu with the Customization
settings of the Active Roles Web Interface.

To create a new command on a menu

1. Navigate to the List Existing Menus page. To do so, expand Customization on the
Navigation bar, then click Directory Objects.
2. On the List Existing Menus page, click the name of the menu to which you want to add
the command.
3. In the right pane, click Create New Command.
4. In the Command type list, click one of the following:
• Form Task: Creates a command to open a form.
• Page View Task: Creates a command to open a custom page.
• Search Task: Creates a command to perform a search.
• Set Attribute Task: Creates a command to assign a certain value to a certain
attribute of directory objects.
5. Click Next.
6. Specify general properties of the command, such as the command name and
description.
7. Specify command properties specific to the type of the command:
• If you have selected Page View Task, specify the address (URL) of the
resource, such as a Web page, that you want the command to open.
• If you have selected Search Task, specify the parameters of the search you
want the command to perform. You can also set up the configuration of the list
of search results.
• If you have selected Set Attribute Task, choose the attribute you want the
command to set and specify the value you want the command to assign to
that attribute.
8. Click Finish.
9. Click Reload to publish your changes.

To add an existing command to a menu

1. On the List Existing Menus page, click the name of the menu to which you want to add
the command.
2. In the right pane, click Add Existing Command.
3. In the list of existing commands, click the command you want to add to the menu.
NOTE: The list includes commands that exist in the configuration of the Web
Interface site. As such, it also includes commands that were deleted from
menus, so you can use the Add Existing Command function to restore a
command on a menu.
4. Click Save.
5. Click Reload to publish your changes.

Removing commands from a Web Interface menu

You can remove existing Web Interface commands from a menu page with the
Customization setting of the Active Roles Web Interface.

To remove commands from a Web Interface menu

1. Navigate to the List Existing Menus page. To do so, expand Customization on the
Navigation bar, then click Directory Objects.
2. On the List Existing Menus page, click the name of the menu from which you want to
remove commands.
3. In the list of commands, select check boxes to mark the commands you want
to remove.
4. On the toolbar at the top of the list, click Delete.
5. Click Reload to publish your changes.

Setting the default command on a Web Interface menu

You can set the default command for an existing Web Interface menu with the
Customization setting of the Active Roles Web Interface.

To set the default command on a Web Interface menu


1. Navigate to the List Existing Menus page. To do so, expand Customization on the
Navigation bar, then click Directory Objects.
Then, on the List Existing Menus page, click the name of the menu you
want to modify.
2. In the right pane, click Default Command.
3. Click Choose.
4. Click the command you want to be used by default, then click OK.
5. Click Save.
6. Click Reload to publish your changes.

NOTE: The Web Interface runs the default command for an object when the user clicks
the name of that object in a list. For example, since View Contents is set as the default
command for container objects, the Web Interface lists the objects held in the container
when you click the name of a container in a list of objects.

Adding a separator to a Web Interface menu


You can add menu separators to existing Web Interface menus with the Customization
setting of the Active Roles Web Interface.

To add a separator to a Web Interface menu

1. Navigate to the List Existing Menus page. To do so, expand Customization on the
Navigation bar, then click Directory Objects.
2. On the List Existing Menus page, click the name of the menu you want to modify.
3. In the right pane, click Add Separator.
This adds the <Separator> item to the list of menu commands.
4. Adjust the position of the separator on the menu. To do so, select the check box next
to the separator in the list of commands, then click Move Up or Move Down on the
toolbar at the top of the list.
5. Click Reload to publish your changes.

NOTE: Consider the following when configuring separators for a Web Interface menu:

• Separators are used to group related commands on a menu, to make the menu
easier to read.
• If necessary, you can remove separators. To do so, in the list of commands, select
the check boxes to mark the separators you want to remove, then click Delete on
the toolbar at the top of the list.

Changing the order of commands on a Web Interface menu

You can change the order of commands in a Web Interface menu with the Customization
setting of the Active Roles Web Interface.

To change the order of commands in a Web Interface menu

1. Navigate to the List Existing Menus page. To do so, expand Customization on the
Navigation bar, then click Directory Objects.
2. On the List Existing Menus page, click the name of the menu you want to modify.
3. In the list of commands, select check boxes to mark the commands you want
to move.
4. Click Move Up or Move Down on the toolbar at the top of the list.
5. Click Reload to publish your changes.

Configuring Web Interface forms


A form is a set of pages associated with a command that requires data entry. You can
customize a form by adding or removing entries.
Each entry is intended to view or modify certain portions of directory data referred
to as object attributes or properties. You can rearrange entries or adjust their
behavior as needed.
To start customizing a form, you must first open that form in the Form Editor.

To open a Web Interface form in the Form Editor

1. On the Web Interface home page, click Customization, then click
Customization Tasks.
Alternatively, in the Navigation bar, expand Customization, then click
Directory Objects.
2. In the list of menus, click the menu that contains the command linked with the form
you want to configure.

3. In the list of commands, click the command that is linked with the form you want
to configure.
4. In the right pane, click Edit Form. If no form is linked with the command you
selected, the right pane does not contain the Edit Form command.

NOTE: You can also open a form in the Form Editor by navigating to the Web Interface
page that you want to configure, then clicking Customize.

Viewing or modifying the properties of a Web Interface form

You can view or modify the properties of a Web Interface form with the Form Editor,
available in the Customization menu.

To view or modify properties of a Web Interface form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. In the right pane, click Properties.
3. Modify properties of the form, if needed, and click Save.
4. Click Reload to publish your changes.

You can view or modify the following properties of a form:


• Name: The text that identifies the form. When a form is linked with a command, the
Form name property of the command is set to the name of the form.
• Description: Any text that helps identify the form in a list of forms (an
administrator can view this text in addition to the form name when selecting a form
to link with a command).
TIP: Form names do not have to be unique. If two or more forms have the same Name,
use the Description text to clearly differentiate them.
• Object type: If the form is intended for creating objects, this property identifies the
type of object that can be created by using the Web Interface page based on this
form. The object type is set when the form is created, and cannot be modified.
• Form type: This property is set on a form when the form is created, and cannot be
modified. The form type can be one of the following:
    • Edit Properties: The Web Interface page that is based on this form displays
    properties of existing objects and provides the ability to make changes to
    object properties. Each tab on the form represents the respective tab on the
    Web Interface page.
    • New Object: The Web Interface page that is based on this form serves for
    creating objects in the directory. The page provides for one or more steps to
    collect user input, with each step being represented by a single tab on the
    form. Thus, with two tabs on the form, the Web Interface page displays the
    entries found on the first tab, allowing the user to enter data as required. When
    the user clicks Next, the page displays the entries from the second tab.
    • Rename: This type is basically the same as Edit Properties. However, if a
    form includes entries for managing so-called “naming” attributes, such as the
    “name” attribute, set the form type to Rename instead of Edit Properties.
• Show policy descriptions: This option specifies if the Web Interface page that is
based on this form provides visual indication of Active Roles policies. For example,
the “User logon name” attribute is normally controlled by a certain policy. When this
option is selected, the Web Interface displays an icon next to the name of the “User
logon name” field. Clicking the icon allows the user to view the policy rules that are in
effect. If the option is not selected, all such icons are removed from the page, so the
user cannot view policy rules.

Adding a tab to a Web Interface form


You can add new tabs to Web Interface forms with the Form Editor, available in the
Customization menu.

To add a tab to a form

1. Open the form in the Form Editor.


2. On the toolbar in the Form Editor, click New Tab.
3. Specify a name for the new tab.
The name of a tab is the text that labels the tab or step on the respective Web
Interface page.
4. Click Finish; then, click Reload to publish your changes.

Deleting tabs from a Web Interface form


You can delete existing tabs from Web Interface forms with the Form Editor, available in
the Customization menu.

To delete tabs from a Web Interface form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Select the check boxes next to the tabs you want to delete.
3. On the toolbar in the Form Editor, click Delete.
4. Once the tabs are deleted, click Reload to publish your changes.

Viewing or modifying the properties of a Web Interface tab
You can view or modify the properties of a Web Interface tab with the Form Editor,
available in the Customization menu.

To view or modify the properties of a Web Interface tab on a form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Click the Edit icon next to the name of the tab.
3. (Optional) If needed, modify the properties of the tab, click Save, then click Reload.

NOTE: You can also modify the name of the tab with this procedure.

Configuring the visibility options of a Web Interface tab
A tab on a Web Interface page can be either visible or hidden. If a tab is visible, the Web
Interface user can click the tab to access the user interface elements (entries) located on
that tab. If a tab is hidden, it is inaccessible to the Web Interface user.
Normally, if a Web Interface user has sufficient rights to view the page that holds a given
tab, the tab is visible to that user. However, certain scenarios may require a particular tab
to be hidden or displayed on a page depending on the properties of the object selected by
the user to access that page. For example, you may need to hide the Membership
Approval tab on the group’s General Properties page when the user selects a group
whose properties meet certain conditions. Another requirement could be to hide or display
a tab depending on whether the user is authorized to make certain changes to the selected
object. For example, it may be required that the Membership Approval tab be hidden if
the user does not have sufficient rights to change the members list of the group.
To address these requirements, the Web Interface provides a number of options that
control the visibility of a tab to the user. The visibility options on a tab take the form of
conditions that are evaluated when a particular user selects a particular object in the Web
Interface to access a page containing that tab. The tab is displayed if each of the conditions
evaluates to True.
By setting up the appropriate conditions on a tab, the administrator can control the
visibility of the tab in the following ways:
• Show the tab if the properties of the selected object meet certain requirements (for
example, the description of the object is set to the text string specified); otherwise,
hide the tab. The conditions that control the tab visibility in this way are referred to as
property-related conditions.
• Show the tab if the user is authorized to modify certain properties of the selected
object (for example, the user is authorized to change the description of the object);
otherwise, hide the tab. The conditions that control the tab visibility in this way are
referred to as access-related conditions.

It is possible to set up only property-related conditions, only access-related conditions, or
both. The tab is displayed if all the specified conditions evaluate to True. If at least one of
the specified conditions is not met, the tab is hidden.

To configure the visibility options of a Web Interface tab

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. In the Form Editor, click the Edit icon next to the name of the tab you want
to configure.
3. Click Visibility on the page for managing the properties of the tab.
4. Select the option to set up visibility conditions.
5. To set up property-related conditions, click Configure.
6. Add or remove a visibility condition as follows:
    • To add a condition, select a property, type in a value, and click Add
    Requirement.
    • To remove a condition, select it from the list and click Remove.
    • When finished, click OK.
When you select a property and supply a value, either a new condition is added to the
list or the supplied value is added to the existing condition that is based on the
selected property. The latter occurs if the property is already in the list of the
property-related conditions. This allows you to configure a condition that evaluates to
True if the property has any one of the values specified. If only one value is supplied
for a particular condition, then the condition evaluates to True if the property has
exactly the value specified.
7. Add or remove access-related conditions as follows:
    • If you want to add a condition, click Add, select a certain property, and
    click OK.
    • If you want to remove a condition, select it from the list and click Remove.
When you select a property and click OK, a new condition is added that evaluates to
True if the user has sufficient rights in Active Roles to make changes to that property
of the object selected by the user in the Web Interface.
8. Click Save.
9. Click Reload to publish your changes.
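
The following Python model is an added example, not Active Roles code: it applies the rules described above (values supplied for one property are alternatives, and every condition must hold) and reports which conditions hid the tab. Exact string matching and the sample group data are assumptions of this example.

```python
# Added example: a model of the documented tab-visibility rules.
# It is not part of Active Roles; names and sample data are constructed.

def add_requirement(property_conditions, prop, value):
    """Mirror 'Add Requirement': a value for a property that already has a
    condition joins that condition instead of creating a second one."""
    property_conditions.setdefault(prop, set()).add(value)
    return property_conditions


def explain_tab_visibility(property_conditions, access_conditions,
                           obj, writable_props):
    """Return (visible, failed), where failed lists the conditions that
    evaluated to False as (kind, property) pairs.

    property_conditions: {property: set of accepted values}
    access_conditions:   properties the user must be allowed to modify
    obj:                 {property: value} of the selected object
    writable_props:      properties the current user may modify on obj
    """
    failed = []
    # Property-related: True if the property has any one of the listed values
    # (assumption: exact, case-sensitive comparison).
    for prop, accepted in property_conditions.items():
        if obj.get(prop) not in accepted:
            failed.append(("property", prop))
    # Access-related: True if the user may change that property.
    for prop in access_conditions:
        if prop not in writable_props:
            failed.append(("access", prop))
    # The tab is shown only if every condition evaluated to True.
    return (not failed, failed)


if __name__ == "__main__":
    conditions = {}
    add_requirement(conditions, "description", "Approval required")
    add_requirement(conditions, "description", "Restricted")  # same condition
    group = {"description": "Restricted"}                     # constructed
    for rights in ({"member", "description"}, {"description"}):
        print(sorted(rights),
              explain_tab_visibility(conditions, ["member"], group, rights))
```
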

Adding an entry to a Web Interface form
You can add new or existing entries to a Web Interface form with the Form Editor, available
in the Customization menu.

To create a new entry and add it to a form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Click the tab to which you want to add the entry.
3. On the toolbar in the Form Editor, point to Add Entry and click Create.
4. In the Property list, click the attribute for which to add the entry, then click Next.
5. Specify a name for the new entry, then click Finish.
6. Click Reload to publish your changes.

NOTE: The name of an entry is the text that labels the control or group of controls on the
respective Web Interface page. For example, if an entry appears as a check box on the
page, the name of the entry is displayed next to the check box. If an entry appears as an
edit box, the name of the entry is directly above the edit box.
A form can hold only one entry per attribute.

To add existing entries to a form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Click the tab to which you want to add the entry.
3. On the toolbar in the Form Editor, point to Add Entry and click Select.
4. In the list of entries, select check boxes next to the names of the entries to add.
5. Click Finish. Then, click Reload to publish your changes.
You may need to scroll down the list of entries in order to access the Finish button.

The list for selecting an entry contains the following information about each entry:
• Entry name: The name of the entry.
• Managed property: The attribute or attributes that are managed by using this
entry. The attributes are identified by LDAP display name.
• Forms that use this entry: The entry is added to each of the listed forms. The
forms are identified by name. Clicking the name of a form opens the form in the
Form Editor.
• Entry type: This can be one of the following:
    • Auto: An entry that was created by using the Form Editor.
    • Custom: A predefined entry that came with the Web Interface, or an entry that
    was created by using tools other than the Form Editor (for example, by
    implementing and deploying custom code).
    • Naming: An entry for managing a naming attribute, such as the name attribute.
    Setting a naming attribute requires some additional steps, which are not
    necessary with other attributes. The entries of this type are normally
    predefined and installed with the Web Interface.

When selecting an existing entry, consider the type of the entry. Entries of different types
can have the same name and the same managed property. Since the behavior of an
entry depends upon the type of the entry, selecting an entry of an inappropriate type can
cause incorrect results. Thus, selecting an Auto entry instead of a Custom entry will
normally result in the loss of the features that the Custom entry provides in addition to,
or instead of, the default features of the Auto entry. For more information, see Type of
Web Interface entries.

Adding static text to a Web Interface form


The Form Editor provides a special type of entry: the "text area", allowing you to add static
text to a form. You can use text areas to have the form display descriptive text, such as
titles, captions, or brief instructions. In the Web Interface, a text area entry only displays
the text specified in the configuration of the entry. To change the text, you need to edit the
entry from the Form Editor.

To add static text to a Web Interface form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Click the tab to which you want to add static text.
3. On the toolbar in the Form Editor, point to Add Entry and click Text area.
4. In the Text to display box, supply the text you want to be displayed on the tab.
5. Click Finish. Then, click Reload to publish your changes.

These steps add an entry named Text area in the Form Editor. You can select the check
box next to the Text area name and use the Move Up and Move Down buttons on the
toolbar to change the position of the text area. To change the text displayed by the text
area, click the Edit icon next to the Text area name. When you are done, click Save, then
click Reload to publish your changes.

Deleting entries from a Web Interface form


You can delete entries from a Web Interface form with the Form Editor of the
Customization menu.

To delete entries from a Web Interface form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Click the tab from which you want to delete entries.
3. In the list of entries, select check boxes to mark the entries you want to delete.
4. On the toolbar in the Form Editor, click Delete.
5. Once the entries are deleted from the form, click Reload to publish your changes.

Viewing or modifying a Web Interface entry


You can view or modify Web Interface entries with the Form Editor of the
Customization menu.

To view or modify entries in a Web Interface form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Click the tab in which you want to manage entries.
3. Click the Edit icon next to the name of the entry you want to manage.
4. Modify the entry properties as you need. For more information on these entries, see
Type of Web Interface entries and Entry for an attribute of DN syntax:
    • Entry name: Text that labels the entry on the Web Interface page. For a check
    box, the name of the entry appears next to the check box. For an edit box, the
    name is displayed above the edit box.
    • Entry description: Any text that helps identify the entry.
    • Entry ToolTip: The text that is displayed when the mouse pointer is
    positioned over the entry on the Web Interface page.
    • Entry type: The type of the entry. For details, see Type of Web Interface
    entries. This setting is defined when the entry is created, and cannot be
    changed.
    • Property: The list of attributes that are managed by this entry (managed
    attributes). Each attribute is identified by its LDAP display name. This setting is
    defined when the entry is created, and cannot be changed.
    • Treat as single-valued: This option applies to entries for multi-valued
    attributes. When selected, it causes the entry to behave as if the managed
    attribute can store only one value.
    • Read only: When selected, prevents the user from changing the data
    displayed by the entry on the Web Interface page.
    • Syntax: Indicates the syntax of the attribute that is managed by this entry.
    The name of the syntax is retrieved from the directory schema and displayed
    for informational purposes only.
    • Multivalued: Indicates whether the managed attribute is multi-valued. This
    information is retrieved from the directory schema and displayed for
    informational purposes only.
    • Render as multiline: Applies to entries for managing string values. Specifies
    whether the entry can display multiple strings or only a single string.
    • Label next to entry: Specifies whether to display the entry name next to or
    above the entry on the form. When this check box is selected, the name appears
    to the left of the entry. When this check box is cleared, the name appears
    above the entry.
    • Text to display: Applies to the text area entry type. Specifies the text to be
    displayed in the text area.
NOTE: Any changes you make to an entry will be applied to every form
containing the entry.
5. To apply your changes, click Save, then Reload.

Type of Web Interface entries


The Web Interface provides for these types of entry:
• Auto: Default entries. This type is assigned to the entries created using the
Form Editor.
• Custom: Predefined entries that come with the Web Interface and use custom
processing logic, or entries added by implementing and deploying custom code.
• Naming: Entries for managing so-called naming attributes, such as the name
attribute. Setting a naming attribute requires some additional steps, as compared
with other attributes. The entries of this type are normally predefined and installed
with the Web Interface.
• StaticText: Entries for adding static text, also referred to as text areas. You can use
text areas to display descriptive text, such as titles, captions, or brief instructions.

For each entry, certain logic is implemented that governs how to process the values of the
managed attribute. When retrieving an attribute from the directory, the entry uses that
logic to represent the attribute value in the appropriate format. When applying changes to
an attribute value, the entry relies on that logic to transform the changes, if necessary, to
meet the requirements imposed by the directory.
When you create an entry using the Form Editor, default processing logic is applied based
on the syntax of the managed attribute according to the directory schema. Such default
entries are referred to as Auto entries in the Web Interface.
For each of the syntaxes that are defined in Active Directory, certain default logic is defined
in the Web Interface and applied to every Auto entry for managing any attribute of the
respective syntax. Thus, an auto entry for an attribute of Boolean syntax takes the form of
a check box. An auto entry for an attribute of String (Unicode) syntax is merely an edit box.
Default processing logic may not be suitable for all attributes. A typical example is
userAccountControl.
In Active Directory, the userAccountControl attribute values are stored as integers, so the
Auto entry for that attribute takes the form of an edit box that displays the integer value
retrieved from the directory. This representation of attribute values is not helpful because a
value of the userAccountControl attribute is, in fact, a 4-byte (32-bit) data structure that
contains flags for configuring some user account settings, such as the flag that controls
whether a user account is enabled or disabled.
A value of userAccountControl is a type of integer wherein each bit in the numeric value
represents a unique setting. This type of integer is called a bit field. Because each bit in a
bit field represents a different setting, simply examining the integer value as a whole
number is of little use. You must examine the individual bit that corresponds to the setting
you are interested in viewing or changing.
To help identify which bit to check in the userAccountControl value, the Web Interface
provides a predefined entry that uses custom logic to represent each bit as a separate
check box. The entries like this one, which use processing logic differing from default
processing logic, are called Custom entries in the Web Interface (as opposed to the Auto
entries that rely on default processing logic).
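
The bit-by-bit reading described above can be reproduced outside the Web Interface. The Python below is an added example, not code from Active Roles or its SDK; the flag values are the documented Active Directory userAccountControl constants, and the REVIEW_FLAGS subset is this example's own choice of settings an administrator may want to audit.

```python
# Added example: decode an Active Directory userAccountControl bit field.
# Not Active Roles code. Sample values in __main__ are constructed.

UAC_FLAGS = {
    "SCRIPT": 0x00000001,
    "ACCOUNTDISABLE": 0x00000002,
    "HOMEDIR_REQUIRED": 0x00000008,
    "LOCKOUT": 0x00000010,
    "PASSWD_NOTREQD": 0x00000020,
    "PASSWD_CANT_CHANGE": 0x00000040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x00000080,
    "TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "NORMAL_ACCOUNT": 0x00000200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "SERVER_TRUST_ACCOUNT": 0x00002000,
    "DONT_EXPIRE_PASSWORD": 0x00010000,
    "MNS_LOGON_ACCOUNT": 0x00020000,
    "SMARTCARD_REQUIRED": 0x00040000,
    "TRUSTED_FOR_DELEGATION": 0x00080000,
    "NOT_DELEGATED": 0x00100000,
    "USE_DES_KEY_ONLY": 0x00200000,
    "DONT_REQ_PREAUTH": 0x00400000,
    "PASSWORD_EXPIRED": 0x00800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x01000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}
KNOWN_MASK = sum(UAC_FLAGS.values())

# Assumption of this example: settings worth a second look during an audit.
REVIEW_FLAGS = (
    "PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
    "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH",
)


def _validate(value):
    # The attribute is a 32-bit structure; reject anything else early.
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("userAccountControl must be an integer")
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("userAccountControl must fit in 32 bits")
    return value


def decode_uac(value):
    """Return the names of the flags set in value, lowest bit first.
    Bits with no known meaning are reported rather than silently dropped."""
    value = _validate(value)
    names = [name for name, bit in UAC_FLAGS.items() if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN_{unknown:#x}")
    return names


def set_flag(value, name, enabled):
    """Set or clear one flag and leave every other bit untouched."""
    value = _validate(value)
    bit = UAC_FLAGS[name]
    return value | bit if enabled else value & ~bit


def flags_to_review(value):
    """Return the audit-relevant flags (REVIEW_FLAGS) that are set."""
    value = _validate(value)
    return [name for name in REVIEW_FLAGS if value & UAC_FLAGS[name]]


if __name__ == "__main__":
    for sample in (512, 514, 66048, 4194816):  # constructed sample values
        print(sample, decode_uac(sample), flags_to_review(sample))
```
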
In the Web Interface, a lot of predefined custom entries are available out of the box. Each
of the predefined custom entries, like the custom entry for the userAccountControl
attribute, is designed to manage a single attribute or a group of related attributes in accord
with the intended meaning of the attribute or attributes rather than only based on the
syntax of attribute values. If necessary, new custom entries can be added that use any
suitable processing logic. For more information and instructions, see the Active Roles SDK.

Entry for an attribute of DN syntax


The auto entries for attributes of Object (DS-DN) syntax have certain features that are
specific to only this category of entries. In this topic, for the sake of brevity, such entries
are referred to as DN entries.
Values of an attribute of Object (DS-DN) syntax are strings, each specifying the
distinguished name (DN) of a certain directory object. For attributes with this syntax,
Active Directory handles attribute values as references to the object identified by the DN
and automatically updates the value if the object is moved or renamed. Examples of such
attributes are “member”, “managedBy” and “manager”.
A DN entry retrieves DN values from the attribute, looks up the objects that are
identified by the DN values, and displays a list of those objects. By default, the list contains
the following information about each object:
• Name: The value of the name attribute.
• Description: The value of the description attribute.
• Object type: The value of the objectClass attribute.

You can configure the list to display values of other attributes: open the Properties page
for the entry (see Viewing or modifying a Web Interface entry), and click the Advanced
tab. Then, modify the list of names in the Columns box as required. You can type LDAP
display names of attributes in the Columns box, separating them by commas, or you can
click the button next to the Columns box and select attributes. The list provided by the
entry will include one column per each attribute you specify, with each column showing the
values of the respective attribute.
A DN entry provides the ability to make changes to the managed attribute, that is, to add or
remove DN values from the attribute. For this purpose, a DN entry supplements the list of
objects with the Add and Remove controls. The Remove control deletes list entries,
consequently removing the respective DN values from the managed attribute. The Add
control uses the Select Object dialog box for selecting objects. The entries representing
the selected objects are then added to the list, with the DN of each object being eventually
appended to the values in the managed attribute.
It is possible to customize the Select Object dialog box that is used by the Add control in a
DN entry. For this purpose, a DN entry provides a number of options. These options can be
found on the Advanced tab of the Properties page for a DN entry (for instructions on how
to access the Properties page, see Viewing or modifying a Web Interface entry):
• Populate list view when the dialog box opens: When turned off, this option
prevents a delay in opening the Select Object dialog box. Since populating the list
view in the dialog box implies running a query against the directory service (which
may be a lengthy operation), the ability to open the dialog box without initially
populating the list view increases responsiveness of the user interface. The user can
type and check object names in the dialog box instead of selecting objects from the
list. Alternatively, the user can manually start populating the list view by clicking a
link in the Select Object dialog box.
• Display the “Find in” field: When turned on, this option enables the users to view
the Find in setting. With this option turned off, the Find in setting is not displayed in
the Select Object dialog box.
• Allow user to change the “Find in” setting: When turned off, this option
prevents the default Find in setting from being modified by the user: the Find in
setting cannot be changed in the Select Object dialog box.
• Display the “Object name” field: When turned on, this option enables the user to
type the names of objects to select instead of clicking objects in the list view in the
Select Object dialog box. With this option turned off, the user is forced to make a
selection from the list.
• “Find in” default setting: You can specify a certain container as the default
location of the objects for selecting. Click the button next to this option in order to
select a container, or type in the distinguished name of a container. The Select
Object dialog box will open with that container substituted in the Find in field.
• LDAP search filter: When populating the list view, the Select Object dialog box
applies this setting to the Find in container in order to retrieve the objects that
match the filter specified. The list view then displays the objects returned by the
query based on this search filter. You should set up a filter string in accordance with
LDAP syntax rules.
• Scope of query: When populating the list view, the Select Object dialog box uses
this setting to qualify the query. Select one of the following:
    • Base search: The search filter is applied to the Find in object only. When
    attribute scope query (ASQ) is used, the search filter is applied to the objects
    listed in a certain attribute of the Find in object.
    • One-level search: The search filter is applied to the immediate children of the
    Find in object. The list view is populated with the immediate child objects that
    match the search filter.
    • Subtree search: The search filter is applied to the Find in object as well as to
    all objects that exist below it in the directory tree. The list view is populated
    with all the objects that match the search filter.
• Use attribute scope query (ASQ): When turned on, this option causes the Select
Object dialog box to populate the list view with objects that are listed in a certain
attribute of the Find in object (target attribute). The LDAP display name of the target
attribute must be supplied in the Attribute to search by using ASQ field.
The target attribute must be an attribute that stores distinguished names, such as
“member” or “managedBy”. The search is performed against the objects that are
identified by the distinguished names found in the target attribute. For example, if
the Find in object is a group and “member” is specified as the target attribute,
then the search will be performed against all objects that are members of the group
and the list view will be populated with the members of the group that match the
search filter.
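
To make the interaction of Find in, Scope of query and ASQ concrete, the Python below is an added example that models them over a small constructed directory; it is not Active Roles code. A Python predicate stands in for the LDAP search filter, and the model accepts ASQ only with a base search, as the Base search description above states.

```python
# Added example: model of the Select Object query options.
# DIRECTORY is constructed sample data, not taken from any real domain.

DIRECTORY = {
    "OU=Staff,DC=example,DC=test": {"objectClass": "organizationalUnit"},
    "CN=Alice,OU=Staff,DC=example,DC=test": {"objectClass": "user"},
    "OU=Contractors,OU=Staff,DC=example,DC=test":
        {"objectClass": "organizationalUnit"},
    "CN=Bob,OU=Contractors,OU=Staff,DC=example,DC=test":
        {"objectClass": "user"},
    "CN=Printer01,OU=Devices,DC=example,DC=test": {"objectClass": "computer"},
    "CN=Helpdesk,OU=Groups,DC=example,DC=test": {
        "objectClass": "group",
        "member": ["CN=Alice,OU=Staff,DC=example,DC=test",
                   "CN=Printer01,OU=Devices,DC=example,DC=test"],
    },
}


def split_dn(dn):
    """Split a DN into lower-cased components, honouring '\\,' escapes."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip().lower())
    return parts


def in_scope(find_in, candidate, scope):
    """True if candidate falls inside the given scope of the Find in object."""
    base, cand = split_dn(find_in), split_dn(candidate)
    below = len(cand) > len(base) and cand[-len(base):] == base
    if scope == "base":
        return cand == base
    if scope == "onelevel":
        return below and len(cand) == len(base) + 1
    if scope == "subtree":
        return cand == base or below
    raise ValueError(f"unknown scope: {scope}")


def populate_list_view(directory, find_in, scope, matches, asq_attribute=None):
    """Return the DNs the list view would show.
    matches is a predicate standing in for the LDAP search filter."""
    if asq_attribute is not None:
        if scope != "base":
            raise ValueError("ASQ is modelled as a base search")
        # ASQ: search the objects named in the target attribute of Find in.
        listed = directory[find_in].get(asq_attribute, [])
        candidates = [dn for dn in listed if dn in directory]
    else:
        candidates = [dn for dn in directory if in_scope(find_in, dn, scope)]
    return [dn for dn in candidates if matches(directory[dn])]


def is_user(attrs):
    return attrs.get("objectClass") == "user"


if __name__ == "__main__":
    staff = "OU=Staff,DC=example,DC=test"
    for scope in ("base", "onelevel", "subtree"):
        print(scope, populate_list_view(DIRECTORY, staff, scope, is_user))
    print("asq", populate_list_view(
        DIRECTORY, "CN=Helpdesk,OU=Groups,DC=example,DC=test",
        "base", is_user, asq_attribute="member"))
```
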

Configuring Web Interface commands


"Commands" in a Web Interface menu perform a specific task, such as displaying property
pages for a directory object, searching for objects that meet certain conditions or assigning
a certain value to a certain attribute of a directory object. You can select a command, and
customize its action or associated pages.

To select a Web Interface command for customization

1. On the Web Interface home page, click Customization, then click
Customization Tasks.
Alternatively, on the Navigation bar, expand Customization, then click
Directory Objects.
2. In the list of menus on the List Existing Menus page, click the name of the menu
that includes the command you want to select.
3. In the list of commands, click the name of the command.

Viewing or modifying the properties of a Web Interface command
Active Roles administrators can modify the properties of Web Interface commands. The
properties of a command depend on the command type (Form Task, Page View Task,
Search Task, or Set Attribute Task).
All commands have common properties, such as the name and description of the
command. In addition, each command has a number of properties determined by the
command type. As such:
• The Page View Task-specific properties identify the page to display.
• The Search Task-specific properties determine search criteria and configuration of
the list of search results.
• The Set Attribute Task-specific properties specify the attributes to set and the value
to assign to a specific command.

For more information on these command types, see Properties of a Web Interface
command.

To view or modify the properties of a Web Interface command

1. On the Web Interface home page, click Customization, then click
Customization Tasks.
2. In the list of menus on the List Existing Menus page, click the name of the menu
that includes the desired command.
3. In the list of commands found on the menu, click the name of the desired command.
4. Modify the properties of the command, if needed, and click Save.
5. Click Reload to publish your changes.

Creating or selecting a Web Interface form for a command
Form Task commands are always associated with a form, and are used to open that form.
When configuring a Form Task command, you can either create a new form for it, or
associate an existing form.

To create a new Web Interface form and associate it with a command

1. On the Web Interface home page, click Customization, then click
Customization Tasks.
2. Select a command of the Form Task type.
3. In the right pane, click Link with New Form.
4. Select the type of the form to create:
    • Edit Properties: Creates a form used to view or modify object properties.
    • New Object: Creates a form used to create new objects.
    • Rename: Creates a form used to rename objects.
5. Click Next.
6. Specify the general properties of the form, such as the name and description.
7. If you have selected New Object as the type of the form, select the type of objects
you want to create by using the form.
8. Click Finish.
9. Click Reload to publish your changes.

You can also associate a command with a form that already exists in the configuration of
the Web Interface site.

To associate a command with an existing Web Interface form

1. On the Web Interface home page, click Customization, then click
Customization Tasks.
2. Select a command of the Form Task type.
3. In the right pane, click Link with Existing Form.
4. In the list of existing forms, click the form you want to link with the command.
NOTE: The list of existing forms includes only the forms that are applicable to the
object type the command is intended for. For example, when you select a
command from the menu for the User object type, the list only includes the forms
that are applicable to User objects.
TIP: Consider the following when assigning a form to a command:
    • Instead of linking a different form to a command, you can modify the form
    that is already associated with the command.
    • If necessary, you can configure a command so as to have no form associated
    with it: in the list on the Link with Existing Form page, click <no
    assigned form>, then click Save.
5. To publish your changes, click Save, then Reload.

Properties of a Web Interface command


Every command has a number of properties that determine behavior of the command. The
command properties vary depending upon the command type:
• Form Task: This command type is intended to display forms. When you click a
command of this type, the Web Interface opens the form that is associated with that
command. Then, depending on the type of the form, you can view or change the data
shown on the form for an existing object or enter data on the form for creating a new
object. The identifier of the form is part of the command properties (see Form Task
properties).
• Search Task: This command type is intended to search for objects in the directory
and display search results. When you click a command of this type, the Web Interface
performs a search based on the conditions specified in the command’s properties
(see Search Task properties), and displays a list of search results. Then, you can click
an object in the list to open the pages for managing that object.
• Page View Task: Commands of this type are intended to display custom pages.
When you click a Page View Task command, the Web Interface opens the page
identified by the address (URL) that is part of the command properties (see Page
View Task properties). For instructions on how to create custom pages, see Active
Roles SDK documentation.
• Set Attribute Task: A command of this type is intended to assign a certain value to
a certain attribute of a directory object. The properties of the command specify the
attribute and the value to assign to that attribute (see Set Attribute Task properties).
The command can be configured to display a confirmation message prior to changing
the attribute.

All commands have common properties, such as the name and description. In addition,
each command has a number of properties determined by the command type.

Common Web Interface command properties


A command of any type has the following properties:
• Name: The text that labels the command on the menu. This text is what Web
Interface users view in the Command pane.
• Description: Any text to help identify the command in a list of commands. An
administrator can view this text in addition to the command name when selecting a
command to add, remove, or modify.
• ToolTip: The text that is displayed when the mouse pointer is positioned over the
command in the Command pane.
• Command Type: The type of the command is specified when the command is
created, and cannot be changed.

Form Task properties


A command of the Form Task type has the Form name property in addition to the common
properties. This property identifies the form that the command is intended to open. When a
Form Task command is initially created, it is not associated with any form, so the Form
name property is not set. When you associate the command with a certain form, the Form
name property is set to the name of the form.

Search Task properties
A command of the Search Task type has a number of properties in addition to the common
properties. You can specify search conditions (LDAP search filter), define where to search
for directory objects (scope of the search), and choose the object properties to be displayed
in the list of search results.

Base DN

The Base DN property specifies the distinguished name of the container where the search
begins. The search is performed only on this container and objects that exist below it in
the directory tree. This property can be set to one of the following:
• Currently selected object: When the user clicks the command on the menu for a
given object, the Web Interface uses the distinguished name of that object as the
Base DN property. For example, suppose the command is on the menu for the
organizational unit object type. When the user selects an organizational unit and
clicks the command, the Web Interface searches the selected organizational unit.
• This DN: The command causes the Web Interface to search the object that has the
specified distinguished name, regardless of what object is actually selected. For
example, suppose the command is on the menu for the user object type, and the
Base DN property is explicitly set to the distinguished name of a certain
organizational unit. In this case, when a user account is selected in the Web
Interface, the command appears on the menu and clicking the command begins the
search in that organizational unit.

Search filters

The Search filters property specifies a search filter string in LDAP format. This part of the
LDAP search syntax makes it possible to search for specific objects based on object
attributes. Set up a filter string in accordance with LDAP syntax rules. The default filter
string is “(objectClass=*)”, which retrieves all objects. Another example is
“(objectClass=user)”, which causes the search to retrieve only user accounts.
NOTE: When configuring a filter string, follow these guidelines:
• The string must be enclosed in parentheses.
• Expressions can use the relational operators <, <=, =, >=, and >. An example is
“(objectClass=user)” or “(givenName=Adam)”.
• Compound expressions are formed with the prefix operators & and |. An example is
“(&(objectClass=user)(givenName=Adam))”.

For more information about the filter string format, see the Search filter syntax in the
Windows App Development documentation.
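
The guidelines above can be checked mechanically before a filter string is saved in the Search filters property. The following Python sketch is an added example, not code from Active Roles or One Identity: the function names are hypothetical, and the accepted operator set (=, <=, >=, < and >), the ! operator and the RFC 4515 escaping of literal values are assumptions of the example that go beyond the guidelines listed here.

```python
import re

# Assumption of this sketch: an item is attribute, operator, value, with the
# operators =, <=, >=, < and >. Raw parentheses are not allowed inside a value.
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9;.-]*)(<=|>=|=|<|>)([^()]*)")
# RFC 4515 escapes for characters that would otherwise change the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


class FilterSyntaxError(ValueError):
    """Raised with the character offset at which the filter stops being valid."""


def escape_value(value):
    """Escape a literal value so it can be placed after the operator."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _parse_group(text, pos):
    """Parse one parenthesized filter starting at pos; return (node, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|":
        # Prefix operator followed by one or more parenthesized sub-filters.
        op = text[pos]
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_group(text, pos)
            children.append(child)
        if not children:
            raise FilterSyntaxError(f"'{op}' needs a sub-filter at offset {pos}")
        node = (op, children)
    elif pos < len(text) and text[pos] == "!":
        child, pos = _parse_group(text, pos + 1)
        node = ("!", [child])
    else:
        match = _ITEM.match(text, pos)
        if not match:
            raise FilterSyntaxError(
                f"expected attribute, operator and value at offset {pos}")
        node = (match.group(2), match.group(1), match.group(3))
        pos = match.end()
    if pos >= len(text) or text[pos] != ")":
        raise FilterSyntaxError(f"missing ')' at offset {pos}")
    return node, pos + 1


def parse_filter(text):
    """Parse a whole filter string into a nested tuple tree."""
    text = text.strip()
    node, pos = _parse_group(text, 0)
    if pos != len(text):
        raise FilterSyntaxError(f"unexpected text at offset {pos}: {text[pos:]!r}")
    return node


def attributes_used(node):
    """List the attribute names a parsed filter refers to, for review."""
    if node[0] in ("&", "|", "!"):
        return sorted({a for child in node[1] for a in attributes_used(child)})
    return [node[1]]


def check_filter(text):
    """Return (True, tree) for a valid filter, or (False, reason) otherwise."""
    try:
        return True, parse_filter(text)
    except FilterSyntaxError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed candidate strings, including common mistakes.
    candidates = [
        "(objectClass=*)",
        "(&(objectClass=user)(givenName=Adam))",
        "objectClass=user",                        # not enclosed in parentheses
        "((objectClass=user)&(givenName=Adam))",   # infix instead of prefix operator
        "(&(objectClass=user)(givenName=Adam)",    # unbalanced parentheses
        "(description=" + escape_value("Sales (EMEA)") + ")",
    ]
    for candidate in candidates:
        print(candidate, "->", check_filter(candidate))
```
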

Displayed attributes

The Displayed attributes property specifies a list of the attributes to retrieve during the
search. These are the attributes that will be displayed in the list of search results. Each
attribute is identified by its LDAP display name. Type the names of the attributes you want
to retrieve, or select attributes from a list. Separate attribute names by commas.
The default setting for this property is “name,objectClass,description”, which displays a
three-column list of search results. For every object returned by the search, the Web
Interface lists the name, type, and description of the object.

Search scope

The Search scope property specifies the depth of the search. The options for this
property are:
• Base: This option limits the search to the object specified by the Base DN property
(base object). The search returns either one object or no objects, depending upon
the search filter.
• One-level: This option restricts the search to the immediate children of the base
object, but excludes the base object itself. The search returns the immediate child
objects that match the search filter.
• Subtree: With this option, the search filter is applied to the base object as well as to
all objects that exist below it in the directory tree. The search returns all child
objects that match the search filter. If the base object matches the filter, the base
object is also included in the search results.
• Attribute scope query by this attribute: With this option, the command searches
in a certain attribute of the base object (target attribute). The target attribute is
identified by the LDAP display name specified as part of this option, and must be an
attribute that stores distinguished names, such as the “member” or “managedBy”
attribute. The search is performed against the objects that are identified by the
distinguished names found in the target attribute. For example, if the base object is a
group and the “member” attribute is specified as the target, then the search will be
performed against all objects that are members of the group, and will return the
members of the group that match the search filter.
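
How the four Search scope options change the result set for the same base object and filter, modelled over a small constructed directory. This Python sketch is an added illustration, not Active Roles code: the DNs, the scope keywords ("base", "one-level", "subtree", "asq") and the function names are assumptions of the example, and the filter is a plain Python predicate rather than an LDAP filter string.

```python
# Constructed sample directory: DN -> attributes. Not taken from a real domain.
SALES = "OU=Sales,DC=example,DC=com"
EMEA = "OU=EMEA,OU=Sales,DC=example,DC=com"
ADAM = "CN=Adam Smith,OU=Sales,DC=example,DC=com"
EVE = "CN=Eve Jones,OU=EMEA,OU=Sales,DC=example,DC=com"
PC01 = "CN=PC01,OU=EMEA,OU=Sales,DC=example,DC=com"
TEAM = "CN=Sales Team,OU=Sales,DC=example,DC=com"

DIRECTORY = {
    SALES: {"objectClass": "organizationalUnit"},
    ADAM: {"objectClass": "user"},
    TEAM: {"objectClass": "group", "member": [ADAM, EVE, PC01], "managedBy": ADAM},
    EMEA: {"objectClass": "organizationalUnit"},
    EVE: {"objectClass": "user"},
    PC01: {"objectClass": "computer"},
}


def parent_dn(dn):
    """Parent container of a DN. Assumes no escaped commas in the sample DNs."""
    return dn.split(",", 1)[1] if "," in dn else ""


def is_below(dn, base_dn):
    """True if dn is anywhere below base_dn in the tree (not base_dn itself)."""
    return dn.lower().endswith("," + base_dn.lower())


def search(directory, base_dn, scope, matches, attribute=None):
    """Return the DNs selected by the scope that also satisfy the filter."""
    if base_dn not in directory:
        raise KeyError(f"base object not found: {base_dn}")
    if scope == "base":
        # Only the base object itself: one result or none.
        candidates = [base_dn]
    elif scope == "one-level":
        # Immediate children only; the base object is excluded.
        candidates = [dn for dn in directory
                      if parent_dn(dn).lower() == base_dn.lower()]
    elif scope == "subtree":
        # The base object plus everything below it.
        candidates = [base_dn] + [dn for dn in directory if is_below(dn, base_dn)]
    elif scope == "asq":
        # Attribute scope query: follow the DNs stored in the target attribute.
        if not attribute:
            raise ValueError("attribute scope query needs a target attribute")
        values = directory[base_dn].get(attribute, [])
        candidates = [values] if isinstance(values, str) else list(values)
    else:
        raise ValueError(f"unknown scope: {scope}")
    # DNs that point outside the sample directory are skipped.
    return [dn for dn in candidates if dn in directory and matches(directory[dn])]


def is_user(entry):
    return entry["objectClass"] == "user"


def is_ou(entry):
    return entry["objectClass"] == "organizationalUnit"


def compare_scopes(directory, base_dn, matches):
    """Run the same base object and filter under the three tree scopes."""
    return {scope: search(directory, base_dn, scope, matches)
            for scope in ("base", "one-level", "subtree")}


if __name__ == "__main__":
    print(compare_scopes(DIRECTORY, SALES, is_user))
    print(compare_scopes(DIRECTORY, SALES, is_ou))
    print(search(DIRECTORY, TEAM, "asq", is_user, attribute="member"))
```
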

Sort by

The Sort by property specifies the attribute based on which the list of search results should
be sorted, to group similar attribute values together in an easy-to-read list. Type the LDAP
display name of any attribute that is listed in the Displayed attributes property.

Page View Task properties


A command of the Page View Task type has the URL property in addition to the common
properties. This property identifies the address of the resource, such as a Web page, that
the command is intended to open. When the user clicks the command, the Web Interface
navigates to the address specified by the URL property.
For more information and instructions on how to implement and use commands of this
type, see Developing Custom Web Pages in the Active Roles SDK documentation.

Set Attribute Task properties
A command of the Set Attribute Task type has the following properties in addition to the
common properties:
• Attribute to set: The LDAP Display Name of a certain attribute. The command
assigns a value to that attribute. You can select the desired attribute from a list.
• Value to assign: The command assigns this value to the attribute, or clears the
attribute if no value is specified. For a Boolean attribute, the value can be either
True or False.
• Enable confirmation message: When this option is selected, clicking the
command displays a certain message to obtain the user's consent.
• Confirmation message: Specifies the message to display when the user clicks the
command. The user has the option to confirm or cancel the command.

Command visibility options


A command on an object in the Web Interface, such as Delete or Rename, can be
either visible or hidden. If a command is visible, the user can click the command and
have the Web Interface process the command accordingly. If a command is hidden, it is
effectively disabled.
Normally, the Web Interface displays or hides a command depending on whether or not the
user has sufficient rights to perform the respective operation on the object that the user
has selected (for example, delete or rename the object). However, certain scenarios may
require that a particular command be hidden or displayed depending on the properties of
the selected object. Another requirement could be to hide or display a command depending
on whether or not the user is authorized to make certain changes to the selected object.
To address these requirements, the Web Interface provides a number of options that
control the visibility of a command to the user. The visibility options on a command take the
form of conditions that are evaluated when a particular user selects a particular object in
the Web Interface. Assuming the command is applicable to the type of the selected object,
the command is displayed if each of the conditions evaluates to True.
By setting up the appropriate conditions on a command, the administrator can control the
visibility of the command in the following ways:
• Show the command if the properties of the selected object meet certain requirements
(for example, the description of the object is set to the text string specified);
otherwise, hide the command. The conditions that control the command visibility in
this way are referred to as property-related conditions.
• Show the command if the user is authorized to modify certain properties of the
selected object (for example, the user is authorized to change the description of the
object); otherwise, hide the command. The conditions that control the command
visibility in this way are referred to as access-related conditions.

It is possible to set up only property-related conditions, only access-related conditions, or
both. The command is displayed if all the specified conditions evaluate to True. If at least
one of the specified conditions is not met, the command is hidden.

To configure visibility options on a Web Interface command

1. In the Active Roles Web Interface, click Customization.
2. In the Customization section of the Web Interface, select the command that you
want to configure.
3. Click the Visibility tab on the page for managing the properties of the command.
4. Select the option to set up visibility conditions.
5. To set up property-related conditions, click Configure.
6. Add or remove a visibility condition as follows:
• To add a condition, select a property, type in a value, and click Add
Requirement.
• To remove a condition, select it from the list and click Remove.
When finished, click OK.
When you select a property and supply a value, either a new condition is added to the
list or the supplied value is added to the existing condition that is based on the
selected property. The latter occurs if the property is already in the list of the
property-related conditions. This allows you to configure a condition that evaluates to
True if the property has any one of the values specified. If only one value is supplied
for a particular condition, then the condition evaluates to True if the property has
exactly the value specified.
7. To add or remove access-related conditions, do the following:
• If you want to add a condition, click Add, select a certain property, and
click OK.
• If you want to remove a condition, select it from the list and click Remove.
When you select a property and click OK, a new condition is added that evaluates to
True if the user has sufficient rights in Active Roles to make changes to that property
of the object selected by the user in the Web Interface.
8. Click Save. Then, click Reload to publish your changes.

Web Interface customization examples


This section provides the following example Web Interface customization scenarios:
• Deleting a command from a Web Interface menu
• Adding an entry to a Web Interface form

Deleting a command from a Web Interface menu

By default, the Container menu includes the New Shared Folder command. This
example procedure shows how to remove the New Shared Folder command from the
Container menu.

To delete the New Shared Folder command from the Container menu

1. Open your web browser and connect to the Web Interface Administration Site.
2. On the Navigation bar, expand Customization, then click Directory Objects.
3. In the Menu for column, click Container.
4. In the list of commands, select the check box next to the New Shared
Folder command.
5. On the toolbar, click Delete. Then, click OK to confirm the deletion.
6. Click Reload to publish your changes.

Adding an entry to a Web Interface form


You can add new or existing entries to a Web Interface form with the Form Editor, available
in the Customization menu.

To create a new entry and add it to a form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Click the tab to which you want to add the entry.
3. On the toolbar in the Form Editor, point to Add Entry and click Create.
4. In the Property list, click the attribute for which to add the entry, then click Next.
5. Specify a name for the new entry, then click Finish.
6. Click Reload to publish your changes.

NOTE: The name of an entry is the text that labels the control or group of controls on the
respective Web Interface page. For example, if an entry appears as a check box on the
page, the name of the entry is displayed next to the check box. If an entry appears as an
edit box, the name of the entry is directly above the edit box.
A form can hold only one entry per attribute.

To add existing entries to a form

1. Open the form in the Form Editor. To do so, navigate to the Web Interface page that
you want to configure, then click Customize.
2. Click the tab to which you want to add the entry.
3. On the toolbar in the Form Editor, point to Add Entry and click Select.
4. In the list of entries, select check boxes next to the names of the entries to add.
5. Click Finish. Then, click Reload to publish your changes.
You may need to scroll down the list of entries in order to access the Finish button.

The list for selecting an entry contains the following information about each entry:
• Entry name: The name of the entry.
• Managed property: The attribute or attributes that are managed by using this
entry. The attributes are identified by LDAP display name.
• Forms that use this entry: The entry is added to each of the listed forms. The
forms are identified by name. Clicking the name of a form opens the form in the
Form Editor.
• Entry type: This can be one of the following:
  • Auto: An entry that was created by using the Form Editor.
  • Custom: A predefined entry that came with the Web Interface, or an entry that
  was created by using tools other than the Form Editor (for example, by
  implementing and deploying custom code).
  • Naming: An entry for managing a naming attribute, such as the name attribute.
  Setting a naming attribute requires some additional steps, which are not
  necessary with other attributes. The entries of this type are normally
  predefined and installed with the Web Interface.

When selecting an existing entry, consider the type of the entry. Entries of different types
can have the same name and the same managed property. Since the behavior of an
entry depends upon the type of the entry, selecting an entry of an inappropriate type can
cause incorrect results. Thus, selecting an Auto entry instead of a Custom entry will
normally result in the loss of the features that the Custom entry provides in addition to,
or instead of, the default features of the Auto entry. For more information, see Type of
Web Interface entries.

Web Interface global settings


Customization of the Web Interface includes the global settings that control the display of
the Web Interface pages for all users. There are several areas of the Web Interface site
where global settings are used by default. Some of these settings can be overridden by
Web Interface users, whereas the others can only be viewed or changed by administrators.
The following settings are applied for all Web Interface users and can only be changed by
Active Roles administrators:

• Logo image: Use this option to replace the default logo image with a custom logo
image on the Web Interface pages (see Customizing the Web Interface logo image).
• Web Interface site icon: Use this option to change the site icon, also known as
favicon, that identifies the Web Interface site in the Web browser’s address bar (see
Customizing the Web Interface site icon).
• Logged-on user name format: View or change the property used for the
presentation of the Web Interface user (see Customizing the user name to show on
the Web Interface).
• Hide path to object: Select this check box to prevent the path to the current
container from being displayed on the Web Interface pages.
This option may be helpful in environments where Managed Units rather than
Organizational Units are used to delegate administrative tasks.
• Color scheme: Use the options in this area to customize the appearance of the Web
Interface pages by configuring a custom color scheme. You can choose from the
following options:
  • Default: Applies the color scheme that is included with the Web Interface out
  of the box.
  • Custom: Allows you to select the base color for your custom color scheme and
  specify the amount of color you want on the Web Interface pages.

If the administrator changes any of the above settings, the new settings affect any user
who connects to the Web Interface site after the changes are applied.
The following settings are applied for all Web Interface users by default, and can be
overridden on a per-user basis (a Web Interface user can choose different settings without
affecting the other users):
• User interface language: Specifies the language of the Web Interface. This
setting affects all menus, commands, and forms of the Web Interface, as well as
tooltips and help text.
NOTE: By default, the Web Interface contains only English localization. Installing
the Active Roles Language Pack adds support for the following languages:
  • Chinese (Simplified and Traditional)
  • French
  • German
  • Portuguese (Brazilian and European)
  • Spanish
For more information, see Active Roles Language Pack in the Active Roles
Administration Guide.
• Maximum number of objects to display in search results: Specifies the
maximum number of objects to display in single-page lists, such as lists of search
results or lists that show contents of containers. The supported value range is
1–20000, and the default value is 1000.
TIP: Use this setting carefully, as displaying a large number of objects may
negatively impact browser performance. Instead of displaying all objects, One
Identity recommends using the available search and filtering options to find the
objects you need.
• Number of items to display per page in paged lists: Specifies the maximum
number of list items displayed on a single page in multi-page lists. This setting affects
only lists (such as approval task lists) that are divided into pages. The supported
value range is 1–10000, and the default value is 20.
TIP: Use this setting carefully, as specifying a small value may result in many pages
to list through, while specifying a large value can negatively impact browser
performance.
• Number of page links to display for paged lists: Specifies the maximum
number of page number links displayed for multi-page lists. This setting affects only
lists (such as approval task lists) that are divided into pages. The supported value
range is 1–1000, and the default value is 5.
• Time (in minutes) for which the notification is visible: Specifies the number of
minutes for which Web Interface notifications will be visible on the user interface. The
supported value range is 0–43200, and the default value is 0. Keeping the default
value of 0 results in notifications never disappearing.
• Maximum number of notifications to be stored in Active Roles: Specifies the
maximum number of notifications to be stored in the Active Roles database. The
supported value range is 5–1000, and the default value is 1000.
• Enable user feedback link: Select to make the Feedback button available on the
upper right corner. Clicking Feedback allows Web Interface users to provide
product feedback.
• Enable Starling promotion: Select to enable Starling-related notifications.
TIP: If your Active Roles deployment is connected to One Identity Starling, One
Identity recommends enabling Starling promotion.
• Enable Quick Search in AD LDS: Select to enable quick search for AD LDS objects.
This setting is enabled by default: disabling it will result in AD LDS objects not
appearing in quick search results.
• Enable Quick Search in Azure: Select to enable quick search for Azure objects.
This setting is enabled by default: disabling it will result in Azure objects not
appearing in quick search results.

If the administrator changes any of the above settings, the new settings normally affect the
users who connect to the Web Interface site for the first time. The changes to the global
settings of this category do not affect the Web Interface users whose user profiles already
contain user-specific, personal settings of the same category. For example, if a user has
already selected the preferred language, changing the user interface language in Global
Settings has no effect on that user.

To view or modify the global Web Interface settings

1. Log in as an Active Roles Admin to a machine, then connect to the Web Interface site
you want to customize.
2. On the Navigation bar (on the left side of the Web Interface page), click
Customization.
3. On the Customization page, click Global Settings.
4. Use the Global Settings page to view or modify the settings.
5. When finished, click Save.
6. Click Reload for your changes to take effect for all users of the Web Interface site
you are customizing.

Customizing the Web Interface logo image


The Web Interface allows the administrator to customize the branding for the Web
Interface sites by changing parts of the logo image that appears at the top of the Web
Interface screen. The default parts of the logo image can be replaced by custom images,
such as a company logo or a product logo. Separate images are used to identify the
company and the product. The administrator can specify the desired image by selecting an
appropriate graphic file. The supported file formats are JPEG (with .jpg or .jpeg
extensions), GIF and PNG.
It is also possible to customize the hyperlinks on the parts of the logo image. Separate
hyperlinks are available on the company logo and the product logo. Thus, the hyperlink on
the company logo could be configured to navigate to the corporate Web site whereas the
hyperlink on the product logo could open a custom page with instructions on how to use
the product.

To view or modify the logo image settings

1. Open the Web Interface site in your web browser by clicking Customization on the
Navigation bar, then clicking Global Settings.
2. In the Product logo image area, view or change the image that is used to identify
the product:
• To use a different image, click Change and select a graphic file containing the
image you want.
• To revert to the standard image, click Restore Default.
3. In the Hyperlink on the product logo image area, view or change the address
(URL) of the Web page that opens when the user clicks the product logo image:
• To use a different address, type the address in the edit box.
• To remove the hyperlink from the product logo image, clear the edit box.
• To revert to the standard address, click Restore Default.
4. In the Company logo image area, view or change the image that is used to identify
the company:
• To use a different image, click Change and select a graphic file containing the
image you want.
• To revert to the standard image, click Restore Default.
5. In the Hyperlink on the company logo image area, view or change the address
(URL) of the Web page that opens when the user clicks the company logo image:
• To use a different address, type the address in the edit box.
• To remove the hyperlink from the company logo image, clear the edit box.
• To revert to the standard address, click Restore Default.
6. Click Save.
7. Click Reload to publish your changes.

Customizing the Web Interface site icon


The Web Interface has the default site icon, and provides a means to change the site icon.
A site icon, also called shortcut icon or favicon, is a small image that is associated with a
particular Web Interface site. You can change the site icon for each site separately.
When you open a Web Interface site in your Web browser, the site icon appears in the
browser’s address bar. The site icon also appears on the History and Favorites lists, making
it easier to identify the site. In addition, the site icon helps identify and differentiate the site
on the Windows taskbar.
TIP: The site icon must be in ICO format, square sized, and at least 16x16 pixels. One
Identity recommends using ICO files that contain the site icon image in several sizes
(16x16, 32x32, and 64x64), so that Windows can use a proper resolution icon for every
possible user interface scenario, including the browser address bar, the taskbar and for
larger icon image settings in Windows.

To change the Web Interface site icon

1. Open the Web Interface site in your web browser by clicking Customization on the
Navigation bar, then clicking Global Settings.
2. In the Web Interface site icon area, click Change and supply the ICO file
containing the desired icon.
3. Click Save, and then click Reload for the changes to take effect.

You can revert to the default icon by clicking Restore Default in the Web Interface site
icon area. To apply your changes, click Save, then click Reload.

Customizing the user name to show on the Web Interface

By default, Active Roles Web Interface displays the name of the logged-in user in the area
above the Navigation bar, retrieving that name from the Display Name property of the user
account in Active Directory. If the Display Name property of the user is empty, the Web
Interface retrieves the value of the user's Name property.
However, this behavior may not be acceptable for every situation. For example, if a user
has two accounts (a regular account and an admin account providing elevated privileges)
with the same Display Name property, the user may be unable to specify which account was
used for login. To cover such cases, the Web Interface supports showing properties other
than the Display Name for the logged in user.

To select a user property to show for the logged in user on the Web Interface

1. Open the Web Interface site in your web browser. To do so, click Customization on
the Navigation bar, then click Global Settings.
2. Under Logged-on user name format, click the Change button, and then select
the user property you want.
3. Click Save, and then click Reload for the changes to take effect.

TIP: To identify which property is currently used for the presentation of the Web Interface
user, point to the user name under Logged-on user name format and review the
tooltip that appears. Thus, under default conditions, the tooltip reads as follows:

The 'Display Name' property is used as the name of the logged-on user in the
Web Interface. Click 'Change' to use a different property.

Customizing the Web Interface Navigation bar

The left area on Web Interface pages, referred to as the Navigation bar, provides menu
items for navigating between Web Interface sections. By default, it includes a number of
top-level menu items. Expanding a top-level item on the Navigation bar may display
subordinate items. In this section, the collection of the items that are subordinate to a
given item is referred to as the menu group associated with that item.
You can add, modify, re-arrange, and remove menu items on menu groups and on the
Navigation bar. A point-and-click interface helps you manage the menu items and their
subordinate items, providing flexible options to customize the Navigation bar.
The changes you make to the Navigation bar affect every user of the Web Interface site.
For example, when you remove a menu item, the item is not displayed to any user of the
Web Interface site.

To customize the Navigation bar of the Web Interface

1. On the Home page of the Web Interface site, click Customization.
2. Click Customization Tasks; then, click Customize Navigation Bar in the
right pane.
3. In the hierarchical view of menu items, click to select the item you want to change,
and then use command buttons to make changes.

The following table provides an overview of changes you can make.

Table 2: Navigation bar customization tasks

| Goal | Procedure |
|---|---|
| Add an item to the Navigation bar. | Click the Menu Bar entry, then click Add. Type a name for the new item and the URL of the page you want the new item to open. Then, click OK. |
| Add an item to a menu group. | Click the item that the menu group is associated with, and then click Add. Type a name for the entry, and the URL of the page you want the new item to open or the name of the script function (command) you want the item to execute. Then, click Add. |
| Change the position of an item on the Navigation bar or within a menu group. | Select the item and click the Up or Down arrow button. |
| Change the name of an item. | Select the item and click Properties. Then, type the name you want, and click OK. |
| Move an item to the Navigation bar. | Select the item and click Move. Then, click the Menu Bar entry. Adjust the position of the item as needed by clicking arrow buttons and then click OK. (This also moves the entire menu group, if any, associated with the item being moved.) |
| Move an item to a menu group. | Select the item and click Move. Then, click the item that the destination menu group is associated with. Adjust the position of the item as needed by clicking arrow buttons and then click OK. (This also moves the entire menu group, if any, associated with the item being moved.) |
| Hide an item so that it does not appear on the Navigation bar. | Select the item and click Hide. (To display an item that is hidden, select the hidden item and click Unhide.) |

Customizing the Web Interface Home page

The Home page of the Web Interface site includes a number of items that serve as entry
points to individual sections of the Web Interface. Each item occupies a clickable area on
the Home page, and includes the caption (name of the item), text describing the item and a
picture providing a graphical illustration of the item. Clicking an item displays a page that is
identified by a certain property of the item (this property is referred to as “URL to open”).
You can add, modify, re-arrange, and remove items on the Home page. A point-and-
click interface helps you manage the items, providing flexible options to customize
the Home page.
The changes you make to the Home page affect every user of the Web Interface site. For
example, when you remove an item from the Home page, the item is not displayed to any
user of the Web Interface site.

To customize the Home page

1. On the Home page of the Web Interface site, click Customization.


2. Click Customization Tasks; then, click Customize Home Page in the right pane.
3. In the list of items, click to select the item you want to change, then use command
buttons to make changes.

The following table provides an overview of changes you can make.

Table 3: Home page customization tasks

Goal: Add an item to the Home page.
Procedure: Click Add. Type a name for the new item and the URL of the page you want the new
item to open. Optionally, type any text to display in the item area, and change the picture for
the item. Then, click OK.

Goal: Change the position of an item on the Home page.
Procedure: Select the item and click the Up or Down arrow button.

Goal: Change the name or description text of an item.
Procedure: Select the item and click Properties. Then, type the name or description text you
want, then click OK.

Goal: Change the picture to be displayed in the item area.
Procedure: Select the item and click Properties. Under the Picture to display label, click
Change. Type the path and name of the picture file, or click Browse to select and open the
picture file. Then, click OK.

Goal: Hide an item so that it does not appear on the Web Interface pages.
Procedure: Select the item and click Hide. (To display an item that is hidden, select the item
and click Unhide.)

By adding a home page item, you can customize the Web Interface to integrate custom
applications together with the Web Interface pages. The Advanced properties section in
the dialog box for managing a home page item provides the Open the URL in a frame
option for this purpose.
With the Open the URL in a frame option, a home page item can be configured to open a
Web application so that the application’s pages are embedded in a standard Web Interface
page. When this option is selected, the page identified by the URL to open property of the
home page item is embedded in a Web Interface page instead of being displayed in place of
the Web Interface page in the Web browser window.
The Advanced properties section also provides the ability to configure a home page item
so that a number of optional parameters are automatically appended to the query string of
the URL when the user clicks the item. This enables the Web Interface to pass certain data
to the Web application associated with the home page item. You can modify parameter
names. The parameter values are generated by the Web Interface when the user clicks the
home page item. The following table summarizes the available parameters.

Table 4: Query string parameters

Parameter Name: Parameter Value

DN: Distinguished Name (DN) of the user account of the Web Interface user. Example:
DN=CN%3dAaron%20Beh%20Santos%2cOU%3dEmployees%2cDC%3dDomain%2cDC%3dCompany%2cDC%3dCom

IdentificationDomain: DNS name of the Active Directory domain that holds the user account of
the Web Interface user. Example: IdentificationDomain=domain.company.com

IdentificationAccount: Pre-Windows 2000 name (sAMAccountName) of the user account of the
Web Interface user. Example: IdentificationAccount=ASantos

LCID: Hex code of the locale identifier specific to the Web Interface language selected by the
Web Interface user. Example: LCID=409

IsDsAdmin: “True” or “False” depending on whether or not the Web Interface user is assigned to
the Active Roles Admin role and thus has administrative rights on Active Roles. Example:
IsDsAdmin=False

CurrentLanguage: Locale name specific to the Web Interface language selected by the Web
Interface user. Example: CurrentLanguage=en-US

PortalHomePage: URL of the Home page of the Web Interface site you are customizing.
Example: PortalHomePage=http://Server/ARServerSelfService

TaskID: The identifier of the Web Interface command used to open the URL.
Example: TaskID=d8371ae8-1215-40ac-b0c4-391c3225a426
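
An added example, not part of the One Identity guide: how an application opened from a home page item might validate the query string parameters listed in the table above before using them. The host apps.example.com, the function names and the simplified patterns are assumptions, and the default parameter names are assumed to be unchanged.

```python
import re
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed request to a hypothetical embedded application (apps.example.com),
# carrying the example values from the table above under the default parameter names.
SAMPLE_URL = (
    "https://apps.example.com/report?"
    "DN=CN%3dAaron%20Beh%20Santos%2cOU%3dEmployees%2cDC%3dDomain%2cDC%3dCompany%2cDC%3dCom"
    "&IdentificationDomain=domain.company.com&IdentificationAccount=ASantos"
    "&LCID=409&IsDsAdmin=False&CurrentLanguage=en-US"
    "&PortalHomePage=http://Server/ARServerSelfService"
    "&TaskID=d8371ae8-1215-40ac-b0c4-391c3225a426"
)


def _match(pattern, convert=str):
    """Build a parser that accepts only values fully matching the pattern."""
    compiled = re.compile(pattern)

    def parse(value):
        if not compiled.fullmatch(value):
            raise ValueError("unexpected format")
        return convert(value)
    return parse


def _portal_url(value):
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an http(s) URL")
    return value


# One parser per documented parameter; the patterns are simplified assumptions.
PARSERS = {
    "DN": _match(r"[^\x00-\x1f]{1,1024}"),
    "IdentificationDomain": _match(r"[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*"),
    "IdentificationAccount": _match(r'[^"/\\\[\]:;|=,+*?<>\x00-\x1f]{1,20}'),
    "LCID": _match(r"[0-9A-Fa-f]{1,8}", lambda v: int(v, 16)),  # hex code, 409 -> 1033
    "IsDsAdmin": _match(r"True|False", lambda v: v == "True"),
    "CurrentLanguage": _match(r"[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*"),
    "PortalHomePage": _portal_url,
    "TaskID": lambda v: str(uuid.UUID(v)),
}


def parse_web_interface_params(url):
    """Return (values, problems) for the documented parameters found in the URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values, problems = {}, []
    for name, parser in PARSERS.items():
        supplied = query.get(name, [])
        if len(supplied) > 1:
            problems.append(f"{name}: supplied {len(supplied)} times")
        elif supplied:
            try:
                values[name] = parser(supplied[0])
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    if values.get("PortalHomePage", "").lower().startswith("http://"):
        problems.append("PortalHomePage: portal is reached over unencrypted HTTP")
    return values, problems


def matches_session(values, session_account, session_domain):
    """Compare the URL's identity hints with the identity the application itself
    authenticated; the query string passes through the browser, so on its own it
    is context for display, not proof of who the user is or of IsDsAdmin."""
    return (values.get("IdentificationAccount", "").lower() == session_account.lower()
            and values.get("IdentificationDomain", "").lower() == session_domain.lower())
```
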

Configuring Web Interface for enhanced security
By default, Web Interface users connect to the Web Interface using an HTTP transport,
which does not encrypt the data transferred from a web browser to the Web Interface. To
use a secure transport for transferring data to the Web Interface, One Identity
recommends using an HTTPS transport.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided
by the web server for data encryption. For instructions on how to enable SSL on your web
server, see How to Set Up SSL on IIS 7 or later in the Microsoft IIS documentation.
Any Web Interface instance is prone to security issues, such as Cross-Site Request Forgery
(CSRF) and Cross-Site Scripting (XSS) attacks. To protect the Web Interface against such
attacks, you can also configure CSRF and XSS protection.
- Cross-Site Request Forgery (CSRF) attacks can force users to run unwanted actions
  on the Active Roles web application in which they are currently authenticated. To
  prevent CSRF requests, configure Active Roles to use anti-forgery protections.
- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts
  are injected into otherwise benign and trusted websites. To protect against such
  attacks, any script that is sent to Active Roles must be validated for malicious content
  before accepting and running the script. To perform the script validation, enable XSS
  protection for Active Roles.

To configure a key-value pair for a Web Interface site in IIS

1. In the operating system, launch Internet Information Services (IIS) Manager.


2. Under the Connections node, navigate to <computer-name> > Sites > Default
Web Site, then select the Web Interface site you want to configure. The default sites
are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
3. In the center pane, double-click Configuration Editor. Then, from the Section
drop-down, select <Settings>.
4. Click the button corresponding to (Count=*), and click Add in the right pane.
5. Enter the following values:
   a. Key: <keyname>
   b. Value: <value>
6. Close the window, then under the Actions menu in the right pane, click Apply.
7. To apply your changes in Active Roles, restart the app pool.

Modifying Cross-Site Request Forgery for Web Interface
To prevent Cross-Site Request Forgery (CSRF) requests, the Active Roles Web Interface
uses anti-forgery protection. This protection is enabled by default: if you must modify it for
any reason (for example, to specify any exceptions), perform the following steps.
NOTE: If CSRF is enabled, then with the exception of the Web Interface Home page:
- You cannot copy the URL of any other Web Interface page and open it in a new
  browser tab or window.
- You cannot open bookmarked URLs.

To modify Cross-Site Request Forgery settings for a Web Interface site

1. In the operating system, launch Internet Information Services (IIS) Manager.


2. Under the Connections node, navigate to <computer-name> > Sites > Default
Web Site, then select the Web Interface site you want to configure. The default sites
are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
3. In the center pane, double-click Configuration Editor. Then, from the Section
drop-down, select web.config > <appSettings>.
4. To modify the existing CSRF settings, add the following entries:

<add key="EnableAntiForgery" value="true"/> <!-- Key to enable or disable anti-forgery. Values: true or false -->
<add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>

5. Close the window, then under the Actions menu in the right pane, click Apply.
6. To apply your changes in Active Roles, restart the app pool.

Disabling or modifying Cross-Site Scripting validation for Web Interface
Cross-Site Scripting (XSS) protection allows Active Roles to determine whether a request
contains potentially dangerous content. This protection is enabled by default in the Active
Roles Web Interface, but you can disable or modify it via the Internet Information Services
(IIS) Manager application of the operating system.
NOTE: One Identity strongly recommends that you:
- Keep XSS protection enabled.
- Modify the default XSS protection settings only if your environment contains
  additional services (such as Skype for Business Server) that require adaptations.

To disable Cross-Site Scripting protection for the Web Interface

1. In the operating system, launch Internet Information Services (IIS) Manager.


2. Under the Connections node, navigate to <computer-name> > Sites > Default
Web Site, then select the Web Interface site you want to configure. The default sites
are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
3. In the center pane, double-click Configuration Editor. Then, from the Section
drop-down, select web.config > <appSettings>.
4. To disable XSS protection, set the value of the following key to "false":

<add key="EnableRequestValidation" value="false"/>

5. In the Section drop-down, select system.web > <pages />, then set the
following key:

validateRequest="false"

6. Close the window, then under the Actions menu in the right pane, click Apply.
7. To apply your changes in Active Roles, restart the app pool.

To modify Cross-Site Scripting settings for the Web Interface

1. In the operating system, launch Internet Information Services (IIS) Manager.


2. Under the Connections node, navigate to <computer-name> > Sites > Default
Web Site, then select the Web Interface site you want to configure. The default sites
are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
3. In the center pane, double-click Configuration Editor. Then, from the Section
drop-down, select web.config > <appSettings>, and find the following key:

<add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>

4. For environments that also use Microsoft Lync Server or Skype for Business Server,
add the following exceptions to the existing value:

dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy
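
An added example, not part of the One Identity guide: a check that reads a Web Interface site's web.config and reports where the CSRF and XSS settings from the procedures above are weaker than the values printed in this guide. Treating those printed values as the baseline is an assumption, and both sample configurations, including the `exportpage` exception, are constructed.

```python
import xml.etree.ElementTree as ET

# Values printed in this guide, treated here as the expected baseline (assumption).
CSRF_IGNORE_BASELINE = {
    "choosecolumns", "savetofile", "customizeform", "default", "2fauth", "formmap",
}
XSS_IGNORE_BASELINE = {
    "hiddenxml", "homepagestruct", "txtconditionsforoperationsinreadableform",
}
# Exceptions the guide lists for Lync Server / Skype for Business environments.
XSS_IGNORE_LYNC = {
    "dialplanpolicytextbox", "voicepolicytextbox",
    "edsva-lync-conferencingpolicy", "edsva-lync-clientversionpolicy",
    "edsva-lync-pinpolicy", "edsva-lync-externalaccesspolicy",
    "edsva-lync-archivingpolicy", "edsva-lync-locationpolicy",
    "edsva-lync-mobilitypolicy", "edsva-lync-persistentchatpolicy",
    "edsva-lync-clientpolicy",
}


def _names(value):
    """Split a comma-separated setting into a set of lower-cased names."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def audit_web_config(xml_text, lync_in_use=False):
    """Return (setting, detail) pairs for CSRF/XSS settings weaker than the baseline."""
    root = ET.fromstring(xml_text)
    settings = {}
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            # Keys are compared case-insensitively so spelling variants are not missed.
            settings[(add.get("key") or "").strip().lower()] = (add.get("value") or "").strip()

    findings = []
    if settings.get("enableantiforgery", "").lower() == "false":
        findings.append(("EnableAntiForgery", "anti-forgery (CSRF) protection is disabled"))
    extra = _names(settings.get("ignorevalidation", "")) - CSRF_IGNORE_BASELINE
    if extra:
        findings.append(("IgnoreValidation",
                         "CSRF exceptions beyond the guide: " + ", ".join(sorted(extra))))

    if settings.get("enablerequestvalidation", "").lower() == "false":
        findings.append(("EnableRequestValidation", "XSS request validation is disabled"))
    for pages in root.iter("pages"):  # also catches <pages> under a <location> element
        if (pages.get("validateRequest") or "").strip().lower() == "false":
            findings.append(("validateRequest", "<pages> switches request validation off"))
    allowed = XSS_IGNORE_BASELINE | (XSS_IGNORE_LYNC if lync_in_use else set())
    extra = _names(settings.get("ignoreforvalidation", "")) - allowed
    if extra:
        findings.append(("IgnoreForValidation",
                         "XSS exceptions not expected here: " + ", ".join(sorted(extra))))
    return findings


# Constructed sample: a site whose protections were loosened ("exportpage" is made up).
WEAKENED = """<configuration>
  <appSettings>
    <add key="EnableAntiForgery" value="False"/>
    <add key="IgnoreValidation"
         value="choosecolumns,savetofile,customizeform,default,2fauth,formmap,exportpage"/>
    <add key="EnableRequestValidation" value="false"/>
    <add key="IgnoreForValidation"
         value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform,voicepolicytextbox"/>
  </appSettings>
  <system.web>
    <pages validateRequest="false"/>
  </system.web>
</configuration>"""

# Constructed sample: only the values shown in the guide, protections left on.
AS_DOCUMENTED = """<configuration>
  <appSettings>
    <add key="EnableAntiForgery" value="true"/>
    <add key="IgnoreValidation"
         value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>
    <add key="IgnoreForValidation"
         value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for setting, detail in audit_web_config(WEAKENED):
        print(f"{setting}: {detail}")
```

Pass lync_in_use=True for sites that legitimately carry the Lync Server or Skype for Business exceptions, so that only entries outside both documented lists are reported.
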


Default Commands

The following sections list the default commands available in the default Web
Interface sites.
- Default commands on the Web Interface Administrator Site
- Default commands on the Web Interface Helpdesk Site

Default commands on the Web Interface Administrator Site
The default configuration of the Web Interface Administration Site includes the commands
listed in the following tables.

Domain menu
The Domain menu of the Web Interface Administration Site includes the following
default commands.

Table 5: Domain Menu

Command: Description

New Organizational Unit: Creates an Organizational Unit.
Properties: Lets you view or modify properties of a domain.
View Contents: Displays a list of objects that reside in a domain.
Change Operational DC: Lets you select a domain controller to use.
Change History: Lists the changes that were made to a domain.
View or Restore Deleted Objects: View or restore objects that were deleted from a domain.

Container or OU menu
The Container or OU menu of the Web Interface Administration Site includes the following
default commands.

Table 6: Container or OU menu

Command: Description

New User: Creates a user account in a container or Organizational Unit.
New Group: Creates a group in a container or Organizational Unit.
New Computer: Creates a computer in a container or Organizational Unit.
New Organizational Unit: Creates an Organizational Unit in an Organizational Unit.
New Shared Folder: Creates a shared folder in an Organizational Unit.
New Contact: Creates a contact in a container or Organizational Unit.
New Printer: Creates a printer (printQueue) object in a container or Organizational Unit.
New Room Mailbox: Creates a user account associated with a room mailbox in a container or Organizational Unit.
New Equipment Mailbox: Creates a user account associated with an equipment mailbox in a container or Organizational Unit.
New Linked Mailbox: Creates a user account associated with a linked mailbox in a container or Organizational Unit.
New Shared Mailbox: Creates a user account associated with a shared mailbox in a container or Organizational Unit.
Restore: Restores a deleted container or Organizational Unit in a domain where Active Directory Recycle Bin is enabled.
Delete: Deletes a container or Organizational Unit.
Move: Moves a container or Organizational Unit to a different location.
Rename: Renames a container or Organizational Unit.
Change History: Lists the changes that were made to a container or Organizational Unit.
Properties: Lets you view or modify properties of a container or Organizational Unit.
View Contents: Displays a list of objects that reside in a container or Organizational Unit.
View or Restore Deleted Objects: View or restore objects that were deleted from a container or organizational unit.

Managed Unit menu
The Managed Unit menu of the Web Interface Administration Site includes the following
default commands.

Table 7: Managed Unit menu

Command: Description

Members: Displays a list of objects that are members of a Managed Unit.
View or Restore Deleted Objects: View or restore deleted objects that were direct members of a given Managed Unit at the time of deletion.

User menu
The User menu of the Web Interface Administration Site includes the following
default commands.

Table 8: User Menu

Command: Description

Deprovisioning Results: On a deprovisioned user account, lets you examine the changes that were made to the account by the deprovisioning policies.
Undo Deprovisioning: On a deprovisioned user account, rolls back the changes that were made to the account by the deprovisioning policies.
Disable Account / Enable Account: Disables a user account, or enables a disabled user account.
Reset Password: Resets the password for a user account.
Delete: Deletes a user account.
Restore: Restores a deleted user account in a domain where Active Directory Recycle Bin is enabled.
Deprovision: Performs all actions on a user account that are prescribed by the deprovisioning policies.
Move: Moves a user account to a different location.
Copy: Copies a user account.
Rename: Renames a user account.
Member Of: Lets you add or remove a user account from groups.
Change History: Lists the changes that were made to a user account.
User Activity: Lists the changes that were made by a user account.
General Properties: Lets you view or modify general properties of a user account.
Managed Resources: Lets you view objects for which a given user is assigned as the manager (primary owner) or a secondary owner.
Exchange Properties: Lets you view or modify Exchange-related properties of a user account.
Terminal Services Properties: Lets you view or modify Terminal Services-related properties of a user account.
Dial-in Properties: Lets you view or modify dial-in properties of a user account.
Name Mappings: Lets you add, edit, or remove certificates and Kerberos names to user accounts. This functionality is similar to ADUC Name Mappings that allows you to add certificates and Kerberos names to users.
Create User Mailbox: Creates a user mailbox associated with an existing user account.
Create Room Mailbox: Creates a room mailbox associated with an existing user account.
Create Equipment Mailbox: Creates an equipment mailbox associated with an existing user account.
Create Linked Mailbox: Creates a linked mailbox associated with an existing user account.
Create Shared Mailbox: Creates a shared mailbox associated with an existing user account.
Move Mailbox: Moves a mailbox.
Delete Mailbox: Deletes a mailbox.
Establish E-mail Address: Establishes an e-mail address for a user account.
Delete E-mail Address: Deletes an e-mail address for a user account.
Remove Exchange Attributes: Removes all Exchange attributes from a user account.

Group menu
The Group menu of the Web Interface Administration Site includes the following
default commands.

Table 9: Group menu

Command: Description

Deprovisioning Results: On a deprovisioned group, lets you examine the changes that were made to the group by the deprovisioning policies.
Undo Deprovisioning: On a deprovisioned group, rolls back the changes that were made to the group by the deprovisioning policies.
Members: Lets you view or modify the list of members of a group.
   To view the total number of members of a group:
   1. In the Web Interface, select the group, and then choose the Members option from the navigation bar. The Members page displays the number of members in the group.
   2. Select Show indirect members and Show pending members check boxes. The Members page displays the number of members including the indirect members and pending members in the group.
Member Of: Lets you add or remove a group from another group or groups.
Controlled Groups: On a group that stores the configuration of a Group Family, this command lets you view the groups controlled by that Group Family.
Restore: Restores a deleted group in a domain where Active Directory Recycle Bin is enabled.
Delete: Deletes a group.
Deprovision: Performs all actions on a group that are prescribed by the deprovisioning policies.
Move: Moves a group to a different location.
Copy: Copies a group.
Rename: Renames a group.
Change History: Lists the changes that were made to a group.
General Properties: Lets you view or modify general properties of a group.
Exchange Properties: Lets you view or modify Exchange-related properties of a group.
Establish E-mail Address: Establishes an e-mail address for a group.
Delete E-mail Address: Deletes an e-mail address for a group.
Hide Membership / Unhide Membership: Hides / displays the members of a group in the Global Address List.
Remove Exchange Attributes: Removes all Exchange attributes from a group.

Computer menu
The Computer menu of the Web Interface Administration Site includes the following
default commands.

Table 10: Computer menu

Command: Description

Enable Account / Disable Account: Disables or enables a computer account.
Reset Account: Resets a computer account.
Restore: Restores a deleted computer account in a domain where Active Directory Recycle Bin is enabled.
Delete: Deletes a computer account.
Move: Moves a computer account to a different location.
Restart: Lets you restart the computer represented by a computer account.
Manage: Lets you manage computer resources, such as printers, services, devices, shares, local users, and local groups.
Member Of: Lets you add or remove a computer account from groups.
Change History: Lists the changes that were made to a computer account.
Properties: Lets you view or modify properties of a computer account.

Default commands on the Web Interface Helpdesk Site
The default configuration of the Web Interface Helpdesk Site includes the commands listed
in the following tables.

Domain menu
The Domain menu of the Web Interface Helpdesk Site contains the following
commands by default.

Table 11: Domain menu

Command: Description

View Contents: Displays a list of objects that reside in a domain.
Change Operational DC: Lets you select a domain controller to use.

Container or OU menu
The Container or OU menu of the Web Interface Helpdesk Site contains the following
commands by default.

Table 12: Container or OU menu

Command: Description

View Contents: Displays a list of objects that reside in a container or Organizational Unit.
Change History: Lists the changes that were made to a container or Organizational Unit.

Managed Unit menu


The Managed Unit menu of the Web Interface Helpdesk Site contains the following
commands by default.

Table 13: Managed Unit menu

Command: Description

Members: Displays a list of objects that are members of a Managed Unit.

User menu
The User menu of the Web Interface Helpdesk Site contains the following
commands by default.

Table 14: User menu

Command: Description

Deprovisioning Results: On a deprovisioned user account, lets you examine the changes that were made to the account by the deprovisioning policies.
Undo Deprovisioning: On a deprovisioned user account, rolls back the changes that were made to the account by the deprovisioning policies.
Disable Account / Enable Account: Disables a user account, or enables a disabled user account.
Reset Password: Resets the password for a user account.
Deprovision: Performs all actions on a user account that are prescribed by the deprovisioning policies.
Member Of: Lets you add or remove a user account from groups.
Change History: Lists the changes that were made to a user account.
General Properties: Lets you view or modify general properties of a user account.
Managed Resources: Lets you view objects for which a given user is assigned as the manager (primary owner) or a secondary owner.

Group menu
The Group menu of the Web Interface Helpdesk Site contains the following
commands by default.

Table 15: Group menu

Command: Description

Deprovisioning Results: On a deprovisioned group, lets you examine the changes that were made to the group by the deprovisioning policies.
Undo Deprovisioning: On a deprovisioned group, rolls back the changes that were made to the group by the deprovisioning policies.
Members: Lets you view or modify the list of members of a group.
Member Of: Lets you add or remove a group from another group or groups.
Deprovision: Performs all actions on a group that are prescribed by the deprovisioning policies.
General Properties: Lets you view or modify general properties of a group.

About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us

For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
- Submit and manage a Service Request
- View Knowledge Base articles
- Sign up for product notifications
- Download software and technical documentation
- View how-to videos at www.YouTube.com/OneIdentity
- Engage in community discussions
- Chat with support engineers online
- View services to assist you with your product

Glossary

C
Cadence icons
One Identity font that contains standard icons used in the user interfaces for
various One Identity products.

Channel Policy
The channel policy lists the SSH channels (for example terminal session, SCP, and
so on) that can be used in a connection. The channel policy can further restrict
access to each channel based on the IP address of the client or the server, a user
list, or a time policy.

D
Drop-down
Flare default style that can be used to group content within a topic. It is a resource
to structure and collapse content especially in non-print outputs.

G
Glossary
List of short definitions of product-specific terms.

N
Note
Circumstance that needs special attention.

S
SaaS
Software-as-a-Service.

Skin
Used to design the online output window.

Snippet
Flare file type that can be used to reuse content. The One Identity Active Roles
contains various default snippets.

SPS
Safeguard for Privileged Sessions

T
Tip
Additional, useful information.
