<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://www.oneidentity.com/community/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Active Roles Community</title><link>https://www.oneidentity.com/community/active-roles/</link><description /><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><item><title>Forum Post: RE: Determining effective permissions</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39810/determining-effective-permissions/92611</link><pubDate>Thu, 07 May 2026 04:55:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:510e4331-f333-47a0-bcd4-81a53e25367c</guid><dc:creator>Shawn.Ferrier</dc:creator><description>Thanks, Jose! That is useful, but ultimately I was hoping that I could access something that would straight-up tell me what privileges I have without having to calculate the cumulative total of what all of the templates contain. The best that I&amp;#39;ve come up with is to use edsaObjectRightsEffective to calculate object-level rights, then rely on allowedAttributesEffective to tell me what attributes are writable by the current user. Not quite as nice as having something that would explicitly tell you &amp;quot;You have effective Read to this list of attributes, and Write to these&amp;quot;, but it seems like the closest I can get. EDIT: Seems that I&amp;#39;m having some site difficulty and it&amp;#39;s not allowing me to submit a code block; hopefully the code below doesn&amp;#39;t get too mangled.
---
$ObjectPath = &amp;quot;EDMS://CN=myObject,OU=SomeOU,DC=domain,DC=com&amp;quot;
$adObject = [adsi]$ObjectPath
$adObject.RefreshCache(@(&amp;quot;distinguishedName&amp;quot;, &amp;quot;edsaObjectRightsEffective&amp;quot;, &amp;quot;allowedAttributesEffective&amp;quot;))

$rightsMap = [ordered]@{
    EDS_RIGHT_DS_CREATE_CHILD = 1
    EDS_RIGHT_DS_DELETE_CHILD = 2
    EDS_RIGHT_ACTRL_DS_LIST = 4
    EDS_RIGHT_DS_SELF = 8
    EDS_RIGHT_DS_READ_PROP = 16
    EDS_RIGHT_DS_WRITE_PROP = 32
    EDS_RIGHT_DS_DELETE_TREE = 64
    EDS_RIGHT_DS_LIST_OBJECT = 128
    EDS_RIGHT_DS_CONTROL_ACCESS = 256
    EDS_RIGHT_EDS_COPY = 512
    EDS_RIGHT_EDS_MOVE = 2048
    EDS_RIGHT_EDS_MOVE_TO = 4096
    EDS_RIGHT_DELETE = 65536
    EDS_RIGHT_READ_CONTROL = 131072
    EDS_RIGHT_WRITE_DAC = 262144
    EDS_RIGHT_WRITE_OWNER = 524288
}

$effectiveRightsValue = [int64]$adObject.Properties[&amp;quot;edsaObjectRightsEffective&amp;quot;].Value
$effectiveRightsNames = foreach ($entry in $rightsMap.GetEnumerator()) {
    if (($effectiveRightsValue -band [int64]$entry.Value) -eq [int64]$entry.Value) {
        $entry.Key
    }
}

(&amp;quot;adObject: &amp;#39;$($adObject.distinguishedName)&amp;#39;.&amp;quot;) | Write-Host
(&amp;quot;edsaObjectRightsEffective value: $effectiveRightsValue.&amp;quot;) | Write-Host
if ($effectiveRightsNames) {
    $effectiveRightsNames | ForEach-Object { (&amp;quot;`t{0}&amp;quot; -f $_) | Write-Host }
} else {
    &amp;quot;`t(none recognized)&amp;quot; | Write-Host
}

# allowedAttributesEffective (AD): attributes the caller may write on this object.
# Infer each listed ldapDisplayName as EDS_RIGHT_DS_WRITE_PROP scoped to that property.
Write-Host &amp;quot;&amp;quot;
Write-Host &amp;quot;allowedAttributesEffective (inferred EDS_RIGHT_DS_WRITE_PROP per attribute):&amp;quot;
try {
    $aaeRaw = $adObject.Properties[&amp;quot;allowedAttributesEffective&amp;quot;].Value
    $aaeList = @(
        if ($null -eq $aaeRaw) {
        } elseif ($aaeRaw -is [System.Collections.IEnumerable] -and -not ($aaeRaw -is [string])) {
            foreach ($item in $aaeRaw) { [string]$item }
        } else {
            [string]$aaeRaw
        }
    ) | Where-Object { $_ -and $_.Length -gt 0 } | Sort-Object -Unique
    if ($aaeList.Count -eq 0) {
        Write-Host &amp;quot;`t(no attributes listed, or attribute unavailable on this binding)&amp;quot;
    } else {
        foreach ($attr in $aaeList) {
            Write-Host (&amp;quot;`tEDS_RIGHT_DS_WRITE_PROP -&amp;gt; &amp;#39;{0}&amp;#39;&amp;quot; -f $attr)
        }
        Write-Host (&amp;quot;`t({0} writable attribute(s))&amp;quot; -f $aaeList.Count)
    }
} catch {
    Write-Host (&amp;quot;`t(error reading allowedAttributesEffective: {0})&amp;quot; -f $_.Exception.Message)
}
$null = $adObject.Dispose()</description></item><item><title>Forum Post: RE: Determining effective permissions</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39810/determining-effective-permissions/92610</link><pubDate>Wed, 06 May 2026 15:24:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:12c4dc88-df55-4304-9b68-a55bf49452d0</guid><dc:creator>Jose.Martinez.Poyato</dc:creator><description>Hi Shawn, The script published in the following thread is very useful: (+) Access Template Link Reporting - Forum - Active Roles Community - One Identity Community You can query a specific delegate, and the output will show the specific ACLs granted to this delegate and the target where the delegate has these permissions applied to: Jose</description></item><item><title>Forum Post: Determining effective permissions</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39810/determining-effective-permissions</link><pubDate>Tue, 05 May 2026 18:06:00
GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:2ce6b914-1357-4a4d-ac94-06d8be8ea726</guid><dc:creator>Shawn.Ferrier</dc:creator><description>This is something that I&amp;#39;ve wondered about here and there over the years, but never really had a good answer to. How is one intended to determine effective permissions for the interactive user at runtime? There is edsaObjectRightsEffective, but that only tells you effective rights at the object-level, not the attribute level. There is edsvaATLinksEffective, which should work, but that means I would have to loop through all of the templates, calculate/expand group membership for each applied item, and accumulate them all into a table to determine effective rights - a very resource-intensive (aka slow) proposition, I&amp;#39;m sure. Active Roles must have already calculated this, but I cannot seem to figure out how to access this. I tried querying nTSecurityDescriptor and edsaActiveDirectoryACEs, but neither of these are accessible to a delegated user. Obviously both the MMC and Web interface have some kind of mechanism for making this determination (how else would the product know that the description attribute should be rendered read-only because the interactive user does not have write privileges to it, for example), but I&amp;#39;m too dumb to figure it out. TL;DR: How do you programmatically determine if the interactive user has privileges to modify the description attribute on a user?
Thanks!</description></item><item><title>Forum Post: Exchange Properties not showing Full Access in 8.2.1</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39802/exchange-properties-not-showing-full-access-in-8-2-1</link><pubDate>Thu, 30 Apr 2026 08:56:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:7705c603-ad23-4b70-a1cd-ce94bd9cf51e</guid><dc:creator>charleneforbes</dc:creator><description>Hi everyone, There was a bug from a previous version of Active Roles from a few years ago where searching for an account and going to Exchange Online Properties didn&amp;#39;t show anyone in Full Access but did in Send As. The Full Access does show if you go to the azure object and then go to advanced email properties, just not if you do a quick search and look at the user. We&amp;#39;ve recently updated to 8.2.1 and I&amp;#39;ve just discovered that bug seems to be back. Has anyone else come across this and is there a way to resolve it? Thanks</description><category domain="https://www.oneidentity.com/community/active-roles/tags/8-2-1">8.2.1</category><category domain="https://www.oneidentity.com/community/active-roles/tags/Active%2bRoles">Active Roles</category><category domain="https://www.oneidentity.com/community/active-roles/tags/Active%2bRoles%2bWeb">Active Roles Web</category><category domain="https://www.oneidentity.com/community/active-roles/tags/Exchange%2bOnline">Exchange Online</category></item><item><title>Forum Post: How to show workflow result notification to user in Web Interface - ARS 8.2.1</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39798/how-to-show-workflow-result-notification-to-user-in-web-interface---ars-8-2-1</link><pubDate>Wed, 29 Apr 2026 08:45:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:c7919e0b-026f-4bfe-976f-d2618ad5018d</guid><dc:creator>Carlitos</dc:creator><description>Hi community, I&amp;#39;m working on Active Roles 8.2.1 and 
need to display a visual notification to the user in the Web Interface after a group membership change workflow completes its execution. The scenario is: when a user adds or removes a member from a group, a workflow triggers and calls the Microsoft Graph API to sync an attribute in Entra ID. I want the user who made the change to immediately see the result — a green banner if the sync was successful, or a red banner with the error message if something failed. What I have tried: I wrote the workflow result to 3 virtual attributes on the group and displayed them in the General Properties form. This works, but has two problems: the user has to navigate to General Properties to see the result, and the message is visible to all users who open the group, not just the one who made the change. I also tried implementing ICustomCommand from ActiveRoles.Web.Interfaces in a .NET Framework 4.8 DLL to render an HTML banner directly on the group form. The DLL compiles without errors and is deployed in the Web Interface bin folder, but it does not appear as an available entry in the Form Editor. The question: Is there any way — whether native, through virtual attributes, Web Interface customization, ICustomCommand DLL, ASPX page modification, or any other mechanism, to display a custom notification or message to the user directly in the Web Interface as a result of a workflow execution? Has anyone achieved something similar in AR 8.2 or previous versions, and how did you solve it? 
Thank you!</description></item><item><title>Forum Post: RE: prompt ticket reference number for when modifying / updating user's properties</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39792/prompt-ticket-reference-number-for-when-modifying-updating-user-s-properties/92581</link><pubDate>Mon, 27 Apr 2026 12:06:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:386ba1ab-bb04-405c-bb3b-6d5c944e71e8</guid><dc:creator>sanjivram</dc:creator><description>Hello Shawn, Thank you for the update. Could you please confirm whether it’s possible to create a policy that enforces the completion of the “Notes” field under “Operation Reason”? If so, I would appreciate your guidance on how to set up such a policy, as I’m not very familiar with ARS. Many thanks for your help.</description></item><item><title>Forum Post: RE: prompt ticket reference number for when modifying / updating user's properties</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39792/prompt-ticket-reference-number-for-when-modifying-updating-user-s-properties/92577</link><pubDate>Fri, 24 Apr 2026 17:15:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:0dc9d5c2-d8b2-4489-9355-c2853dedc793</guid><dc:creator>Shawn.Ferrier</dc:creator><description>Hello, Sanjivram. In this case, I would suggest using an attribute (probably virtual, and not a stored value) to capture the ticket number, then use a policy and workflow to make that attribute mandatory. The policy is useful for some circumstances, where the workflow is better in others, but they can cooperate to ensure that your ticket number attribute is populated whenever certain changes are made. With a small scripted policy, you can then take that ticket number attribute and store it as the &amp;quot;Operation Reason&amp;quot; control.
This is a built-in control value, and is already shown in the Change History reports (you can see this if you look at any Change History record today; it&amp;#39;s typically only populated if/when a change is subject to approval and the initiator provides a reason for their change). Hope that helps! Shawn</description></item><item><title>Forum Post: prompt ticket reference number for when modifying / updating user's properties</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39792/prompt-ticket-reference-number-for-when-modifying-updating-user-s-properties</link><pubDate>Fri, 24 Apr 2026 16:37:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:791fa803-4a2e-42df-ba41-7317d91a6706</guid><dc:creator>sanjivram</dc:creator><description>Hi Team, We are part of the JML (Joiners, Movers, and Leavers) processing team and would like to ensure that any changes made to user attributes are properly tracked. Specifically, we are looking to capture and reference the associated change ticket number for each update, to maintain clear audit and traceability within ARS 8.1. Could you please advise on the best way to record or link change ticket references within ARS 8.1? Any recommended approach or best practice would be greatly appreciated. Kind regards, Sanjivram</description></item><item><title>Forum Post: RE: How to save change log history for many years</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39785/how-to-save-change-log-history-for-many-years/92569</link><pubDate>Thu, 23 Apr 2026 14:49:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:3cfc4522-7375-4ad3-a4ac-c5f34e67b512</guid><dc:creator>Shawn.Ferrier</dc:creator><description>To add to what the other two gentlemen have already provided, in case you&amp;#39;re not aware, there is a tool that is included in the Active Roles installation media - though it is a separate install - called the Collector. 
One of the purposes of this tool is to gather the Active Roles event logs (from all AR servers) into a single database (completely separate from all other Active Roles databases). You then have the ability to use SQL Reporting Services-based reports (deployable from within the Collector) to run reports against this database. Obviously this is a bit old-school, but for event collection, it is serviceable. Obviously if you have a tool like Splunk or InTrust, you would be better off, but this will work if you don&amp;#39;t have budget for additional tools.</description></item><item><title>Forum Post: RE: How to save change log history for many years</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39785/how-to-save-change-log-history-for-many-years/92567</link><pubDate>Thu, 23 Apr 2026 14:08:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:fa3e4633-797a-473f-a473-507e3aa9502a</guid><dc:creator>Terrance.Crombie</dc:creator><description>I really don&amp;#39;t recommend doing this. Active Roles is not intended to be used as a long-term auditing tool. The Active Roles Management History database is not an archive of changes made. It is the operational database for the product. Its primary use is not as a report or audit - it&amp;#39;s where the changes are actually being made. This means that the size and complexity of the Management History database directly impact the performance of the product.
You should look at archiving the events using either the built-in Event Viewer logs archival options or a real audit tool like Change Auditor or Splunk.</description></item><item><title>Forum Post: RE: How to save change log history for many years</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39785/how-to-save-change-log-history-for-many-years/92563</link><pubDate>Thu, 23 Apr 2026 10:05:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:d1f580c3-3899-4cbb-a6ba-c7281ee9b9bb</guid><dc:creator>JohnnyQuest</dc:creator><description>Change History is a great short term operational and to a degree, security tool but I don&amp;#39;t recommend using it as a long term archive for events. Rather, save the Administration Service&amp;#39;s Windows Event log. That way you can more efficiently use third party tools to mine the data. As for the data you have, I would look to backup (i.e. make an offline copy of) the existing management history database and then perhaps engage someone (Quest/One Identity PS or Partner consultant) to help you to purge the events you don&amp;#39;t need.</description></item><item><title>Forum Post: How to save change log history for many years</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39785/how-to-save-change-log-history-for-many-years</link><pubDate>Thu, 23 Apr 2026 06:09:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:1e468c36-4e89-4cae-84a8-092fc80ef8a1</guid><dc:creator>aalbrechm</dc:creator><description>Good morning to all, I do have an AR Server 8.1.3 running for around 1k people. As it is configured in default the change history is usable for 30 days. I am struggling to activate the History DB (replication). The requirement we have is that all changes (especially group membership changes) will be tracked and saved for around 10 years. We do have 1 AR Server with Sync and one SQL Server for the data.
Can you tell me if and how we can achieve this goal? Regards, Michael</description><category domain="https://www.oneidentity.com/community/active-roles/tags/ActiveRoles%2bServer">ActiveRoles Server</category><category domain="https://www.oneidentity.com/community/active-roles/tags/ChangeHistory">ChangeHistory</category></item><item><title>Forum Post: RE: How do I make a policy that disables all workflows in a container</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39758/how-do-i-make-a-policy-that-disables-all-workflows-in-a-container/92527</link><pubDate>Tue, 14 Apr 2026 15:29:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:9caa10cd-08a9-4ca7-aed4-07f008919981</guid><dc:creator>matt phipps</dc:creator><description>Still no luck, I&amp;#39;m afraid. Is the onPostMove the wrong function to be using here? Here is the debug log from my latest test, The script is seeing that the workflow is being put into the container but it doesn&amp;#39;t seem to even attempt to disable it. www.w3.org/.../XMLSchema&amp;quot; xmlns:xsi=&amp;quot; &amp;quot;&amp;gt;www.w3.org/.../XMLSchema-instance&amp;quot; dn=&amp;quot;CN=Account Activation 10 April 2026,CN=WIP,CN=Workflow,CN=Policies,CN=Configuration&amp;quot; newContainerDN=&amp;quot;CN=Archive,CN=Workflow,CN=Policies,CN=Configuration&amp;quot; xmlns=&amp;quot;urn:schemas-quest-com:ActiveRolesServer&amp;quot;&amp;gt; Check Call: Set-PSDebug -trace 2 DEBUG: 1+ &amp;gt;&amp;gt;&amp;gt;&amp;gt; s7863721d-1e54-4b60-b8b8-0aed900c52b1 &amp;#39;onPostMove&amp;#39; $Request DEBUG: ! 
CALL function &amp;#39;</description></item><item><title>Forum Post: RE: How do I make a policy that disables all workflows in a container</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39758/how-do-i-make-a-policy-that-disables-all-workflows-in-a-container/92520</link><pubDate>Mon, 13 Apr 2026 23:23:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:24d732b5-7aac-47b6-b8e5-5a8d7a7ced0d</guid><dc:creator>JohnnyQuest</dc:creator><description>One slight change I would suggest to this:
Get-QADObject -Proxy -SearchRoot &amp;#39;CN=Archive,CN=Workflow,CN=Policies,CN=Configuration&amp;#39; `
    -Type &amp;#39;edsWorkflowDefinition&amp;#39; | foreach {
    Set-QADObject -identity $_.DN -Proxy -ObjectAttributes @{edsaWorkflowIsDisabled=&amp;quot;TRUE&amp;quot;}
}</description></item><item><title>Forum Post: RE: Detect changes that occur in Active Directory (not AR) and trigger an action?</title><link>https://www.oneidentity.com/community/active-roles/f/forum/32206/detect-changes-that-occur-in-active-directory-not-ar-and-trigger-an-action/92515</link><pubDate>Mon, 13 Apr 2026 17:49:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:5c74695b-e0ec-4650-a0e9-dc7116f16d71</guid><dc:creator>Richard Lambert</dc:creator><description>I had an onPostModify script output the attributes it is seeing from DirSync upon a password reset/change made outside of Active Roles (same attributes are logged in each case), so as Terrance indicated, pwdlastset could be a good candidate to queue off of.
dBCSPwd unicodePwd ntPwdHistory pwdLastSet supplementalCredentials lmPwdHistory</description></item><item><title>Forum Post: RE: Detect changes that occur in Active Directory (not AR) and trigger an action?</title><link>https://www.oneidentity.com/community/active-roles/f/forum/32206/detect-changes-that-occur-in-active-directory-not-ar-and-trigger-an-action/92514</link><pubDate>Mon, 13 Apr 2026 17:19:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:f6a56113-36fb-416d-b1ba-e8b596c887a0</guid><dc:creator>Terrance.Crombie</dc:creator><description>&amp;quot;userPassword&amp;quot; is not a real attribute. Try changing the trigger to check for when &amp;quot;pwdlastset&amp;quot; is updated. This attribute is typically only updated by a password change.</description></item><item><title>Forum Post: RE: Detect changes that occur in Active Directory (not AR) and trigger an action?</title><link>https://www.oneidentity.com/community/active-roles/f/forum/32206/detect-changes-that-occur-in-active-directory-not-ar-and-trigger-an-action/92513</link><pubDate>Mon, 13 Apr 2026 16:23:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:46d2b789-5a23-4ec3-a7bc-d4e531999055</guid><dc:creator>enda walsh</dc:creator><description>Hello I&amp;#39;m trying to configure a password change in AD to trigger a modification of a virtual attribute in ARS using Dir Sync control via policy object script. The script is below however when I change the password in native AD I don&amp;#39;t see any modification. Is there something wrong with the script? 
function IsAttributeModified ([string]$AttributeName, $Request)
{
    $objEntry = $Request.GetPropertyItem($AttributeName, $Constants.ADSTYPE_CASE_IGNORE_STRING)
    if ($objEntry -eq $null) { return $false }
    if ($objEntry.ControlCode -eq 0) { return $false }
    return $true
} #-- IsAttributeModified

function onPostModify($Request)
{
    if($Request.class -ne &amp;#39;user&amp;#39;){return}
    if(IsAttributeModified &amp;#39;userPassword&amp;#39; $Request)
    {
        Set-QADObject -proxy $Request.DN -ObjectAttributes @{&amp;#39;edsvaAmundiInviteMailboxCreation&amp;#39;=$TRUE}
    }
}</description></item><item><title>Forum Post: RE: How do I make a policy that disables all workflows in a container</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39758/how-do-i-make-a-policy-that-disables-all-workflows-in-a-container/92512</link><pubDate>Mon, 13 Apr 2026 14:22:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:76e05fff-35d3-4b67-8e18-eb33ca8f6169</guid><dc:creator>matt phipps</dc:creator><description>Thanks, Richard. That helped. I was trying to run it in ISE to test and I had to add the -Proxy switch. The script runs error free, but isn&amp;#39;t actually doing anything. I have a workflow sitting in my archive folder that isn&amp;#39;t getting disabled by the script.
This is what I am testing in ISE:
Import-Module ActiveRolesManagementShell
Get-QADObject -Proxy -SearchRoot &amp;#39;CN=Archive,CN=Workflow,CN=Policies,CN=Configuration&amp;#39; `
    -Type &amp;#39;edsWorkflowDefinition&amp;#39; |
    Set-QADObject -Proxy -ObjectAttributes @{edsaWorkflowIsDisabled=&amp;quot;TRUE&amp;quot;}</description></item><item><title>Forum Post: RE: How do I make a policy that disables all workflows in a container</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39758/how-do-i-make-a-policy-that-disables-all-workflows-in-a-container/92506</link><pubDate>Fri, 10 Apr 2026 20:58:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:87c4480d-6669-4935-9ae3-23bd288bf57c</guid><dc:creator>Richard Lambert</dc:creator><description>Hello, I was able to get your script to work properly by placing the word TRUE inside of quotes. Give this a try and see if this works for you as well. Thanks. Set-QADObject -ObjectAttributes @{edsaWorkflowIsDisabled=&amp;quot;TRUE&amp;quot;}</description></item><item><title>Forum Post: How do I make a policy that disables all workflows in a container</title><link>https://www.oneidentity.com/community/active-roles/f/forum/39758/how-do-i-make-a-policy-that-disables-all-workflows-in-a-container</link><pubDate>Fri, 10 Apr 2026 19:08:00 GMT</pubDate><guid isPermaLink="false">5f2f4fa7-ebc7-4803-900c-42d427844a5e:2827ecd7-bb19-4627-8ced-c90271a36318</guid><dc:creator>matt phipps</dc:creator><description>Hello. I am experimenting with a form of versioning for workflows. I have made a container called Archive under Configuration-&amp;gt;Policies-Workflow. The point of this container is to store copies of workflows right before a change is done to them. As a safety feature, I am trying to figure out a policy that will automatically disable the workflow copies as they are moved to the archive folder. I created a policy object and I am enforcing the policy object on the archive container.
Inside the policy object I have a script policy. This is the script that I am running:
function onPostMove($Request)
{
    # Get all workflow objects in the target container and disable them
    Get-QADObject -SearchRoot &amp;#39;CN=Archive,CN=Workflow,CN=Policies,CN=Configuration&amp;#39; `
        -Type &amp;#39;edsWorkflowDefinition&amp;#39; |
        Set-QADObject -ObjectAttributes @{edsaWorkflowIsDisabled=TRUE}
}
The script is not disabling workflows when I put them in the archive container. I turned on debug logging for the script and I&amp;#39;m not seeing any obvious errors. Can someone please help me figure out why the archived workflows aren&amp;#39;t getting disabled? Thanks!</description></item></channel></rss>