One Identity Active Roles and Setting up Workflows

Active roles has a powerful workflow and property validation engine. Let's take a look at some of it and what it can do for you. For example, here's a workflow that I've told the system to use each time somebody needs to be added to a sensitive group requiring that that group's owner be approved the actual group add. And you can see here that I've told the system any group that has this particular attribute down here called approval by primary owner set to true runs this workflow. The workflow has an approval. I won't go into that. But it basically tells it that the owner of the group has to approve it. If they do, it will do the actual action of adding them to the group. And let's see what that looks like in the real world. Here, I'm just a regular end user. I'm going to search for a group. Now incidentally, if I were to search for the word group, normally, I see a ton. But because of the active roles security model, I can only see things I'm allowed to see. In this case, I can see this group creatively called Group Requiring Approval. And you can see here I can see some information about it because I've given myself that access. But if I want to add myself to the group, then I can or at least I can try. So I'm going to add myself. And I need to give a reason why. Click OK. And let's get rid of that. In order to make this a little easier, I've set myself up, and I've logged myself in as the manager too. What you'll see here-- it already happened-- is that I got an email saying, hey, this person has requested to join. You can see the group. We can see all that information. I can click on Approve Tasks and that would log me into active roles. But again, to make this faster, I've just gone ahead and already logged in here. Here, I see approval. Since I hadn't refreshed this, it didn't say there are operations. I can go ahead and see again all the information right here, and click Approve. All this is logged. We could go back and look at this stuff later. And everything is done. You can see here that the operation is completed. Were I to go back in here and look at the group, that user would now be inside the group. But that's not the only thing we can do. We also have policies. And policies can do a lot of things. We can run scripts. And we actually can write scripts through workflows as well. We can do all kinds of things in workflows. We won't get into that today. But let's look at an example of what a policy can do. So here's a policy for our office name. It's a common field in Active Directory. Everybody uses it. And we can see what office a particular user's in. Here, I tell it the office location must be specified, meaning they can't save a user object, for example, if there is no office location, especially in my employees OU. And here's what it has to be, and you can see all these values right here. So what this will do is this will actually create a dropdown list. And let's take a look at what that actually looks like. If I go over here to a user and I open up a user, what we're going to see is that instead of this being a free form field like the description field above, it's actually a dropdown list. And you can see here that the dropdown list lets me pick which one of these this user is going to be in. Really simple. Great way to just help organize and keep AD under control and not turn into the management beast that it can easily become. We can do other things with policies too. In fact, if you take a look at the same user, we can see that the phone number field here, the mobile phone number has a little explanation point. And that tells me that it has to be in a special format. And you can see I have it listed right here. In other words, somebody can edit this, the mobile number, but it has to be in the correct form. And you can see this is an example of the correct format right here. Why do I want to do that? Let's say I have click to dial or something like that and I need people to be able to make sure that the phone number's in the correct format, so click to dial works. With an active roles policy, I can actually just use a regular expression to create that or pretty much whatever I want. As you can see, we've just kind of given you the tip of the iceberg of what we can do with workflows and with policies inside active roles. Really, the sky's the limit in terms of what you do. We have customers being incredibly creative with all the different things that they can do and make sure that things get done a certain way or don't get done or get approved or not approved or send out notifications when things happen, whatever they want. And if it's something we don't have built in active roles, you can just add a script into do whatever you need. It's pretty simple and straightforward.