The Knowledge Pack for Active Roles is a link between InTrust on the one hand and Active Roles on the other hand. The Knowledge Pack enables you to use the InTrust workflow to control the operation of Active Roles.
The Knowledge Pack is essentially a collection of InTrust objects such as rules, sites, policies, tasks and reports. These objects are interdependent, and they blend in with other predefined InTrust objects you may have installed.
After you have set up the Knowledge Pack, you can work with the following objects using InTrust:
Using objects included in the Knowledge Pack, you can work with events that Active Roles records to its log. This log provides extended information about security events compared with the Security log.
The Knowledge Pack works with data provided by One Identity Active Roles 7.*.
The Knowledge Pack adds significantly to the value of Active Roles. In an enterprise where both Active Roles and InTrust are deployed, each of these products plays a central part. Active Roles is designed to be the Active Directory administration center for the environment, whereas InTrust is the main facility for auditing and ensuring policy compliance. The Knowledge Pack brings these administrative functions closer together, making administration easier and more direct.
The related topics describe particular benefits that you get by deploying the Knowledge Pack:
Active Roles is meant to be the control center for Active Directory administration. Accordingly, once you have deployed Active Roles, you should pay attention to any administrative activity that circumvents it. The Knowledge Pack enables you to find out whether any administrative actions are performed or attempted with other tools, such as the Active Directory Users and Computers MMC snap-in.
Administrative actions taken outside Active Roles may have different implications. This depends on whether the account that was used is one of the accounts reserved for the Active Roles service.
In a typical environment with Active Roles deployed, Active Directory-native permissions cannot be granted directly. Here, the term permissions includes membership in certain groups whose members have permissions on Active Directory objects. Only Active Roles accounts can delegate these permissions, but they are supposed to do it on behalf of Active Roles administrators by applying administrative templates (or roles) rather than dealing with individual permissions. One way of delegating Active Directory-native permissions on an individual basis is by using the Active Directory Users and Computers MMC snap-in.
In such cases, other accounts do not get direct access to Active Directory administration. If an account is not reserved for use with Active Roles, then administrative actions by that account fail. In such cases, you should investigate to find out who tried to get unauthorized access.
If the account is an Active Roles account, this may mean someone with access to the account performed the administrative action using a tool other than Active Roles. This can be done in an attempt to conceal the action or keep Active Roles from preventing it. Look into the matter to find out whether it is a case of impersonation or privilege abuse.
In some non-typical situations certain special-purpose administrative accounts retain the privileges to perform management outside Active Roles. Actions by these accounts should also be tracked to ensure that administrative measures do not violate the corporate policy.