Introduction
After you've added a target system, you will need to make some configuration changes. These changes affect how data from HelloID is written to the target system. This article will cover common configuration and management options that are found in multiple types of target systems.
For information about a specific target system, see the other articles in this section, including:
- On-premises Microsoft Active Directory target system
- Microsoft Azure Active Directory target system
- Custom PowerShell target system
- Microsoft Graph API target system with PowerShell (advanced Azure AD)
Manage a target system
On the Target Systems Overview, find the target system that you wish to configure and select its wrench icon. This will take you to the configuration screen for that system.
The configuration screen is split up into several tabs, as shown below. You can make changes in any of the tabs to affect how HelloID interacts with the target system.
Common target system tabs
General
This tab allows you to update the name and description of the target system, or enable/disable it.
Some target systems will also show connection details under this tab, such as the Microsoft Active Directory target system connector.
The on-premises Active Directory target system and PowerShell target system have an Agent configuration option on this tab. See Agent configuration for on-premises systems.
Enable/disable a target system
Use the Disable System toggle to disable the target system.
When a target system is disabled:
- No new entitlement actions will be started during enforcement
- Resources will not be executed during enforcement
- Manual entitlement actions (e.g., retries, force update accounts, force update permissions) cannot be started
- Blocked entitlement actions cannot be approved
- The system is not included in evaluations
- Its tile is grayed out:
Entitlements for the system in business rules can still be managed, and the target system's most recent state is retained until it is enabled again.
This is particularly useful if you have target systems configured as test or debug environments. You can keep them configured, but disable them so they aren't included in evaluation and enforcement.
Entitlements
Within the Entitlements tab, you can see a list of all business rules that contain entitlements for this target system. The icons to the right of the rule name indicate which entitlement types the rule contains: account, account access, or permissions (including group memberships). Edit a rule by selecting its wrench icon.
Thresholds
The Thresholds tab lets you automatically block entitlement grants, updates, or revokes, when the number of modified entitlements exceeds a specified value. When an enforcement occurs for a target system, the pending activity is compared to the last enforcement for the same target system. If the amount of activity exceeds the threshold, the enforcement is blocked until manually approved. In this way, thresholds are safety nets. They reduce the likelihood of a major mistake in the provisioning process if an enforcement contains bad data or no data.
You can set Grant and Revoke thresholds for each entitlement type supported by your current target system. Depending on the system type, this will include some or all of: Account, Account Access, and Permission.
Note that Permission thresholds encompass both permissions (custom PowerShell entitlements) as well as group membership entitlements.
Additionally, you can set Update thresholds for the Account and Permission entitlement types. (Account Access entitlements don't have an update stage and therefore don't have a corresponding threshold setting.)
Thresholds can be specified in absolute/count or relative/percentage terms and are triggered on an equal-to-or-greater-than basis. If you set both absolute and relative thresholds, they are evaluated with OR logic.
When a threshold is triggered during an enforcement, warnings are shown on the Business Rules > Entitlements screen. See Blocked entitlement actions.
Note that thresholds are triggered before any entitlements are written to a target system. For example, if an addition threshold is set to 10 entitlements and the import adds 100 entitlements, zero entitlements will be written to the target system (rather than 10 entitlements being added and the remaining 90 being blocked).
Audit Logs
Within this tab, you can view and search all activity that HelloID has taken within the target system.
Export a report
Select the Export button to download a CSV report.
Force Update Accounts
If you make changes within a target system's configuration (e.g., to attribute mappings), the Force Update Account(s) feature immediately writes them into the target system. In the case of a modified attribute mapping or similar settings change, no Person data has been modified, and thus the changes won't be written during an enforcement. This feature provides the workaround.
To confirm, select the Force update button. HelloID will begin updating accounts within the target system. Updates are only made to target accounts which HelloID has granted. Any accounts not granted by HelloID (e.g., manually created accounts, service accounts, etc.) will not be touched.
To view in-progress actions, View running & pending entitlement actions. To subsequently view completed actions, View entitlement action history.
This feature does not update permissions in PowerShell target systems. To do that, see Force Update Permissions.
Force update an individual account
See Force update account.
Delete a target system
If you no longer need or want a target system in HelloID, you may remove it. On the Target Systems Overview, find the system that you want to delete and click its trashcan button.
You will be asked to confirm the deletion of the target system. If you are sure, click Delete to confirm the removal. Note that removing a target system will also remove its entitlements from any configured business rules. Any entitlements that have already been granted will become unmanaged.