There are various ways of restricting who can see (and consequently request access to) governed data that has been published to the IT Shop. These include:
- Defining a restriction list based on organizational structure (department, location or cost center).
- Explicitly marking groups for exclusion.
- If the Business Roles module is purchased and installed, defining a restriction list based on business roles.
Note: Ask your Data Governance Administrator to set up a restriction list or mark groups to restrict access to your governed data.
By defining a restriction list, only those employees who are in the specified departments, cost centers or geographical locations are able to see (and request access to) a governed resource.
Note: Organizational inheritance is not supported. Each required level of an organizational structure must be added to the restriction list.
To restrict access to a resource in the IT Shop (Data Governance Administrator)
- In the Manager, open the Governed data view:
  - From the Data Governance navigation view, select Governed data.
  - From the Managed hosts view, navigate to the required managed host, then select Governed data from the Tasks view or right-click menu.
- Select the required resource and select Change governed resource master data in the Tasks view or right-click menu.
- Select Assign organizations in the Tasks view or right-click menu.
  The Organizations assignment page appears, which consists of three tabbed pages (Departments, Locations, and Cost centers) allowing you to select from a list of previously defined organizational assignments.
- Use the different tabs to define who can see (and request access to) the selected resource. In the lower pane of the tabbed pages, double-click the departments, locations or cost centers to be assigned to the resource. The employees not assigned through the assignment page are restricted from seeing or accessing the resource through the IT Shop.
- When finished with the assignments, click the Save toolbar button.
To restrict access to an owned resource in the IT Shop (Only for Business Owners who also have Data Governance Administrator role)
Note: Business owners who have both the Data Governance | Administrators and Data Governance | Direct Owners application roles assigned can use the web portal to define who can see and access owned resources.
- Log on to the One Identity Manager web portal.
- From the menu bar, select Responsibilities | My Responsibilities.
- On the My Responsibilities view, select the Governed Data tile.
- On the Governed data view, select a governed resource.
- Click the Master data tab.
- At the bottom of the properties page, click the Assign button to the right of Departments, Locations, or Cost centers.
  Note: You can also restrict access based on Business Roles or One Identity Manager application roles.
- In the Assign dialog, use the left pane to select the organizational assignment to be assigned to the selected resource.
  Once selected, the assignment appears in the Assigned pane (right pane) and the icon to the left of the assignment changes to a check mark. To remove an assignment, select it in the Assigned pane; the icon to its left changes back to an X and the assignment is removed from the Assigned pane.
  Click OK to save your selections and close the Assign dialog.
- When finished with the assignments, click the Save button.
You may want to mark certain groups as being ineligible for self-service requests, especially when Data Governance Edition is configured to allow for non-published groups to be presented. In this case, it is possible to mark either specific groups, or all groups within a particular Active Directory container as being ineligible for access requests.
To explicitly exclude groups
Note: Modifying the registry can cause serious issues. Ensure that when making these changes, only the described keys are modified.
- On the Data Governance server, navigate to the following registry key using regedit.exe:
  HKEY_LOCAL_MACHINE\Software\One Identity\Broadway\Server\DeploymentData\SelfService\ExclusionByDN
  Note: The "DeploymentData" and "SelfService" subkeys may not exist. If these keys are not present, create them.
- Beneath the ExclusionByDN key, create string values whose names match the distinguished names of the groups to be excluded.
  To exclude an entire container of groups, specify the distinguished name of the container with an asterisk ("*") prefix. For example, to exclude all groups in the Users container of example.com, use the following syntax: "*CN=Users,DC=example,DC=com".
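The same exclusion entries can be created and audited from PowerShell instead of regedit.exe, which makes the configuration repeatable and lets you check which groups a given entry actually covers. The following is an added example, not One Identity's own tooling: the cmdlet names (Add-DgeSelfServiceExclusion, Get-DgeSelfServiceExclusion, Test-DgeGroupExcluded) are invented for this example, the sample distinguished names are constructed, and two behaviours are assumptions rather than documented facts: that the value data of each string value is ignored (only the value name matters, as the procedure states), and that a "*<container DN>" entry matches every group whose DN ends with ",<container DN>". Run it in an elevated session on the Data Governance server; -WhatIf previews registry changes without making them.

```powershell
# Added example (not One Identity's tooling): manage and audit the ExclusionByDN
# key described above from PowerShell. Run elevated on the Data Governance server.
# Assumptions: value data is unused (only the value name, the DN, matters), and a
# "*<container DN>" entry matches any group whose DN ends with ",<container DN>".

$ExclusionKey = 'HKLM:\Software\One Identity\Broadway\Server\DeploymentData\SelfService\ExclusionByDN'

function Add-DgeSelfServiceExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # A group DN, or "*<container DN>" to exclude every group in that container.
        [Parameter(Mandatory, ValueFromPipeline)][string]$DistinguishedName
    )
    process {
        # The DeploymentData\SelfService\ExclusionByDN chain may not exist yet;
        # New-Item -Force creates every missing level.
        if (-not (Test-Path -Path $ExclusionKey)) {
            if ($PSCmdlet.ShouldProcess($ExclusionKey, 'Create registry key')) {
                New-Item -Path $ExclusionKey -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess($ExclusionKey, "Add exclusion '$DistinguishedName'")) {
            # The value NAME carries the DN; the data is left empty (assumed unused).
            New-ItemProperty -Path $ExclusionKey -Name $DistinguishedName `
                -PropertyType String -Value '' -Force | Out-Null
        }
    }
}

function Get-DgeSelfServiceExclusion {
    # Returns the configured entries, i.e. the value names under ExclusionByDN
    # (the unnamed default value is skipped).
    if (-not (Test-Path -Path $ExclusionKey)) { return @() }
    (Get-Item -Path $ExclusionKey).GetValueNames() | Where-Object { $_ -ne '' }
}

function Test-DgeGroupExcluded {
    # Reports whether a group DN is covered by the exclusion entries, either by an
    # exact DN match or by a "*container" wildcard (assumed suffix match).
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string[]]$Exclusions = (Get-DgeSelfServiceExclusion)
    )
    foreach ($entry in $Exclusions) {
        if ($entry.StartsWith('*')) {
            $container = $entry.Substring(1)
            if ($GroupDN.EndsWith(",$container", [StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
        elseif ($GroupDN.Equals($entry, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Usage with constructed sample DNs:
# Add-DgeSelfServiceExclusion 'CN=Share Admins,CN=Users,DC=example,DC=com' -WhatIf
# Add-DgeSelfServiceExclusion '*CN=Users,DC=example,DC=com'
# Get-DgeSelfServiceExclusion
# Test-DgeGroupExcluded -GroupDN 'CN=Finance,CN=Users,DC=example,DC=com'
# Offline check of the matching rule, without touching the registry:
# Test-DgeGroupExcluded -GroupDN 'CN=Finance,CN=Users,DC=example,DC=com' -Exclusions '*CN=Users,DC=example,DC=com'
```

Test-DgeGroupExcluded is the audit half: before relying on a container wildcard, run it against the DNs of the groups you expect to be covered (and a few you expect not to be) so that a typo in the container DN does not silently leave groups eligible for self-service requests.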
The Business Role module is an optional module that can be purchased with One Identity Manager. If this module is installed (selected on the Module selection page of the Setup wizard), you can restrict employees from seeing (and consequently requesting access to) governed data that has been published to the IT Shop based on their business role assignments.
By defining a business role restriction list, only those employees who are assigned the selected business roles are able to see and request access to a governed resource.
To restrict access to a resource in the IT Shop (Data Governance Administrator)
- In the Manager, open the Governed data view:
  - From the Data Governance navigation view, select Governed data.
  - From the Managed hosts view, navigate to the required managed host, then select Governed data from the Tasks view or right-click menu.
- Select the required resource and then select Change governed resource master data in the Tasks view or right-click menu.
- Select Assign business roles in the Tasks view or right-click menu.
  The Business Roles assignment page appears, allowing you to select from a list of business roles.
- In the lower pane, double-click the business roles to be assigned to the resource.
- When finished with the assignments, click the Save toolbar button.
To restrict access to an owned resource in the IT Shop (Only for Business Owners who also have Data Governance Administrator role)
Note: Business owners who have both the Data Governance | Administrators and Data Governance | Direct Owners application roles assigned can use the web portal to define who can see and access owned resources.
- Log on to the One Identity Manager web portal.
- From the menu bar, select Responsibilities | My Responsibilities.
- On the My Responsibilities view, select the Governed Data tile.
- On the Governed data view, select a governed resource.
- Click the Master data tab.
- Click the Assign button to the right of Business Roles.
- In the Assign dialog, use the left pane to select the business roles to be assigned to the selected resource.
  Once selected, the business role appears in the Assigned pane (right pane) and the icon to the left of the business role changes to a check mark. To remove a business role, select it in the Assigned pane; the icon to its left changes back to an X and the business role is removed from the Assigned pane.
  Click OK to save your selections and close the Assign dialog.
- When finished with the assignments, click the Save button.