Managed resource types
A managed resource type contains various default settings for a type, which is a logical distinction that can be used to refine the concept of a "file share" into different business specific groupings.
By default, a single managed resource type, Simple Share, is provided with Data Governance Edition. The settings for the Simple Share managed resource type can be found in the QAMManagedResourceType table in One Identity Manager. Take note of the following settings:
-
Default server selection script: This setting specifies the default server selection script to be used to determine an eligible server to create the new file share on. Default value: QAM-492C2929FD77ED478EA6BA3EB40774C2
Note: If this parameter is not specified, no script is run and during the approval process, the Data Governance Administrator must manually select a target managed host.
-
Full control add to group: This setting points to the managed group template being used to create the Active Directory group where the full control group is to be added to provide administrative access to a new share when it is created. Default value: G-[costcenter]-[random]-FC
Note: If this parameter is not specified, the specified full control group is not added to the Active Directory group that provides administrative control for the new file share when it is created.
-
Recipient add to group: This setting points to the managed group template being used to create the Active Directory group where the recipient will be added to provide access to a new share when it is created. Default value: G-[costcenter]-[random]-RW
Note: If this parameter is not specified, the recipient will not be added to the group when it is created and will be denied access to the newly created file share. The recipient can use the IT Shop to request access to the new file share, which will also set this value.
Note: If you are using the Simple Share managed resource type and need to modify the default settings, use the Object Browser (QAMManagedResourceType) or Windows PowerShell (Set-QManagedResourceType).
The "Simple Share" managed resource type is used in a pre-generation step in the current process chain. Therefore, it is recommended that you do not rename or remove this managed resource type. If you change the name of this managed resource type, you need to modify the process chain, either removing or modifying this pre-generation check step as appropriate.
Note: If you are adding a new managed resource type, you must implement your own IT Shop product and process chain. The current configuration and process chain are intended for creating new file shares.
Type group permissions objects
Once you have built your group hierarchies (managed group templates) and defined your managed resource types (Simple Share in default configuration), you must link the required permissions object to define the root level group for creating a managed resource.
By default, Data Governance Edition has defined the following group permission objects, which are available in the QAMTypeGroupPermissions table in One Identity Manager:
- L-[costcenter]-[random]-FC - Simple Share
- L-[costcenter]-[random]-R - Simple Share
- L-[costcenter]-[random]-RW - Simple Share
Group naming patterns
Since organizations have different rules for naming groups, Data Governance Edition allows you to add literal values and variables to the group naming pattern to dynamically construct a new Active Directory group name. Upon creation of the actual group, any variable specified in the pattern is then replaced with actual values to create a unique group name. The default group naming patterns are specified in the Managed group templates used to define the Active Directory groups to be created to fulfill self-service share creation requests. In addition, as part of the approval process, the Data Governance Administrator can edit the group naming pattern for the Active Directory groups to be created.
The default group name patterns provided with Data Governance Edition are:
- Domain Local group (Full Control): L-[costcenter]-[random]-FC
- Global group (Full Control): G-[costcenter]-[random]-FC
- Domain Local group (Read): L-[costcenter]-[random]-R
- Global group (Read): G-[costcenter]-[random]-R
- Domain Local group (Read/Write): L-[costcenter]-[random]-RW
- Global group (Read/Write): G-[costcenter]-[random]-RW
The following variables have been defined allowing you to define a group naming pattern to dynamically construct a new Active Directory group name.
Table 2: Group name pattern variables
[costcenter] |
Sample name pattern resolver that retrieves the short name of the cost center associated with the person who made the request.
If the requestor does not have a cost center assigned, this variable resolves to a blank. |
[dept] |
Sample name pattern resolver that retrieves the short name of the department associated with the person who made the request.
If the requestor does not have a department assigned, this variable resolves to a blank. |
[random] |
Sample name pattern resolver that generates a random number, between 1 and 999999. |
[ShareName] |
A variable that retrieves the name assigned to the file share. |
Note: To add additional group name pattern resolvers, use the Object Browser (QAMNamePatternResolver) or Windows PowerShell (Add-QNamePatternResolver). For more information, see Name pattern resolvers.. For more information on adding and testing scripts, see the One Identity Manager Configuration Guide.
To add a variable to a group naming pattern during the approval process:
- On the Permissions page of the New File Share dialog, click Edit to the right of the group name to be changed.
-
In the Group Name dialog, use the Group name pattern field to construct your naming pattern, which can consist of literal values and variables.
Note: Variables are enclosed in square brackets [ ] in the Group name pattern field. If you enter a variable that does not exist as a name pattern resolver, it will show as a literal in your group name.
-
To add a variable, place your cursor within the naming pattern where the variable is to be inserted and enter the variable enclosed in square brackets (for example, [dept]).
Note: Clicking a variable in the Macro list appends the selected variable to the end of the group naming pattern, regardless of where your cursor is located in the string.
- Once you have constructed the naming pattern, click the Resolve button to view the unique Active Directory group name created.
-
Click OK to save your selection and close the dialog.
Both the group naming pattern and the resolved group name appear on the Permissions page of the New File Share dialog.
Name pattern resolvers
Data Governance Edition allows you to define your own name pattern resolver scripts, which define the variables that can be added to a group naming pattern. These variables can then be used when building or modifying managed group templates. In addition, during the approval process, available variables are listed on the Group Name dialog when editing the group naming pattern to dynamically construct unique Active Directory group names for the new managed resource.
By default, the following sample name pattern resolver scripts are provided with Data Governance Edition and are available in the QAMNamePatternResolver table: