The system automatically calculates the "best fit" groups and assigns the resource to a group that matches the access requested. When the business owner logs on to the web portal, the "best fit" group is displayed for the self-service access request on the Pending Requests page. The business owner can approve the suggested group or manually specify a different group that meets the criteria of the request by clicking the Select a group button. If no groups are available or no groups are found that match the access request, a compliance violation results and the request cannot be approved.
When no groups are listed for the selected group, means that Data Governance Edition could not find any groups that match the level of access requested. That is, no groups met the criteria used to calculate the "best fit" group.
If you are requesting access to a Share, use the Object Browser to check the UseFolderForITShop property in the QAMDuG table. If this flag is set to True, the backing folder security (Folder Permissions) is being used (not the Share permissions). Verify that there are groups that meet the requested access defined for folder security. See Wrong group is displayed for self-service share access request (KB #176265) for more information on reviewing a governed share's properties in the QAMDuG table.
Review the criteria used for calculating a "best fit" group and create a group that satisfies the access requested. For example, consider the following when creating a group:
NOTE: Review the Advanced options for the group to ensure that only the default permissions are set; setting different advanced permissions may also affect the "best fit" group calculations.
NOTE: Data Governance Edition follows Microsoft best practices when ranking groups, where global groups are ranked higher than domain local groups.
The "best fit" group is determined using a series of calculators that return a value in the range of -2 to +2. Review the Data Governance Service log.txt file to see the groups that were evaluated and the results of these calculations. The calculators cannot be change; however, you can modify the positive and negative multipliers in the Dell.DataGovernanceEdition.Service.exe.config file if necessary.
NOTE: In Data Governance Edition version 6.1.x, the configuration file is named Quest.Titan.Server.Service.exe.config. For versions 7.0 and 6.1.x, this configuration file is located in the Data Governance Server directory.
For more information on processing requests, how Data Governance Edition calculates the "best fit" groups for resource access, and how to modify the calculator multipliers, see the Access calculations appendix in the One Identity Manager Data Governance Edition User Guide.
© 2020 One Identity LLC. ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz