Error: "No groups were found that match the requested access." when approving resource access request (4297083)

The system automatically calculates the "best fit" groups and assigns the resource to a group that matches the access requested. When the business owner logs on to the web portal, the "best fit" group is displayed for the self-service access request on the Pending Requests page. The business owner can approve the suggested group or manually specify a different group that meets the criteria of the request by clicking the Select a group button. If no groups are available or no groups are found that match the access request, a compliance violation results and the request cannot be approved.

When no groups are listed for the selected group, means that Data Governance Edition could not find any groups that match the level of access requested. That is, no groups met the criteria used to calculate the "best fit" group.

• For NTFS group membership calculations, the system takes the following into consideration: origin domain, distance from the resource, group type, whether the group is published to the IT Shop, access rights, access inheritance, domain local group membership, and group membership rules.
• For SharePoint group access calculations, the system takes the following into consideration: group membership, self-service access, Active Directory groups, SharePoint groups and WebApp policy.

If you are requesting access to a Share, use the Object Browser to check the UseFolderForITShop property in the QAMDuG table. If this flag is set to True, the backing folder security (Folder Permissions) is being used (not the Share permissions). Verify that there are groups that meet the requested access defined for folder security. See Wrong group is displayed for self-service share access request (KB #176265) for more information on reviewing a governed share's properties in the QAMDuG table.

Review the criteria used for calculating a "best fit" group and create a group that satisfies the access requested. For example, consider the following when creating a group:

• Access rights: Create a group that contains the exact access rights requested. For example, if an employee requests read access, but all available groups allow more rights (for example, write or full access), no groups will be found. Creating a group that is limited to read access would satisfy the access requested.

NOTE: Review the Advanced options for the group to ensure that only the default permissions are set; setting different advanced permissions may also affect the "best fit" group calculations.

• Group type: Create a global group and a domain local group; nesting the global group within the domain local group. The domain local group is ACL'd on the resource, but the global group should be suggested as the correct group. 

NOTE: Data Governance Edition follows Microsoft best practices when ranking groups, where global groups are ranked higher than domain local groups.

The "best fit" group is determined using a series of calculators that return a value in the range of -2 to +2. Review the Data Governance Service log.txt file to see the groups that were evaluated and the results of these calculations. The calculators cannot be change; however, you can modify the positive and negative multipliers in the Dell.DataGovernanceEdition.Service.exe.config file if necessary. 

NOTE: In Data Governance Edition version 6.1.x, the configuration file is named Quest.Titan.Server.Service.exe.config. For versions 7.0 and 6.1.x, this configuration file is located in the Data Governance Server directory.

For more information on processing requests, how Data Governance Edition calculates the "best fit" groups for resource access, and how to modify the calculator multipliers, see the Access calculations appendix in the One Identity Manager Data Governance Edition User Guide.