
Identity Manager Data Governance Edition 8.1.1 - IT Shop Resource Access Requests User Guide


Managed resource types

A managed resource type contains various default settings for a type, which is a logical distinction that can be used to refine the concept of a "file share" into different business specific groupings.

By default, a single managed resource type, Simple Share, is provided with Data Governance Edition. The settings for the Simple Share managed resource type can be found in the QAMManagedResourceType table in One Identity Manager. Take note of the following settings:

  • Default server selection script: This setting specifies the default server selection script to be used to determine an eligible server to create the new file share on. Default value: QAM-492C2929FD77ED478EA6BA3EB40774C2

    Note: If this parameter is not specified, no script is run and during the approval process, the Data Governance Administrator must manually select a target managed host.

  • Full control add to group: This setting points to the managed group template being used to create the Active Directory group where the full control group is to be added to provide administrative access to a new share when it is created. Default value: G-[costcenter]-[random]-FC

    Note: If this parameter is not specified, the specified full control group is not added to the Active Directory group that provides administrative control for the new file share when it is created.

  • Recipient add to group: This setting points to the managed group template being used to create the Active Directory group where the recipient will be added to provide access to a new share when it is created. Default value: G-[costcenter]-[random]-RW

    Note: If this parameter is not specified, the recipient will not be added to the group when it is created and will be denied access to the newly created file share. The recipient can use the IT Shop to request access to the new file share, which will also set this value.

Note: If you are using the Simple Share managed resource type and need to modify the default settings, use the Object Browser (QAMManagedResourceType) or Windows PowerShell (Set-QManagedResourceType).

The "Simple Share" managed resource type is used in a pre-generation step in the current process chain. Therefore, it is recommended that you do not rename or remove this managed resource type. If you change the name of this managed resource type, you need to modify the process chain, either removing or modifying this pre-generation check step as appropriate.

Note: If you are adding a new managed resource type, you must implement your own IT Shop product and process chain. The current configuration and process chain are intended for creating new file shares.

Adding a resource type


To add a resource type (Object Browser)

  1. Open the Object Browser.
  2. In the Navigation view, locate and select QAMManagedResourceType.
  3. In the Managed Resource Type result list pane, click the Insert toolbar button or right-click command.
  4. In the new Managed Resource Type page, specify the following:

    • UID_ContainerAERole: (Optional) Specify the name of the parent container where newly created roles are to be stored when the business owner type is set to role-based (value of 0). If this parameter is not specified, no parent container is created. When no parent container is specified, all roles created are placed under the "Data Governance" role.

      NOTE: The default configuration has a parent role called "Managed Resources" set as the default.
    • UID_DefaultSelctionScript: Use the drop-down menu to select the default server selection script to be used to determine an eligible server to create the share on.
    • UID_FullCtrAddToGroup: Use the drop-down menu to select the managed group template being used to create the Active Directory group where the full control group will be added to provide administrative control over new shares that are created.
    • UID_RecipientAddToGroup: Use the drop-down menu to select the managed group template being used to create the Active Directory group where the recipient will be added to provide access to a new share when it is created.
    • BusinessOwnerType: By default, the business ownership for a managed resource is set to Role. Use the drop-down menu to change this to Person if necessary.

      NOTE: If you used the managed resource functionality to create simple shares in Data Governance Edition version 7.0.1, the default is set to Person.

      The Role default setting is only used for new Data Governance Edition version 7.0.2 (or higher) installations and for upgraded installations if the managed resource functionality was never used.

    • Description: (Optional) Enter a description for the managed resource type.
    • Name: Enter the name to be assigned to the managed resource type.
    • PublishToITShop: Indicate whether the managed resource should be added to the IT Shop after it is created.
    • SetRestrictionList: This is set to False by default, indicating that no restriction list is associated with managed resources of this type when they are created. Use the drop-down menu to change this to True if you want a restriction list applied to managed resources of this type when they are created. For more information on the default restriction list or on implementing a custom restriction list, see Restricting access to managed resources.

    Note: UID_QAMManagedResourceType: This value is automatically generated by One Identity Manager.

  5. Click the Save toolbar button to save your selections.

    The newly created managed resource type appears in the Managed Resource Types result list pane.

To add a managed resource type (PowerShell)

  1. If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to add a new managed resource type:

    Add-QManagedResourceType -Name <String> [-Description [<String>]] [-FullControlAddToGroupID [<String>]] [-RecipientAddToGroupID [<String>]] [-PublishToITShop [<Boolean>]] [-SetRestrictionList [<Boolean>]] [-ServerSelectionScriptID [<String>]] [-ContainerAERole [<String>]] [-BusinessOwnerType <Int32>]

    • Name: Enter the name to be assigned to the managed resource type.
    • Description: (Optional) Enter a description for the managed resource type.
    • FullControlAddToGroupID: Specify the ID (GUID format) for the managed group template used to create the full control group.
    • RecipientAddToGroupID: Specify the ID (GUID format) for the managed group template used to create the group to which the recipient is added.
    • PublishToITShop: Specify this parameter if you want the managed resource published to the IT Shop after it is created.
    • SetRestrictionList: This is set to false by default, indicating that no restriction list is associated with this type of managed resource. Specify this parameter with a value of $true to apply a restriction list to this type of managed resource after a resource is created. For more information on the default restriction list or on implementing a custom restriction list, see Restricting access to managed resources.
    • ServerSelectionScriptID: Specify the ID of the server selection script to be used to determine an eligible server to create the share on.
    • ContainerAERole: (Optional) Specify the name of the parent container where newly created roles are to be stored when the business owner type is set to role-based (value of 0). If this parameter is not provided, no parent container is created. When no parent container is specified, all roles created are placed under the "Data Governance" role.

      NOTE: The default configuration has a parent role called "Managed Resources" set as the default.
    • BusinessOwnerType: By default, this is set to role-based ownership (value of 0). Specify this parameter with a value of 1 to change the business ownership to person-based.

      NOTE: If you used the managed resource functionality to create simple shares in Data Governance Edition version 7.0.1, the default is set to Person.

      The Role default setting is only used for new Data Governance Edition version 7.0.2 (or higher) installations and for upgraded installations if the managed resource functionality was never used.

For more information, see Managed resource type management.


Type group permissions objects

Once you have built your group hierarchies (managed group templates) and defined your managed resource types (Simple Share in default configuration), you must link the required permissions object to define the root level group for creating a managed resource.

By default, Data Governance Edition has defined the following group permission objects, which are available in the QAMTypeGroupPermissions table in One Identity Manager:

  • L-[costcenter]-[random]-FC - Simple Share
  • L-[costcenter]-[random]-R - Simple Share
  • L-[costcenter]-[random]-RW - Simple Share

Adding a type group permissions object


To add a type group permissions object (Object Browser)

  1. Open the Object Browser.
  2. In the Navigation view, locate and select QAMTypeGroupPermissions.
  3. In the Type Group Permissions result list pane, click the Insert toolbar button or right-click command.
  4. In the new Type Group Permissions page, specify the following:

    • UID_QAMManagedGroupTemplate: Use the drop-down menu to select the managed group template to be used to create the root level group for a managed resource.

    • UID_QAMManagedResourceType: Use the drop-down menu to select the managed resource type to be associated with this object.
    • Permission: Use the drop-down menu to select the type of permission: Read, Read Write, or Full Control.
  5. Click the Save toolbar button to save your selections.

    The new type group permissions object appears in the Type Group Permissions result list pane.

To add a type group permissions object (PowerShell)

  1. If necessary, import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to add a new type permissions object:

    Add-QTypeGroupPermissions -ManagedResourceTypeID <String> -ManagedGroupTemplateID <String> [-Permissions [<Int32>]]

    • ManagedResourceTypeID: Enter the ID of the managed resource type this object is to be associated with.
    • ManagedGroupTemplateID: Enter the ID of the managed group template to be used to create the root level group for a managed resource.
    • Permissions: Specify the type of permission to be assigned:
      • 0: Read (Default)
      • 1: Read Write
      • 2: Full Control

For more information, see Type group permissions object management.
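The following script ties the two PowerShell procedures above together: it creates a custom managed resource type and then links one type group permissions object per permission level to it. It is an added example, not part of the One Identity guide; every GUID in it is a constructed placeholder, and the 'Project Share' name and the $addToGroup / $rootGroup variable names are this example's own choices.

```powershell
# Added example (not from the One Identity documentation). All GUIDs are
# constructed placeholders: replace them with the UID values from your own
# QAMManagedGroupTemplate and QAMManagedResourceType rows (Object Browser).

# 1. Load the Data Governance client cmdlets (default install path from the guide).
Import-Module "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll"

# Templates that create the groups a share's administrators and recipients are
# added to (the guide's defaults are G-[costcenter]-[random]-FC and -RW).
$addToGroup = @{
    FullControl = '00000000-0000-0000-0000-0000000000A1'   # placeholder, G-...-FC template
    ReadWrite   = '00000000-0000-0000-0000-0000000000A2'   # placeholder, G-...-RW template
}

# Templates that create the root-level groups for each permission level
# (the guide's defaults are L-[costcenter]-[random]-R, -RW and -FC).
$rootGroup = @{
    Read        = '00000000-0000-0000-0000-0000000000B1'   # placeholder, L-...-R template
    ReadWrite   = '00000000-0000-0000-0000-0000000000B2'   # placeholder, L-...-RW template
    FullControl = '00000000-0000-0000-0000-0000000000B3'   # placeholder, L-...-FC template
}

# 2. Create the type. Role-based ownership (0) is the default; the restriction
# list is enabled so new shares of this type do not start out open to any
# requester. The server selection script ID is the guide's default value.
Add-QManagedResourceType -Name 'Project Share' `
    -Description 'Project team shares with a restriction list applied' `
    -FullControlAddToGroupID $addToGroup.FullControl `
    -RecipientAddToGroupID $addToGroup.ReadWrite `
    -ServerSelectionScriptID 'QAM-492C2929FD77ED478EA6BA3EB40774C2' `
    -PublishToITShop $true `
    -SetRestrictionList $true `
    -BusinessOwnerType 0

# 3. UID_QAMManagedResourceType is generated by One Identity Manager on save;
# copy it from the new QAMManagedResourceType row into this placeholder.
$typeId = '00000000-0000-0000-0000-0000000000C1'

# 4. One type group permissions object per level, so the Read (0),
# Read Write (1) and Full Control (2) root groups stay distinct.
$permissionLevel = @{ Read = 0; ReadWrite = 1; FullControl = 2 }
foreach ($level in $permissionLevel.Keys) {
    Add-QTypeGroupPermissions -ManagedResourceTypeID $typeId `
        -ManagedGroupTemplateID $rootGroup[$level] `
        -Permissions $permissionLevel[$level]
}
```

After running it, confirm in the Object Browser that QAMTypeGroupPermissions holds exactly three rows for the new type, one per permission value, before publishing the type to the IT Shop.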
