Identity Manager Data Governance Edition 8.1.1 - IT Shop Resource Access Requests User Guide

Group naming patterns

Since organizations have different rules for naming groups, Data Governance Edition allows you to add literal values and variables to the group naming pattern to dynamically construct a new Active Directory group name. Upon creation of the actual group, any variable specified in the pattern is then replaced with actual values to create a unique group name. The default group naming patterns are specified in the Managed group templates used to define the Active Directory groups to be created to fulfill self-service share creation requests. In addition, as part of the approval process, the Data Governance Administrator can edit the group naming pattern for the Active Directory groups to be created.

The default group name patterns provided with Data Governance Edition are:

  • Domain Local group (Full Control): L-[costcenter]-[random]-FC
  • Global group (Full Control): G-[costcenter]-[random]-FC
  • Domain Local group (Read): L-[costcenter]-[random]-R
  • Global group (Read): G-[costcenter]-[random]-R
  • Domain Local group (Read/Write): L-[costcenter]-[random]-RW
  • Global group (Read/Write): G-[costcenter]-[random]-RW

The following variables are defined for use in a group naming pattern to dynamically construct a new Active Directory group name.

Table 2: Group name pattern variables

| Variable | Description |
|---|---|
| [costcenter] | Sample name pattern resolver that retrieves the short name of the cost center associated with the person who made the request. NOTE: If the requestor does not have a cost center assigned, this variable resolves to a blank. |
| [dept] | Sample name pattern resolver that retrieves the short name of the department associated with the person who made the request. NOTE: If the requestor does not have a department assigned, this variable resolves to a blank. |
| [random] | Sample name pattern resolver that generates a random number, between 1 and 999999. |
| [ShareName] | A variable that retrieves the name assigned to the file share. |

Note: To add additional group name pattern resolvers, use the Object Browser (QAMNamePatternResolver) or Windows PowerShell (Add-QNamePatternResolver). For more information, see Name pattern resolvers. For more information on adding and testing scripts, see the One Identity Manager Configuration Guide.

To add a variable to a group naming pattern during the approval process:

  1. On the Permissions page of the New File Share dialog, click Edit to the right of the group name to be changed.
  2. In the Group Name dialog, use the Group name pattern field to construct your naming pattern, which can consist of literal values and variables.

    Note: Variables are enclosed in square brackets [ ] in the Group name pattern field. If you enter a variable that does not exist as a name pattern resolver, it will show as a literal in your group name.

  3. To add a variable, place your cursor within the naming pattern where the variable is to be inserted and enter the variable enclosed in square brackets (for example, [dept]).

    Note: Clicking a variable in the Macro list appends the selected variable to the end of the group naming pattern, regardless of where your cursor is located in the string.

  4. Once you have constructed the naming pattern, click the Resolve button to view the unique Active Directory group name created.
  5. Click OK to save your selection and close the dialog.

    Both the group naming pattern and the resolved group name appear on the Permissions page of the New File Share dialog.
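
The resolution rules described above, modeled offline as an added PowerShell example (not One Identity code, and it does not call Data Governance Edition): it reports the name a pattern would produce and flags variables that resolve to a blank or that have no resolver and therefore stay in the name as literals. The function name Resolve-GroupNamePattern, the sample requestor data, the [region] variable and case-insensitive variable matching are assumptions made for illustration.

```powershell
# Added example: hypothetical helper that models the pattern rules on this page.
function Resolve-GroupNamePattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][hashtable]$Resolvers   # variable name -> scriptblock
    )
    $name = [System.Text.StringBuilder]::new()
    $blank = @(); $unknown = @(); $pos = 0
    foreach ($m in [regex]::Matches($Pattern, '\[([^\[\]]+)\]')) {
        # Copy the literal text that precedes this [variable].
        [void]$name.Append($Pattern.Substring($pos, $m.Index - $pos))
        $var = $m.Groups[1].Value
        if ($Resolvers.ContainsKey($var)) {
            $value = [string](& $Resolvers[$var])
            if ([string]::IsNullOrWhiteSpace($value)) { $blank += $var }
            [void]$name.Append($value)
        } else {
            # No resolver with this name: the text stays in the group name as a literal.
            $unknown += $var
            [void]$name.Append($m.Value)
        }
        $pos = $m.Index + $m.Length
    }
    [void]$name.Append($Pattern.Substring($pos))
    [pscustomobject]@{
        Pattern          = $Pattern
        GroupName        = $name.ToString()
        BlankVariables   = $blank -join ','
        UnknownVariables = $unknown -join ','
    }
}

# Constructed sample data: one requestor with a cost center, one without.
$requestors = @(
    @{ CostCenter = 'CC100'; Dept = 'FIN' }
    @{ CostCenter = '';      Dept = 'FIN' }
)
# First pattern is a default from this page; [region] is a made-up, undefined variable.
$patterns = 'L-[costcenter]-[random]-FC', 'G-[dept]-[region]-R'

foreach ($r in $requestors) {
    $resolvers = @{
        costcenter = { $r.CostCenter }
        dept       = { $r.Dept }
        random     = { Get-Random -Minimum 1 -Maximum 1000000 }   # yields 1..999999
    }
    foreach ($p in $patterns) { Resolve-GroupNamePattern -Pattern $p -Resolvers $resolvers }
}
```

A non-empty BlankVariables or UnknownVariables column marks a name that is worth correcting in the Group Name dialog before the request is approved.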

Name pattern resolvers

Data Governance Edition allows you to define your own name pattern resolver scripts, which define the variables that can be added to a group naming pattern. These variables can then be used when building or modifying managed group templates. In addition, during the approval process, available variables are listed on the Group Name dialog when editing the group naming pattern to dynamically construct unique Active Directory group names for the new managed resource.

By default, the following sample name pattern resolver scripts are provided with Data Governance Edition and are available in the QAMNamePatternResolver table:

  • costcenter
  • dept
  • random

Adding name pattern resolvers

Before you begin
  • Use the Designer to write and compile the name pattern resolver script and commit it to the One Identity Manager database.

    Note: Name pattern resolver scripts must have a particular signature or they will fail at run time. These scripts are functions that take one parameter, the UID of the PersonWantsOrg record for this request, as a string and return a string. For example:

    Public Function Foo(ByVal UID_PersonWantsOrg As String) As String

    The string value returns as UID_QAMNode.

To add a name pattern resolver (Object Browser)

  1. Open the Object Browser.
  2. In the Navigation view, locate and select QAMNamePatternResolver.
  3. In the Name Pattern Resolver result list pane, click the Insert toolbar button or right-click command.
  4. In the new Name Pattern Resolver page, specify the following:

    • UID_DialogScript: Use the drop-down menu to select from a list of previously defined scripts.
    • NamePatternVariable: Enter the name of the variable associated with this script that can be used in the group naming pattern.

    Note: UID_QAMNamePatternResolver: This value is automatically generated by One Identity Manager.

  5. Click the Save toolbar button to save your selections.

    The new name pattern resolver appears in the Name Pattern Resolver result list pane.

To add a name pattern resolver (PowerShell)

  1. If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to add a new name pattern resolver:

    Add-QNamePatternResolver -DialogScriptID <String> -NamePatternVariable <String>

    • DialogScriptID: Enter the ID (GUID format) assigned to the name pattern resolver script when it was created.
    • NamePatternVariable: Enter the name of the variable associated with this script that can be used in the group naming pattern.

For more information, see Name pattern resolver management.

Server selection scripts

Defining where new resources get created can be very complicated and specific to your organization. The Data Governance server allows you to select a managed host or use a server selection script to select the QAMNode to host a new file system share. Creating customized server selection scripts allows you to define the server selection process to be used for selecting the appropriate QAMNode. Available server selection scripts appear on the Server Selection Scripts dialog when the Data Governance Administrator selects to assign a file share host using the script option on the File Share page of the New File Share dialog.

By default, Data Governance Edition provides the following server selection script, which is available in the QAMServerSelectionScript table in One Identity Manager:

  • QAM_RandomNode: Randomly selects a managed host from those that have been specified as target machines (that is, managed hosts that have the IsManagedResourceHost flag set to True).