Since organizations have different rules for naming groups, Data Governance Edition allows you to add literal values and variables to the group naming pattern to dynamically construct a new Active Directory group name. Upon creation of the actual group, any variable specified in the pattern is then replaced with actual values to create a unique group name. The default group naming patterns are specified in the Managed group templates used to define the Active Directory groups to be created to fulfill self-service share creation requests. In addition, as part of the approval process, the Data Governance Administrator can edit the group naming pattern for the Active Directory groups to be created.
The default group name patterns provided with Data Governance Edition are:
The following variables have been defined allowing you to define a group naming pattern to dynamically construct a new Active Directory group name.
Variable | Description
---|---
[costcenter] | Sample name pattern resolver that retrieves the short name of the cost center associated with the person who made the request.
[dept] | Sample name pattern resolver that retrieves the short name of the department associated with the person who made the request.
[random] | Sample name pattern resolver that generates a random number, between 1 and 999999.
[ShareName] | A variable that retrieves the name assigned to the file share.

Note: To add additional group name pattern resolvers, use the Object Browser (QAMNamePatternResolver) or Windows PowerShell (Add-QNamePatternResolver). For more information, see Name pattern resolvers.
To add a variable to a group naming pattern during the approval process:
In the Group Name dialog, use the Group name pattern field to construct your naming pattern, which can consist of literal values and variables.
Note: Variables are enclosed in square brackets [ ] in the Group name pattern field. If you enter a variable that does not exist as a name pattern resolver, it will show as a literal in your group name.
To add a variable, place your cursor within the naming pattern where the variable is to be inserted and enter the variable enclosed in square brackets (for example, [dept]).
Note: Clicking a variable in the Macro list appends the selected variable to the end of the group naming pattern, regardless of where your cursor is located in the string.
Click OK to save your selection and close the dialog.
Both the group naming pattern and the resolved group name appear on the Permissions page of the New File Share dialog.
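A pre-approval check for the behaviour described in the notes above, as an added PowerShell example that is not part of the product or its documentation: it resolves a pattern against sample values and reports any bracketed name that has no resolver, which would otherwise end up as a literal in the group name. The function name Test-GroupNamePattern, the sample values and the case-insensitive variable matching are assumptions.

```powershell
# Added example; Test-GroupNamePattern is a hypothetical helper, not a product cmdlet.
function Test-GroupNamePattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        # Variable name -> value. Hashtable keys match case-insensitively (assumption:
        # the page does not say whether the product treats variable names that way).
        [Parameter(Mandatory)][hashtable]$Resolvers
    )

    $unknown = New-Object 'System.Collections.Generic.List[string]'

    # Substitute each [variable]; a name with no resolver is left in place,
    # which is how it would surface as a literal in the group name.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($match)
        $name = $match.Groups[1].Value
        if ($Resolvers.ContainsKey($name)) { return [string]$Resolvers[$name] }
        $unknown.Add($name)
        return $match.Value
    }
    $resolved = [regex]::Replace($Pattern, '\[([^\[\]]+)\]', $evaluator)

    [pscustomobject]@{
        Pattern           = $Pattern
        ResolvedName      = $resolved
        UnknownVariables  = @($unknown)
        # True when a bracket survives: unknown variable or unbalanced brackets.
        HasLiteralBracket = $resolved -match '[\[\]]'
    }
}

# Constructed sample values standing in for what the resolvers would return.
$sample = @{
    costcenter = 'CC42'
    dept       = 'FIN'
    random     = Get-Random -Minimum 1 -Maximum 1000000   # 1..999999, as documented
    ShareName  = 'Budget2021'
}

# All variables known: resolves cleanly, no brackets remain.
Test-GroupNamePattern -Pattern 'DGE_[dept]_[ShareName]_[random]' -Resolvers $sample

# [department] has no resolver: reported as unknown and left as a literal.
Test-GroupNamePattern -Pattern 'DGE_[department]_[ShareName]' -Resolvers $sample
```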
Data Governance Edition allows you to define your own name pattern resolver scripts, which define the variables that can be added to a group naming pattern. These variables can then be used when building or modifying managed group templates. In addition, during the approval process, available variables are listed on the Group Name dialog when editing the group naming pattern to dynamically construct unique Active Directory group names for the new managed resource.
By default, the following sample name pattern resolver scripts are provided with Data Governance Edition and are available in the QAMNamePatternResolver table:
Use the Designer to write and compile the name pattern resolver script and commit it to the One Identity Manager database.
Note: Name pattern resolver scripts must have a particular signature or they will fail at run time. These scripts are functions that take one parameter, the UID of the PersonWantsOrg record for this request, as a string and return a string. For example:
Public Function Foo(ByVal UID_PersonWantsOrg As String) As String
The string value returns as UID_QAMNode.
To add a name pattern resolver (Object Browser)
In the new Name Pattern Resolver page, specify the following:
NamePatternVariable: Enter the name of the variable associated with this script that can be used in the group naming pattern.
Note: UID_QAMNamePatternResolver: This value is automatically generated by One Identity Manager.
Click the Save toolbar button to save your selections.
The new name pattern resolver appears in the Name Pattern Resolver result list pane.
To add a name pattern resolver (PowerShell)
If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:
Import-Module "<path>"
Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".
Run the following cmdlet to add a new name pattern resolver:
Add-QNamePatternResolver -DialogScriptID <String> -NamePatternVariable <String>
For more information, see Name pattern resolver management.
Defining where new resources get created can be very complicated and specific to your organization. The Data Governance server allows you to select a managed host or use a server selection script to select the QAMNode to host a new file system share. Creating customized server selection scripts allows you to define the server selection process to be used for selecting the appropriate QAMNode. Available server selection scripts appear on the Server Selection Scripts dialog when the Data Governance Administrator selects to assign a file share host using the script option on the File Share page of the New File Share dialog.
By default, Data Governance Edition provides the following server selection script, which is available in the QAMServerSelectionScript table in One Identity Manager:
© 2021 One Identity LLC. ALL RIGHTS RESERVED.