Chat now with support
Chat mit Support

Identity Manager Data Governance Edition 8.1.1 - IT Shop Resource Access Requests User Guide

Introduction Resource access requests Share creation requests Appendix: PowerShell commands

Publishing resources to the IT Shop

Publishing a resource to the IT Shop makes it available for users to request access to it. It also places the resource under governance if it is not already governed.

NOTE: In order for a DFS link, target share path or folder to be placed under governance or published to the IT Shop, both the DFS server hosting the DFS namespace and the share server where the DFS link is pointing to must be added as managed hosts. If the required servers (those that contain DFS security details) are not already managed, a message box appears listing the servers that need to be added as managed hosts. Click the Add managed hosts with default options button to deploy a local agent to the servers listed in the message box and complete the selected operation. Click Cancel to cancel the selected operation and manually add the servers as managed hosts.

Each request is processed by a policy-based approval process, which determines whether access to the data can be assigned or not. Authorized persons, in this case the business owner and group owner, can approve or deny IT Shop requests. The request history also makes it possible to follow who requested what resource and when it was requested, renewed or canceled.

You can quickly see all the resources that have been placed under governance and manage (add and remove) resources in the IT Shop from the Resource browser or Governed data view in the Manager.

You can publish NTFS shares and folders, and SharePoint objects from the site level and below.

NOTE: This functionality is not available for NFS managed hosts.

Note: This functionality is not available for Cloud managed hosts.

To place a resource under governance and publish it to the IT Shop

  1. In the Manager, navigate to the required resource.

    For example, to use the Resource browser:

    1. Select the required managed host from the Managed hosts view.
    2. Double-click to display the Resource browser.
    3. Double-click through the resources to locate the required resource.
  2. Select the required resource and then select the Publish to IT Shop task or right-click command.
  3. In the Publish to IT Shop confirmation dialog, confirm the display name of the selected resource and click Publish Resources.

    When placing a share under governance, you can use the backing folder security or share permissions for self-service resource access requests in the web portal. The Use backing folder security for self-service option is selected by default and uses the backing folder security for the share. Clear this option to use the share permissions for the share.

    When placing a DFS namespace under governance, select the type of security to be used:

    • Use Folder Security: This option is selected by default and uses the backing folder security for self-service resource access requests to this governed resource.
    • Use Share Security: Select this option to use the share permissions for self-service resource access requests to this governed resource.
    • Use DFS Security: Select this option to use the DFS access-based enumeration security for self-service resource access requests to this governed resource.
  4. If the resource has not been assigned a business owner, the Business Owner wizard appears allowing you to assign ownership.
    1. On the Set Business Owner page, select to assign an application role or employee as the owner, optionally enter a justification for the ownership, and click Next.
    2. Click Finish to close the wizard.

Back in the Resource browser, "True" appears in both the Governed Resource and Published to IT Shop columns. The assigned business owner is also added to the Business Owner column. The governed resource is also added to the Governed data view.

Users are now able to request access to the resource from within the web portal and set in motion the request workflow.

To publish a governed resource to the IT Shop

  1. In the Manager, navigate to the governed resource.

    For example, to use the Resource browser:

    1. Select the required managed host from the Managed hosts view.
    2. Double-click to display the Resource browser.
    3. Double-click through the resources to locate the required resource.

    For example, to use the Governed data view.

    1. In the Data Governance navigation view, select Governed data.
    2. Locate the required resource.
  2. Locate and select the governed resource and select the Publish to IT Shop task or right-click command.
  3. In the Publish to IT Shop confirmation dialog, click Yes.
  4. If the resource has not been assigned a business owner, the Business Owner wizard appears allowing you to assign ownership.
    1. On the Set Business Owner page, select to assign an application role or employee as the owner, optionally enter a justification for the ownership, and click Next.
    2. Click Finish to close the wizard.

Back in the Resource browser and Governed data view, "True" appears in Published to IT Shop column. The assigned business owner is also added to the Business Owner column.

To remove a resource from the IT Shop

Removing a resource from the IT Shop, does not remove the item from governance. However, removing a resource from governance removes it from the IT Shop.

  1. Open the Resource browser or Governed data view.
  2. Locate and select the required resource and then select the Unpublish from IT Shop task or right-click command.
  3. Click Yes on the confirmation dialog.
Related Topics

Restricting access to self-service resource access requests

Restricting access to self-service resource access requests

There are various ways of restricting who can see (and consequentially request access to) governed data that has been published to the IT Shop. These include:

  • Defining a restriction list based on organizational structure (department, location or cost center).
  • Explicitly marking groups for exclusion.
  • If the Business Roles module is purchased and installed, defining a restriction list based on business roles.

Note: Ask your Data Governance Administrator to set up a restriction list or mark groups to restrict access to your governed data.

Restriction list based on organizational structure

By defining a restriction list, only those employees who are in the specified departments, cost centers or geographical locations are able to see (and request access to) a governed resource.

Note: Organizational inheritance is not supported. Each required level of an organizational structure must be added to the restriction list.

To restrict access to a resource in the IT Shop (Data Governance Administrator)

  1. In the Manager, open the Governed data view.

    • From the Data Governance navigation view, select Governed data.
    • From the Managed hosts view, navigate to the required managed host, select Governed data from the Tasks view or right-click menu.
  2. Select the required resource and select Change governed resource master data in the Tasks view or right-click menu.
  3. Select Assign organizations in the Tasks view or right-click menu.

    The Organizations assignment page appears, which consists of three tabbed pages (Departments, Locations, and Cost centers) allowing you to select from a list of previously defined organizational assignments.

  4. Use the different tabs to define who can see (and request access to) the selected resource. In the lower pane of the tabbed pages, double-click the departments, locations or cost centers to be assigned to the resource. The employees not assigned through the assignment page are restricted from seeing or accessing the resource through the IT Shop.
  5. When finished with the assignments, click the Save toolbar button.

To restrict access to an owned resource in the IT Shop (Only for Business Owners who also have Data Governance Administrator role)

Note: Business owners who have both the Data Governance | Administrators and Data Governance | Direct Owners application roles assigned, can use the web portal to define who can see and access owned resources.

  1. Log on to the One Identity Manager web portal.
  2. From the menu bar, select Responsibilities | My Responsibilities.
  3. On the My Responsibilities view, select the Governed Data tile.
  4. On the Governed data view, select a governed resource.
  5. Click the Master data tab.
  6. At the bottom of the properties page, click the Assign button to the right of Departments, Locations, or Cost centers.

    Note: You can also restrict access based on Business Roles or One Identity Manager application roles.

  7. In the Assign dialog, use the left pane to select the organizational assignment to be assigned to the selected resource.

    Once selected, the assignment appears in the Assigned pane (right pane) and the icon to the left of the assignment changes to a check mark. To remove an assignment, select the assignment in the Assigned pane. The icon to the left of the assignment changes back to an X and is removed from the Assigned pane.

    Click OK to save your selections and close the Assign dialog.

  8. When finished with the assignments, click the Save button.

Explicit exclusion of groups

You may want to mark certain groups as being ineligible for self-service requests, especially when Data Governance Edition is configured to allow for non-published groups to be presented. In this case, it is possible to mark either specific groups, or all groups within a particular Active Directory container as being ineligible for access requests.

To explicitly exclude groups

Note: Modifying the registry can cause serious issues. Ensure that when making these changes, only the described keys are modified.

  1. On the Data Governance server, navigate to the following registry key using regedit.exe:

    HKEY_LOCAL_MACHINE\Software\One Identity\Broadway\Server\DeploymentData\SelfService\ExclusionByDN

    Note: The "DeploymentData" and "SelfService" subkeys may not exist. If these keys are not present, they should be created.

  2. Beneath the ExclusionByDN key, create string values whose names match the distinguished name of the groups that are to be excluded.

    To exclude an entire container of groups, specify the distinguished name of the container, with an asterisk ("*") prefix. For example to exclude all groups in the Users container of example.com, use the following syntax: "*CN=Users,DC=example,DC=com".

Verwandte Dokumente