
Identity Manager Data Governance Edition 8.1.1 - IT Shop Resource Access Requests User Guide


Granting or denying file system share creation requests

To approve a file share creation request (Employee's Manager)

Note: If an employee does not have a manager assigned, this approval step is bypassed and the request goes directly to the Data Governance Administrator.

  1. Log on to the One Identity Manager web portal.

    All pending requests appear in the following locations in the One Identity Manager web client:

    • Home (Welcome) page: (Pending requests)
    • My Actions page: (Request | My Actions | Pending Requests)
  2. To view a list of all pending requests awaiting your decision, click the Pending requests tile from one of these pages.

    The Pending Requests view appears.

  3. Select the request to be approved. Selecting a request in the left pane displays the request details in the right pane.

  4. Click the Approve button in the Decision column, then click Next.

    The Approvals view appears allowing you to review your decision and enter additional details about your approval decision.

  5. (Optional) On the Approvals view, enter the following details regarding your decision:
    1. Reason for approvals: Enter a reason for approving the requests. This reason applies to all approved requests listed unless there is an individual reason given in the Reason column of an approval.
    2. Standard reason: Select a standard reason from a list of previously defined reasons.

      Note: For more information about defining standard reasons, see the One Identity Manager IT Shop Administration Guide.

    3. Valid from: This is set to immediately and cannot be changed.
    4. Valid until: Does not apply to this type of request. This is set to unlimited and changing the end date has no effect on the request.
    5. Reason: Click Enter a reason to specify a reason for your decision that is specific to the selected request.
  6. Click Save approvals.

Once you make an approval decision, the request disappears from your list of pending requests. To view your approval decisions, select Request | My Actions | Approval History. Selecting this tile displays the Approval History view.

To request additional information about a request

  1. From the Pending Requests view (Request | My Actions | Pending Requests), select the request to which you require additional information.
  2. Click more | Ask for help, located under the request details pane (right pane).

    Clicking this option displays the Submit an inquiry about this request dialog showing a list of employees.

  3. Select an employee who is to receive the question.

    The Submit an inquiry about this request dialog reappears allowing you to enter your question.

  4. Enter your question and click Save to place the request on hold and send your question.

    A message stating the inquiry has been submitted is displayed at the top of the Pending Requests view. In addition, a Query step is added to the workflow in the request's details pane.

  5. If you no longer need additional information about a request, click the Recall last question button. In the Recall last question dialog, enter a reason for recalling the question and click OK.

When you request additional information, a request inquiry is submitted to the recipient. That is, when that employee logs on to the web portal, they see a new action in the Request | My Actions | Request Inquiries action list. In addition, the recipient receives a "Question about a request" email notification with a link to the web portal. From the Request Inquiries view, they can then respond to your question.

To view their response, open the Pending Requests page, select the required request and open the Workflow tab in the details pane.

To revoke a request's hold status

NOTE: Requests for which you have requested additional information remain "on hold" even after the question has been answered. This hold state allows you to review the answer to determine if you have the information needed to approve or deny the request. In order to proceed with the approval workflow, release the request from the hold status.

  1. From the Pending Requests view (Request | My Actions | Pending Requests), select the request you want to release from hold status.
  2. Click the Revoke hold status button.

    Revoking the hold status of a request releases the request for approval or editing by other approvers.

To select where the file share is to be created (Data Governance Administrator)

  1. Log on to the One Identity Manager web portal.

    All pending requests appear in the following locations in the One Identity Manager web client:

    • Home (Welcome) page: (Pending requests)
    • My Actions view: (Request | My Actions | Pending Requests)
  2. To view a list of all pending requests awaiting your decision, select the Pending Requests tile from one of these pages.

    The Pending Requests view appears.

  3. On the Pending Requests view, select the required request.

    Note: If the manager approval step was bypassed, the following warning appears: "Request does not have manager".

  4. Click the Select server and groups button.

    The New File Share dialog appears, which consists of two tabbed pages:

    • File Share: Use this page to select the server to host the file share and the root path for the new file share. You can also specify whether to publish the share to the IT Shop.
    • Permissions: Use this page to specify the group naming pattern to be used for the groups that are created to support the new file share.

    TIP: By default a server host and group naming pattern are selected for you; you can use these pages to change these default selections. However, you must specify the root path in order to proceed. If the OK button at the bottom of the dialog is disabled, ensure that you have selected a root path.

  5. On the File Share page, select the server that is to host the share and the root path for the new file share.

    Note: The server must be an appropriately configured managed host. For more information on configuring a managed host for hosting file shares and adding a share root path, see Setting up share creation requests.

    If you see the following message, "For the domain of the selected File Share host, please specify an Active Directory container in which to create permissions groups and please specify an Active Directory group that will have full control of this new File Share", see the directions provided in Updating managed resource type domain object with full-control group and Active Directory container.

    1. Share Name: This field displays the name specified in the request. If necessary, use this field to rename the share.
    2. Publish to IT Shop: To publish the share to the IT Shop, select the check box. If you do not want the share available to others through the IT Shop, clear the check box. The check box initially reflects the option specified in the request, but you can change it here.
    3. File Share Host: Select one of the following methods for specifying a server to host the file share:
      • Use a script to select a server: This option is selected by default and the system selects a random server based on the QAM_RandomNode script. Click Change to display a list of server selection scripts that can be run to select a different server.
        • In the Server Selection Scripts dialog, locate the script to be run and click Run Script.
        • Once the script has completed, the Result column displays the servers that meet the criteria defined in the script. Select a server from this list and click Close.

        Note: To add server selection scripts to your Data Governance Edition deployment, use the Object Browser (QAMServerSelectionScript) or Windows PowerShell (Add-QServerSelectionScript). For more information, see Server selection scripts.

      • Manually specify the server: To manually select a server, select this option and click Assign or Change to display a list of managed hosts that are flagged as managed resource hosts. 
        • In the Managed host dialog, select a managed host from the list and click Close.

      Note: For DFS managed hosts, if the DFS namespace is not listed, ensure that both the DFS server hosting the DFS namespace and the share server where the DFS link is pointing to have been added as managed hosts. Also, check to ensure that your DFS managed host is flagged as a managed resource host (has the IsManagedResourceHost property set to True).

      The selected server appears on the File Share page. To change your selection, select the option to be used to select the server and click Change.

    4. Root Path: Select a root path under the specified server where the new file share is to be created.
      • Select one of the following options:

        • Select a non-DFS path
        • Select a DFS root path

          Note: If there are no DFS root paths shown in the Browse dialog, check that the QAMDfsTarget table is populated with your DFS paths.

      • Choose a root path for the new file share: Click Assign to display a list of managed share root paths.

        • In the Managed Share Root Path dialog, select a root path and click Close.

        Note: To add or modify share root paths, use the Object Browser (QAMManagedShareRootPaths) or Windows PowerShell (Add-QManagedShareRootPath). For more information, see Creating and specifying share root paths.

      The selected root path appears on the File Share page. To change your selection, click Change.

  6. (Optional) On the Permissions page, specify the naming pattern to be used to build the new groups.

    Note: Click the expansion arrow to the left of the Domain Local group to view the nested Global group.

    1. Click Edit to the right of a group.
    2. In the Group Name dialog, add literal values and variables to define the group naming pattern to be used to create the new Active Directory group.

      Note: See Group naming patterns for more details on defining a group naming pattern and the variables available for use.

    3. Click OK to save your selection and close the dialog. The new pattern appears in the Pattern to dynamically build group name with column.

  7. Click Close to save your selections and close the dialog.
  8. Click the Approve button in the Decision column, then click Next.

    The Approvals view appears allowing you to review your decision and enter additional details about your approval decision.

  9. (Optional) On the Approvals view, enter the following details regarding your decision:
    1. Reason for approval: Enter a reason for approving the requests. This reason applies to all approved requests listed, unless there is an individual reason given in the Reason column of an approval.
    2. Standard reason: Select a standard reason from a list of previously defined reasons.

      Note: For more information about defining standard reasons, see the One Identity Manager IT Shop Administration Guide.

    3. Valid from: This is set to immediately and cannot be changed.
    4. Valid until: Does not apply to this type of request. This is set to unlimited and changing the end date has no effect on the request.
    5. Reason: Click Enter a reason to specify a reason for your decision that is specific to the selected request.
  10. Click Save approvals.

Once you make an approval decision, the request disappears from your list of pending requests. To view your approval decisions, select Request | My Actions | Approval History. Selecting this tile displays the Approval History view.

Once the file share is created, an email is sent to the requestor with the location and name of the new share.

Processing requests for file system share creation

When an employee requests that a new file system share be created through the IT Shop, the request follows a defined approval process that determines whether the share is created.

Default request workflow

  1. An employee uses the web portal IT Shop to make a request for creating a new file system share.
  2. If the employee has a manager assigned, the employee's manager decides if the employee's request should be granted.
  3. The request is then forwarded to the Data Governance Administrator, who specifies the server to host the new share, the root path, and the groups created to provide access to the share.
  4. When a self-service share creation request is successfully processed and approved, the default configuration for creating a file share and granting access through group membership is performed, which includes:

    • Six groups, three Global groups and three Domain Local groups, are created specially for accessing the share. The Global groups are nested within the Domain Local groups, following Microsoft best practices.
      • Domain Local group with Full Control permissions
        • Global group with Full Control permissions
      • Domain Local group with Read permissions
        • Global group with Read permissions
      • Domain Local group with Read/Write permissions
        • Global group with Read/Write permissions
    • User accounts are added into the appropriate Global groups.
    • The share path is created.
    • The file share is created on a Windows server.
    • The ACLs are set appropriately on the share.
  5. If specified as part of the request, the share is published to the IT Shop making it available to other employees.
  6. An email is sent to the requestor with a link to the newly created file share.
  7. If a request is denied, it falls back to the requestor to make another request.
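To confirm that a completed request actually produced the layout described above, the following audit script (an added example, not part of the Data Governance Edition product or its process chain) checks that the six groups exist, that each Global group is nested in its Domain Local group, and that the NTFS ACL of the new share grants access only to the three Domain Local groups and standard administrative principals. The share path, domain name and group name prefixes are assumptions and must match the naming pattern chosen on the Permissions page.

```powershell
# Added audit example, not part of One Identity Manager or Data Governance Edition.
# All names below are assumptions; replace them with the share and naming pattern
# actually used in your deployment.
param(
    [string]$SharePath = '\\FILESRV01\Projects$',   # assumed UNC path from the notification e-mail
    [string]$Domain    = 'CORP',                    # assumed NetBIOS domain name
    [string]$DlPrefix  = 'DL_Projects_',            # assumed result of the Domain Local naming pattern
    [string]$GgPrefix  = 'GG_Projects_'             # assumed result of the Global naming pattern
)
Import-Module ActiveDirectory -ErrorAction Stop

$levels   = 'FullControl', 'Read', 'ReadWrite'
$problems = New-Object System.Collections.Generic.List[string]

foreach ($level in $levels) {
    $dlName = "$DlPrefix$level"
    $ggName = "$GgPrefix$level"
    $dl = Get-ADGroup -Filter "Name -eq '$dlName'" -ErrorAction SilentlyContinue
    $gg = Get-ADGroup -Filter "Name -eq '$ggName'" -ErrorAction SilentlyContinue
    if (-not $dl) { $problems.Add("missing Domain Local group $dlName"); continue }
    if (-not $gg) { $problems.Add("missing Global group $ggName"); continue }
    if ($dl.GroupScope -ne 'DomainLocal') { $problems.Add("$dlName is not a Domain Local group") }
    if ($gg.GroupScope -ne 'Global')      { $problems.Add("$ggName is not a Global group") }
    # AGDLP: the Global group must be a direct member of its Domain Local group.
    $members = Get-ADGroupMember -Identity $dl | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $gg.SamAccountName) {
        $problems.Add("$ggName is not nested in $dlName")
    }
}

# Principals that may legitimately hold Allow entries on the share's NTFS ACL.
# Anything else (for example Everyone or Authenticated Users) is reported.
$allowed = @("$Domain\$DlPrefix*", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$acl = Get-Acl -Path $SharePath
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    $ok = $false
    foreach ($pattern in $allowed) { if ($id -like $pattern) { $ok = $true; break } }
    if (-not $ok) { $problems.Add("unexpected ACE: $id has $($ace.FileSystemRights)") }
}

if ($problems.Count -eq 0) { 'Share ACL and group nesting match the expected layout.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it from a host with the ActiveDirectory module and read access to the share path; every reported line is a deviation from the six-group, Domain Local only layout and warrants a look at the Job Server log for the request.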

Figure 2: QAM Create DGE Managed Resource process chain

Troubleshooting share creation requests

The following topics explain possible causes and resolutions for issues you may encounter when working with self-service share creation requests:

Error logging

When an error is encountered with a self-service file share creation request, review the following logs:

Job Server logs

Errors encountered with the process chain used to process file share creation requests are recorded in the Job Server logs. With a default configuration you can browse these logs by launching a web browser and navigating to a specific URL on the computer hosting the Job Server. The default URL for a Job Server log is: http://JobServerHost:1880/Log.

Web Client log

Errors encountered with the web client IT Shop are recorded to the web client logs.

The web client log files are located in the following directory: C:\inetpub\wwwroot\IdentityManager\App_Data\Logs. This directory contains a series of log files all named with a timestamp. The best way to get the proper one is to replicate the issue and take the file with the most recent timestamp.

Data Governance Service log

Errors encountered using the Windows PowerShell cmdlets are recorded to the Data Governance Service Log.txt, which is located in the program folder: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server.
