Restriction list based on business role
The Business Role module is an optional module that can be purchased with One Identity Manager. If this module is installed (selected on the Module selection page of the Setup wizard), you can restrict identities from seeing (and consequentially requesting access to) governed data that has been published to the IT Shop based on their business role assignments.
By defining a business role restriction list, only those identities who are assigned the selected business roles are able to see and request access to a governed resource.
To restrict access to a resource in the IT Shop (Data Governance Administrator)
-
In the Manager, open the Governed data view.
- From the Data Governance navigation view, select Governed data.
- From the Managed hosts view, navigate to the required managed host, select Governed data from the Tasks view or right-click menu.
- Select the required resource and then select Change governed resource master data in the Tasks view or right-click menu.
-
Select Assign business roles in the Tasks view or right-click menu.
The Business Roles assignment page appears allowing you to select from a list of business roles.
- In the lower pane, double-click the business roles to be assigned to the resource.
- When finished with the assignments, click the Save toolbar button.
To restrict access to an owned resource in the IT Shop (Only for Business Owners who also have Data Governance Administrator role)
Note: Business owners who have both the Data Governance | Administrators and Data Governance | Direct Owners application roles assigned, can use the web portal to define who can see and access owned resources.
- Log on to the One Identity Manager web portal.
- From the menu bar, select Responsibilities | My Responsibilities.
- On the My Responsibilities view, select the Governed Data tile.
- On the Governed data view, select a governed resource.
- Click the Master data tab.
- Click the Assign button to the right of Business Roles.
-
In the Assign dialog, use the left pane to select the business roles to be assigned to the selected resource.
Once selected, the business role appears in the Assigned pane (right pane) and the icon to the left of the business role changes to a check mark. To remove a business role, select the business role from the Assigned pane. The icon to the left of the business role changes back to an X and is removed from the Assigned pane.
Click OK to save your selections and close the Assign dialog.
- When finished with the assignments, click the Save button.
Requesting access to a governed resource
All active identities automatically become members of the Identity & Access Lifestyle shop, which is installed by default, and can therefore make requests, including access requests to governed resources.
File system and SharePoint resources placed under governance and published to the IT Shop are available for self-service requests through the Resource Access service category in the web portal. Selecting the Resource Access service category on the Request page displays a Request page allowing you to request access to governed file system resources or SharePoint resources.
For detailed instructions on how to create resource access requests, see:
Requesting access to a file system resource
Using the IT Shop, you can request access to the following types of file system resources:
- Windows Computer\Share
- NTFS\Folder
- DFS paths
To request access to a file system resource
- Log on to the One Identity Manager web portal.
-
From the Home (Welcome) page, click Start a new request.
The Request view appears, which displays the service categories available.
-
Select the Resource Access service category.
NOTE: By default, the recipient is the identity currently logged into the web portal. To change the recipient list, click Change to the right of the Recipient field. In the Recipient dialog, select the identities to be added to the recipient list. To remove an identity from the recipient list, select their name from the Selected pane at the bottom of the Recipient dialog.
-
Click Request in the Request column to the right of the File system access product.
TIP: You can also select the check box to the left of File system access and click Submit request now button located in the lower right corner of the page..
The Requesting file system access dialog appears, which lists the file system resources that are published to the IT Shop and available for self-service access requests.
By default, the resources appear in a hierarchical tree view. Click the arrow to the left of a folder to expand it and display the resources available. Click the Grid view button to display a list instead of the tree view. Click the Tree view button to redisplay the tree view.
Note: By default, all available resources are shown; however, you can use the Managed host's Assign link to limit the search to a specific managed host.
-
From the tree view or grid view, select one or more resources from the list to add it to the Selected list (right pane). In addition, the icon to the left of a selected resource changes to a check mark. Click OK.
You can also select the Enter resource paths manually check box to enter a resource path (\\servername\foldername). When multiple paths are specified, enter one path per line. Once you have manually entered the resource paths to include in the request, click OK.
Note: To request a DFS Link when Enter resource paths manually checkbox is selected, enter the resource path to the DFS link using UNC format and not the associated DFS path.
-
The My Shopping Cart page appears, which lists the resources selected on the previous page (and any other requests in your shopping cart). This page also contains a details pane allowing you to specify detailed information for each individual request. If no information is entered in the details pane, a read access request with no time limit is created.
Note: To return to your shopping cart (for example, your session times out before you have completed your request submission), select Requests not yet submitted from the Home page. You can also click the shopping cart icon ( ) in the upper right corner of the page and select Shopping Cart.
- To enter details for individual access requests, select a resource from the list (left pane) and enter the following information to complete the access request:
- Access: Select the type of access you are requesting, read or write access.
- Reason: Enter a reason why you are requesting access to the selected resource.
- Priority:
- Valid from: Click the check box and use the calendar and clock controls to specify a start date and time for accessing the selected resource.
-
Valid until: Click the check box and use the calendar and clock controls to specify an end date and time for accessing the selected resource.
Note: To apply the same details to all the resources listed, click the Details tab, enter the reason or valid time frame, and click Apply to all. Click the My Shopping Cart tab to return to your shopping cart requests. This new information is displayed in the details pane when an individual resource request is selected in the left pane.
-
After entering the request details, click the Submit button. Clicking this button validates whether the requestor has the permissions required to make the requests in the shopping cart and submits all the requests for approval processing.
The Shopping Cart page closes and a "The request was successfully submitted" message appears at the top of the My Shopping Cart page.
-
Click View the request history to display the Request History page to track the status of your requests.
NOTE: If you made the request for other identities (that is, changed the recipients list on the Ticket page), click the Advanced search button. Modify the Display requests options by selecting the Tickets submitted by you for others check box and click the Search button.
Requesting access to SharePoint resources
Using the IT Shop, you can request access to the following types of SharePoint resources:
- SharePoint\Resource Item
- SharePoint\Site
- SharePoint\List
- SharePoint\Folder
- SharePoint\List Item
Note: The identity requesting access to a SharePoint resource must have at least one SharePoint user account. This SharePoint user account must have the "Groups can be inherited" option enabled in the Manager ( SharePoint | User accounts (user authentication) | Change master data).
To request access to a SharePoint resource
- Log on to the One Identity Manager web portal.
-
From the Home (Welcome) page, click Start a new request.
The Request view appears, which displays the available service categories.
- Select the Resource Access service category.
NOTE: By default, the recipient is the identity currently logged into the web portal. To change the recipient list, click Change to the right of the Recipient field. In the Recipient dialog, select the identities to be added to the recipient list. To remove an identity from the recipient list, select their name from the Selected pane at the bottom of the Recipient dialog.
-
Click Request in the Request column to the right of the SharePoint access product.
TIP: You can also select the check box to the left of SharePoint access and click the Submit request now button located in the lower right corner of the page.
The Requesting SharePoint access dialog appears, which lists the SharePoint resources that are published to the IT Shop and available for self-service access requests.
Note: By default, all available resources are shown; however, you can use the Managed host's Assign link to limit the search to a specific managed host.
-
Select one or more resources from the list to add it to the Selected list (right pane). In addition to adding the resource to the Selected list, the icon to the left of a selected resource changes to a check mark. Click OK.
-
The My Shopping Cart page appears, which lists the resources selected on the previous page (and any other requests in your shopping cart). This page also contains a details pane allowing you to specify detailed information for each individual request. If no information is entered in the details pane, a read access request with no time limit is created.
Note: To return to your shopping cart (for example, your session times out before you have completed your request submission), select Requests no yet submitted from the Home page. You can also click the shopping cart icon ( ) in the upper right corner of the page and select Shopping Cart.
- To enter details for individual access requests, select a resource from the list (left pane) and enter the following information to complete the access request:
- Access: Select the type of access you are requesting, read or write access.
- Reason: Enter a reason why you are requesting access to the selected resource.
- Valid from: Click the check box and use the calendar and clock controls to specify a start date and time for accessing the selected resource.
-
Valid until: Click the check box and use the calendar and clock controls to specify an end date and time for accessing the selected resource.
Note: To apply the same details to all the resources listed, click the Details tab, enter the reason or valid time frame, and click Apply to all. Click the My Shopping Cart tab to return to your shopping cart requests. This new information is displayed in the details pane when an individual resource request is selected in the left pane.
-
After entering the request details, click the Submit button. Clicking this button validates whether the requestor has the permissions required to make the requests in the shopping cart and submits the requests for approval processing.
The Shopping Cart page closes and a "The request was successfully submitted" message appears at the top of the My Shopping Cart page.
-
Click View the request history to display the Request History page to track the status of your requests.
NOTE: If you made the request for other identities (that is, changed the recipients list on the Ticket page), click the Advanced search button. Modify the Display requests options by selecting the Tickets submitted by you for others check box and click the Search button.