Share creation requests
Using the web portal IT Shop, identities can use the new managed resource feature to request that a file system share be created. Similar to resource access requests, when a file share creation self-service request is successfully processed and approved, the recipient (identity) is added to the specified group and access is granted through this group membership. In addition, if the self-service request indicates that the new share is to be published to the IT Shop, it will be available for other identities to request access to it.
The basic configuration and default process included in this release of Data Governance Edition is meant for creating file system shares in a single domain. This basic configuration fulfills self-service share creation requests by creating new file shares and granting access through group membership, based on Microsoft best practices. For more details on setting up the IT Shop, requesting and approving share creation requests, troubleshooting issues, or customizing the default configuration or process, see:
Setting up share creation requests
As a Data Governance Administrator, perform the following tasks to enable the self-service share creation requests within the One Identity Manager IT shop:
Specifying target machines
Once you have completed the Active Directory synchronization and added your managed hosts, specify the managed hosts that can be used to host a managed resource (for example, file shares created through the IT Shop self-service request functionality).
To identify a managed host as a managed resource host (Object Browser)
- Open the Object Browser.
- In the navigation pane, locate and select QAMNode | Managed Hosts.
- In the Managed Hosts result list pane, select the target managed host.
- Under Simple properties, locate the IsManagedResourceHost property and set the value to True.
- Click the Save toolbar button.
- Repeat for all managed hosts that can host file shares.
To identify a managed host as a managed resource host (PowerShell)
- If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:
Import-Module "<path>"
Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".
- Run the following cmdlet to enable the IsManagedResourceHost property:
Set-QManagedHostProperties -ManagedHostId <String> -IsManagedResourceHost $true
- ManagedHostId: Specify the ID (GUID format) of the managed host whose properties are to be updated.
- IsManagedResourceHost: Changing this value to $true specifies that this managed host can be used to host a managed resource.
Note: You can also enable the IsManagedResourceHost property when adding new managed hosts with the Add-QManagedHostByAccountName PowerShell cmdlet.
Updating managed resource type domain object with full-control group and Active Directory container
For every domain that contains managed hosts flagged as managed resource hosts (managed hosts whose IsManagedResourceHost property is set to True), you need to specify an Active Directory container and a full control group for each managed resource type. In this release, the basic configuration includes only one managed resource type, Simple Share; therefore, in each managed domain, specify the Active Directory container in which new groups are to be created and the group that is to be given full administrative control over the share.
Note: Only groups, containers and domains that have been previously synchronized into the One Identity Manager database are available for use.
Note: Managed resource functions are used by the default process to locate an appropriate Active Directory container, locate suitable job servers for file system operations and implement restriction list processing when creating a new managed resource share. To use custom scripts for any of these functions, see Managed resource functions.
To update a managed resource type domain object (Object Browser)
- Open the Object Browser.
- In the navigation pane, locate and select QAMManagedResourceTypeDomain | Managed Resource Type Domain.
- In the Managed Resource Type Domains result list pane, click the Insert toolbar button or use the right-click Insert command.
- In the new Managed Resource Type Domains page (right pane), specify the managed resource type (Simple Share), the Active Directory domain, the container for new groups, the full control group and, optionally, the file operations server tag (the same values described for the PowerShell parameters below).
- Click the Save toolbar button to save your selections.
The new managed resource type domain object appears in the Managed Resource Type Domains result list pane.
To update a managed resource type domain object (PowerShell)
- If necessary, import the QAM.Client.PowerShell.dll assembly:
Import-Module "<path>"
Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".
- Run the following cmdlet to add a new managed resource type domain:
Add-QManagedResourceTypeDomain -ManagedResourceTypeID <String> -DomainID <String> [-ContainerID [<String>]] -FullControlGroupID <String> [-FileOperationsServerTagID [<String>]]
- ManagedResourceTypeID: Enter the ID assigned to the managed resource type (Simple Share) associated with this object.
- DomainID: Enter the ID assigned to the Active Directory domain this object applies to (UID_ADSDomain in ADSDomain table).
- ContainerID: (Optional) Enter the ID assigned to the Active Directory container to use for managed group creation for the specified managed resource type in the specified Active Directory domain (UID_ADSContainer in ADSContainer table).
- FullControlGroupID: Enter the ID assigned to the full control group to be used to provide administrative access to new file shares that are created.
- FileOperationsServerTagID: (Optional) Enter the value assigned to the Server tag (Server Function) that identifies which job servers can fulfill functions involving file operations. That is, operations involving the creation of folders and shares on managed hosts. Enter the value assigned to the server tag when it was created, which may be an ID, such as QAM-Connector-DGE, for predefined server tags or a GUID for custom server tags. If this parameter is not specified, the Data Governance connector (QAM-Connector-DGE server function) is used. For more information on using a custom script to locate the job server, see Managed resource functions.
For more information, see Managed resource type domain object management.
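As an added example (not part of the One Identity documentation), the PowerShell steps of this section combined into one script: it imports the module from the default path given above, flags several managed hosts as managed resource hosts and registers the Simple Share type domain once. The Test-Guid helper is this example's own, and every ID value is a placeholder to be replaced with the GUIDs from your One Identity Manager database.

```powershell
# Added example: scripted version of the procedure above. Not One Identity code.
# All IDs are placeholders; replace them with values from your own database.
$ErrorActionPreference = 'Stop'   # stop at the first failed cmdlet

# Default location of the assembly on the Data Governance server (see above)
$modulePath = 'C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll'
Import-Module $modulePath

# Managed hosts that are allowed to host self-service file shares (placeholder GUIDs)
$resourceHostIds = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# Values for the managed resource type domain object (placeholders)
$simpleShareTypeId  = '<ManagedResourceTypeID of Simple Share>'
$domainId           = '<UID_ADSDomain of the target domain>'
$containerId        = '<UID_ADSContainer where new groups are created>'
$fullControlGroupId = '<UID of the full control group>'

# Helper (this example's own): reject values that are not GUIDs before calling the cmdlets
function Test-Guid {
    param([string]$Value)
    $parsed = [guid]::Empty
    return [guid]::TryParse($Value, [ref]$parsed)
}

# Step 1: flag every host that may host a managed resource (the "repeat for all hosts" step)
foreach ($hostId in $resourceHostIds) {
    if (-not (Test-Guid $hostId)) {
        throw "ManagedHostId '$hostId' is not in GUID format."
    }
    Set-QManagedHostProperties -ManagedHostId $hostId -IsManagedResourceHost $true
    Write-Verbose "Managed host $hostId flagged as a managed resource host."
}

# Step 2: register the Simple Share type for this domain. ContainerID is optional;
# FileOperationsServerTagID is omitted, so the default Data Governance connector
# (QAM-Connector-DGE) is used for folder and share creation.
Add-QManagedResourceTypeDomain -ManagedResourceTypeID $simpleShareTypeId `
    -DomainID $domainId `
    -ContainerID $containerId `
    -FullControlGroupID $fullControlGroupId
```

Run the script once per managed domain, changing the domain, container and full control group values each time; because the full control group receives administrative access to every share created through the IT Shop, keep its membership deliberately small.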