Identity Manager Data Governance Edition 8.0.1 - IT Shop Resource Access Requests User Guide

Server selection scripts

Defining where new resources get created can be very complicated and specific to your organization. The Data Governance server allows you to select a managed host or use a server selection script to select the QAMNode to host a new file system share. Creating customized server selection scripts allows you to define the server selection process to be used for selecting the appropriate QAMNode. Available server selection scripts appear on the Server Selection Scripts dialog when the Data Governance Administrator selects to assign a file share host using the script option on the File Share page of the New File Share dialog.

By default, Data Governance Edition provides the following server selection script, which is available in the QAMServerSelectionScript table in One Identity Manager:

• QAM_RandomNode: Randomly selects a managed host from those that have been specified as target machines (that is, managed hosts that have the IsManagedResourceHost flag set to True).

Adding server selection scripts

Before you begin

• Use the Designer to write and compile the server selection script and commit it to the One Identity Manager database.

  Note: Server selection scripts must have a particular signature or they will fail at run time. These scripts are functions that take one parameter, the UID of the PersonWantsOrg record for this request, as a string and returns a string. For example: Public Function Foo (UID_PersonWantsOrg As String) As String

To add a server selection script (Object Browser)

1. Open the Object Browser.
2. In the Navigation view, locate and select QAMServerSelectionScript.
3. In the Server Selection Scripts result list pane, click the Insert toolbar button or right-click command.

4. In the new Server Selection Script page, specify the following:

   • UID_DialogScript: Use the drop-down menu to select from a list of previously defined scripts.

   Note: UID_QAMServerSelectionScript: This value is automatically generated by One Identity Manager.

5. Click the Save toolbar button to save your selections.

   The new server selection script appears in the Sever Selection Scripts result list pane.

To add a server selection script (PowerShell)

1. If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:

   Import-Module "<path>"

   Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

2. Run the following cmdlet to add a new server selection script:

   Add-QServerSelectionScript -DialogScriptID <String> [<Common parameters>]

   • DialogScriptID: Enter the ID assigned to the managed resource function script when it was created.

For more information, see Server selection script management.

Managed resource functions

A managed resource function is a One Identity Manager script that can be invoked indirectly by some arbitrary name to satisfy a pre-defined extension point in the business logic. Data Governance Edition provides sample managed resource function records that contain the necessary mappings to perform the following functions which are used in the default process chain (QAM Create DGE Managed Resource) to fulfill self-service requests to managed resources:

• Locate a job server that can process new shares and file paths when creating a new managed resource.
• Locate the Active Directory container ID to be used when creating the new managed resource groups.
• Set a restriction list for managed resource creation.

You can override the default functionality, by mapping a custom script to a predefined managed resource function record. However, each custom script must match the function signature and return the expected object. By doing this, you eliminate the need to modify the existing process chain. If you create a new managed resource function, you are required to create a custom process chain to call the custom managed resource function record.

Before you begin

• If you are writing a custom script, use the Designer to write and compile the managed resource function script and commit it to the One Identity Manager database.

  Note: Managed resource function scripts must have a particular signature or they will fail at run time. These scripts are functions that take one parameter, the UID of the PersonWantsOrg record for this request, as a string and returns an object or null. The type of object returned varies based upon the expectations of the consuming code. It is highly recommended that you look at the sample implementations to see what is expected from the script. Currently all data needed to invoke the function must be resolvable directly or indirectly using the PersonWantsOrg record specified. Table 3: Supported managed resource functions Script name Signature Returns Description LocateFileOperationsJobServer Public Function Func(ByVal UID_PWO As String) As String The UID_QBMServer value identifying an appropriate entry in the QBMServer table. Processor for locating a job server that can process new shares and file paths when creating a new managed resource. ResolveADContainer Public Function Func(ByVal UID_PWO As String) As String The UID_ADSContainer value identifying an appropriate entry in the ADSContainer table. Processor for locating an Active Directory container ID to be used when creating the new managed resource groups. SetRestrictionList Public Sub X(ByVal UID_PWO As String) N/A Subroutine used to set a restriction list for managed resource creation.

To point an existing managed resource function record to a custom script (Object Browser)

The ManagedResourceFunction table contains a mapping between the function name and the script to be run. By overriding the functionality in this manner you do not need to modify the process chain.

1. Open the Object Browser.
2. In the Navigation view, locate and select QAMManagedResourceFunction.
3. From the Managed Resource Function result list, select the managed resource function record to be mapped to the new script. For example, select Simple Share - SetRestrictionList.

4. In the Managed Resource Function page (right pane), specify the following:

   • UID_DialogScript: Use the drop-down menu to select your custom script.
   • UID_QAMManagedResourceType: Do not modify this setting. The function name is unique by ManagedResourceType.
   • Description: (Optional) Enter a new description for the managed resource function record.
   • Name: Do not modify this setting.

   Note: UID_QAMManagedResourceFunction: This value is automatically generated by One Identity Manager and cannot be modified.

5. Click the Save toolbar button to save your selections.

To point an existing managed resource function record to a custom script (PowerShell)

1. If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:

   Import-Module "<path>"

   Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

2. Run the following cmdlet to map a custom script:

   Set-QManagedResourceFunction -Id <String> [-Description [<String>]] -DialogScriptID <String>

   • Id: Enter the value (GUID) assigned to the managed resource function (UID_QAMManagedResourceFunction) to be changed.
   • Description: (Optional) Enter a different description.
   • DialogScriptID: Enter the ID (GUID) assigned to the custom script when it was created in One Identity Manager.

For more information, see Managed resource function management.

Process chain (file system share creation)

One Identity Manager uses process steps (also known as process chains) to represent company workflows. A default process chain is provided to fulfill self-service share creation requests; however, if the workflow defined in the default process does not meet your company's procedures, you can use the Process Editor in the Designer to create a new process or modify the default process chains. In order to fulfill self-service share creation requests, the following process chain is provided:

• QAM Create DGE Managed Resource: Defines the process steps for validating the creation parameters, and creating the groups and file share once the request has been approved.

To modify the file share creation process chain

1. Use the Process Editor to copy the default process.

   1. From the navigation pane, select Process Orchestration and expand Processes to locate target process.

      • PersonWantsOrg | QAM Create DGE Managed Resource

   2. Right-click and select Navigation | Process Editor | Edit process or click the Edit process task in the far right pane.

      The current process is loaded and displayed in the process editor.

2. Use the Process | Copy menu command to make a copy of the original process chain.

   The Copy process wizard appears. Ensure the following copy options are selected on the first page:

   • Rename process steps
   • Copy events
   • Disable source process

   Enter the requested information (for example, name of the new process and names for the process steps).

3. Modify the process chain as required and save your selections.

For more information on modifying process chains, see the One Identity Manager Configuration Guide.

Appendix: PowerShell commands

Data Governance Edition provides Windows PowerShell cmdlets to manually manage resources used in the file system share creation feature.

• Adding the PowerShell snap-ins
• Self-service request information
• Managed resource information
• Managed resource type management
• Managed resource type domain object management
• Group template management
• Name pattern resolver management
• Server selection script management
• Share root path management
• Type group permissions object management
• Managed resource function management