Using the web portal IT Shop, employees can use the new managed resource feature to request that a file system share be created. Similar to resource access requests, when a file share creation self-service request is successfully processed and approved, the recipient (employee) is added to the specified group and access is granted through this group membership. In addition, if the self-service request indicates that the new share is to be published to the IT Shop, it will be available for other employees to request access to it.

The basic configuration and default process included in this release of Data Governance Edition is meant for creating file system shares in a single domain. This basic configuration fulfills self-service share creation requests by creating new file shares and granting access through group membership, based on Microsoft best practices. For more details on setting up the IT Shop, requesting and approving share creation requests, troubleshooting issues, or customizing the default configuration or process, see:

Setting up share creation requests

Share creation requests > Setting up share creation requests

As a Data Governance Administrator, perform the following tasks to enable the self-service share creation requests within the One Identity Manager IT shop:

Run a full Active Directory synchronization to map and synchronize target domains and containers in One Identity Manager. For more information on performing an Active Directory synchronization, see the One Identity Manager Administration Guide for Connecting to Active Directory.

Note: The synchronization base object in Active Directory requires Read and Write access rights.
Specify the managed hosts that can be used to host managed resources (file shares). For more information, see Specifying target machines.
For every managed domain, specify an Active Directory container and a full control group where groups created by Data Governance Edition for managed resources will be stored. For more information, see Updating managed resource type domain object with full-control group and Active Directory container.
Create and specify the share root paths where new file shares are to be created. For more information, see Creating and specifying share root paths.
(Optional) Enable the creation of a restriction list based on the organizational properties of the requester's Person record. For more information, see Restricting access to managed resources.

Specifying target machines

Share creation requests > Setting up share creation requests > Specifying target machines

Once you have completed the Active Directory synchronization and added your managed hosts, specify the managed hosts that can be used to host a managed resource (for example, file shares created through the IT Shop self-service request functionality).

To identify a managed host as a managed resource host (Object Browser)

Open the Object Browser.
In the navigation pane, locate and select QAMNode | Managed Hosts.
In the Managed Hosts result list pane, select the target managed host.
Under Simple properties, locate the IsManagedResourceHost property and set the value to True.
Click the Save toolbar button.
Repeat for all managed hosts that can host file shares.

To identify a managed host as a managed resource host (PowerShell)

If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:

Import-Module "<path>"

Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".
Run the following cmdlet to enable the IsManagedResourceHost property:

Set-QManagedHostProperties -ManagedHostId <String> -IsManagedResourceHost $true
- ManagedHostId: Specify the ID (GUID format) of the managed host whose properties are to be updated.
- IsManagedResourceHost: Changing this value to $true specifies that this managed host can be used to host a managed resource.

Note: You can also enable the IsManagedResourceHost property when adding new managed hosts using the Add-QManagedHostByAccountName Powershell cmdlet.

Updating managed resource type domain with full control group and Active Directory container

Share creation requests > Setting up share creation requests > Updating managed resource type domain with full control group and Active Directory container

Updating managed resource type domain object with full-control group and Active Directory container

For every domain where you have managed hosts flagged as managed resource hosts (managed hosts that have the IsManagedResourceHost property set to True), you need to specify an Active Directory container and a full control group for each managed resource type. In this release, the basic configuration includes only one managed resource type, Simple Share; therefore, in each managed domain, specify the Active Directory container where new groups are to be created and specify the group to be given full administrative control to the share.

Note: Only groups, containers and domains that have been previously synchronized into the One Identity Manager database are available for use.

NOTE: Managed resource functions are used by the default process to locate an appropriate Active Directory container, locate suitable job servers for file system operations and implement restriction list processing when creating a new managed resource share. To use custom scripts for any of these functions, see Managed resource functions.

To update a managed resource type domain object (Object Browser)

Open the Object Browser.
In the Navigation view, locate and select QAMManagedResourceTypeDomain | Managed Resource Type Domain.
In the Managed Resource Type Domains result list pane, click the Insert toolbar button or right-click command.
In the new Managed Resource Type Domains page (right pane), specify the following:
- UID_ADSContainer: Use the drop-down menu to select the Active Directory container to use for managed group creation for a given managed resource type in the specified Active Directory domain.
- UID_ADSDomain: Use the drop-down menu to select the Active Directory domain this object applies to.
- UID_FileOperationsServerTag: Use the drop-down menu to select the Server tag (Server Function) that identifies which job servers can fulfill functions involving file operations. That is, operations involving the creation of folders and shares on managed hosts. If this parameter is not specified, the Data Governance connector (QAM-Connector-DGE server function) is used. For more information on using a custom script to locate the job server, see Managed resource functions.
- UID_FullControlGroup: Use the drop-down menu to select the full control group to be used to provide administrative access to new file shares that are created.
- UID_QAMManagedResourceType: Use the drop-down menu to select the managed resource type. By default, Simple Share is the only value available.
Click the Save toolbar button to save your selections.

The new managed resource type domain object appears in the Managed Resource Type Domains result list pane.

To update a managed resource type domain object (PowerShell)

If necessary, import the QAM.Client.PowerShell.dll assembly:

Import-Module "<path>"

Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".
Run the following cmdlet to add a new managed resource type domain:

Add-QManagedResourceTypeDomain -ManagedResourceTypeID <String> -DomainID <String> [-ContainerID [<String>]] -FullControlGroupID <String> [-FileOperationsServerTagID [<String>]]
- ManagedResourceTypeID: Enter the ID assigned to the managed resource type (Simple Share) associated with this object.
- DomainID: Enter the ID assigned to the Active Directory domain this object applies to (UID_ADSDomain in ADSDomain table).
- ContainerID: (Optional) Enter the ID assigned to the Active Directory container to use for managed group creation for the specified managed resource type in the specified Active Directory domain (UID_ADSContainer in ADSContainer table)
- FullControlGroupID: Enter the ID assigned to the full control group to be used to provide administrative access to new file shares that are created.
- FileOperationsServerTagID: (Optional) Enter the value assigned to the Server tag (Server Function) that identifies which job servers can fulfill functions involving file operations. That is, operations involving the creation of folders and shares on managed hosts. Enter the value assigned to the server tag when it was created, which may be an ID, such as QAM-Connector-DGE, for predefined server tags or a GUID for custom server tags. If this parameter is not specified, the Data Governance connector (QAM-Connector-DGE server function) is used. For more information on using a custom script to locate the job server, see Managed resource functions.
For more information, see Managed resource type domain object management.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Identity Manager Data Governance Edition 8.0.1 - IT Shop Resource Access Requests User Guide

Share creation requests

Setting up share creation requests

Specifying target machines

Updating managed resource type domain with full control group and Active Directory container

Updating managed resource type domain object with full-control group and Active Directory container