
Identity Manager Data Governance Edition 8.0 - IT Shop Resource Access Requests User Guide


Managed resource types

A managed resource type contains various default settings for a type, which is a logical distinction that can be used to refine the concept of a "file share" into different business specific groupings.

By default, a single managed resource type, Simple Share, is provided with Data Governance Edition. The settings for the Simple Share managed resource type can be found in the QAMManagedResourceType table in One Identity Manager. Take note of the following settings:

  • Default server selection script: This setting specifies the default server selection script to be used to determine an eligible server to create the new file share on. Default value: QAM-492C2929FD77ED478EA6BA3EB40774C2

    Note: If this parameter is not specified, no script is run and during the approval process, the Data Governance Administrator must manually select a target managed host.

  • Full control add to group: This setting points to the managed group template being used to create the Active Directory group where the full control group is to be added to provide administrative access to a new share when it is created. Default value: G-[costcenter]-[random]-FC

    Note: If this parameter is not specified, the specified full control group is not added to the Active Directory group that provides administrative control for the new file share when it is created.

  • Recipient add to group: This setting points to the managed group template being used to create the Active Directory group where the recipient will be added to provide access to a new share when it is created. Default value: G-[costcenter]-[random]-RW

    Note: If this parameter is not specified, the recipient will not be added to the group when it is created and will be denied access to the newly created file share. The recipient can use the IT Shop to request access to the new file share, which will also set this value.

Note: If you are using the Simple Share managed resource type and need to modify the default settings, use the Object Browser (QAMManagedResourceType) or Windows PowerShell (Set-QManagedResourceType).

The "Simple Share" managed resource type is used in a pre-generation step in the current process chain. Therefore, it is recommended that you do not rename or remove this managed resource type. If you change the name of this managed resource type, you need to modify the process chain, either removing or modifying this pre-generation check step as appropriate.

Note: If you are adding a new managed resource type, you must implement your own IT Shop product and process chain. The current configuration and process chain are intended for creating new file shares.

Adding a resource type

Before you begin:

To add a resource type (Object Browser)

  1. Open the Object Browser.
  2. In the Navigation view, locate and select QAMManagedResourceType.
  3. In the Managed Resource Type result list pane, click the Insert tool bar button or right-click command.
  4. In the new Managed Resource Type page, specify the following:

    • UID_ContainerAERole: (Optional) Specify the name of the parent container where newly created roles are to be stored when the business owner type is set to role-based (value of 0). If this parameter is not specified, no parent container is created. When no parent container is specified, all roles created are placed under the "Data Governance" role.

      NOTE: The default configuration has a parent role called "Managed Resources" set as the default.
    • UID_DefaultSelctionScript: Use the drop-down menu to select the default server selection script to be used to determine an eligible server to create the share on.
    • UID_FullCtrAddToGroup: Use the drop-down menu to select the managed group template being used to create the Active Directory group where the full control group will be added to provide administrative control over new shares that are created.
    • UID_RecipientAddToGroup: Use the drop-down menu to select the managed group template being used to create the Active Directory group where the recipient will be added to provide access to a new share when it is created.
    • BusinessOwnerType: By default, the business ownership for a managed resource is set to Role. Use the drop-down menu to change this to Person if necessary.

      NOTE: If you used the managed resource functionality to create simple shares in Data Governance Edition version 7.0.1, the default is set to Person.

      The Role default setting is only used for new Data Governance Edition version 7.0.2 (or higher) installations and for upgraded installations if the managed resource functionality was never used.

    • Description: (Optional) Enter a description for the managed resource type.
    • Name: Enter the name to be assigned to the managed resource type.
    • PublishToITShop: Indicate whether the managed resource should be added to the IT Shop after it is created.
    • SetRestrictionList: This is set to False by default, indicating that no restriction list is associated with managed resources of this type when they are created. Use the drop-down menu to change this to True if you want to set a restriction list for managed resources of this type when they are created. For more information on the default restriction list or on implementing a custom restriction list, see Restricting access to managed resources.

    Note: UID_QAMManagedResourceType: This value is automatically generated by One Identity Manager.

  5. Click the Save tool bar button to save your selections.

    The newly created managed resource type appears in the Managed Resource Types result list pane.

To add a managed resource type (PowerShell)

  1. If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to add a new managed resource type:

    Add-QManagedResourceType -Name <String> [-Description [<String>]] [-FullControlAddToGroupID [<String>]] [-RecipientAddToGroupID [<String>]] [-PublishToITShop [<Boolean>]] [-SetRestrictionList [<Boolean>]] [-ServerSelectionScriptID [<String>]] [-ContainerAERole [<String>]] [-BusinessOwnerType [<Int32>]]

    • Name: Enter the name to be assigned to the managed resource type.
    • Description: (Optional) Enter a description for the managed resource type.
    • FullControlAddToGroupID: Specify the ID (GUID format) for the managed group template used to create the full control group.
    • RecipientAddToGroupID: Specify the ID (GUID format) for the managed group template used to create the group where the recipient is to be added to.
    • PublishToITShop: Specify this parameter if you want the managed resource published to the IT Shop after it is created.
    • SetRestrictionList: This is set to false by default, indicating that no restriction list is associated with this type of managed resource. Specify this parameter with a value of $true to set a restriction list for this type of managed resource after a resource is created. For more information on the default restriction list or on implementing a custom restriction list, see Restricting access to managed resources.
    • ServerSelectionScriptID: Specify the ID of the server selection script to be used to determine an eligible server to create the share on.
    • ContainerAERole: (Optional) Specify the name of the parent container where newly created roles are to be stored when the business owner type is set to role-based (value of 0). If this parameter is not provided, no parent container is created. When no parent container is specified, all roles created are placed under the "Data Governance" role.

      NOTE: The default configuration has a parent role called "Managed Resources" set as the default.
    • BusinessOwnerType: By default, this is set to role-based ownership (value of 0). Specify this parameter with a value of 1 to change the business ownership to person-based.

      NOTE: If you used the managed resource functionality to create simple shares in Data Governance Edition version 7.0.1, the default is set to Person.

      The Role default setting is only used for new Data Governance Edition version 7.0.2 (or higher) installations and for upgraded installations if the managed resource functionality was never used.

For more information, see Managed resource type management.

Next steps:

Type group permissions objects

Once you have built your group hierarchies (managed group templates) and defined your managed resource types (Simple Share in default configuration), you must link the required permissions object to define the root level group for creating a managed resource.

By default, Data Governance Edition has defined the following group permission objects, which are available in the QAMTypeGroupPermissions table in One Identity Manager:

  • L-[costcenter]-[random]-FC - Simple Share
  • L-[costcenter]-[random]-R - Simple Share
  • L-[costcenter]-[random]-RW - Simple Share

Adding a type group permissions object

Before you begin:

To add a type group permissions object (Object Browser)

  1. Open the Object Browser.
  2. In the Navigation view, locate and select QAMTypeGroupPermissions.
  3. In the Type Group Permissions result list pane, click the Insert tool bar button or right-click command.
  4. In the new Type Group Permissions page, specify the following:

    • UID_QAMManagedGroupTemplate: Use the drop-down menu to select the managed group template to be used to create the root level group for a managed resource.

    • UID_QAMManagedResourceType: Use the drop-down menu to select the managed resource type to be associated with this object.
    • Permission: Use the drop-down menu to select the type of permission: Read, Read Write, or Full Control.
  5. Click the Save tool bar button to save your selections.

    The new type group permissions object appears in the Type Group Permissions result list pane.

To add a type group permissions object (PowerShell)

  1. If necessary, import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to add a new type permissions object:

    Add-QTypeGroupPermissions -ManagedResourceTypeID <String> -ManagedGroupTemplateID <String> [-Permissions [<Int32>]]

    • ManagedResourceTypeID: Enter the ID of the managed resource type this object is to be associated with.
    • ManagedGroupTemplateID: Enter the ID of the managed group template to be used to create the root level group for a managed resource.
    • Permissions: Specify the type of permission to be assigned:
      • 0: Read (Default)
      • 1: Read Write
      • 2: Full Control

For more information, see Type group permissions object management.
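The two PowerShell procedures above combined into one script, as an added example that is not One Identity's own sample code: it creates a custom managed resource type and then links one type group permissions object per permission level to it. The template and type UIDs are placeholders to replace with values from your database; the parameter value forms follow the cmdlet syntax shown above.

```powershell
# Added example (not Data Governance Edition sample code): create a custom
# managed resource type and link its root-level permission groups.
Import-Module "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll"

# Placeholders: replace with the UID_QAMManagedGroupTemplate values of the
# managed group templates in your One Identity Manager database.
$globalFcTemplate = '<UID of G-[costcenter]-[random]-FC template>'
$globalRwTemplate = '<UID of G-[costcenter]-[random]-RW template>'
$localTemplates = @{
    0 = '<UID of L-[costcenter]-[random]-R template>'    # 0 = Read
    1 = '<UID of L-[costcenter]-[random]-RW template>'   # 1 = Read Write
    2 = '<UID of L-[costcenter]-[random]-FC template>'   # 2 = Full Control
}

# Create the type. The server selection script ID is the default from this
# page; BusinessOwnerType 0 is role-based ownership; SetRestrictionList $true
# attaches a restriction list to each resource of this type after creation.
Add-QManagedResourceType -Name 'Project Share' `
    -Description 'Team project shares requested through the IT Shop' `
    -FullControlAddToGroupID $globalFcTemplate `
    -RecipientAddToGroupID $globalRwTemplate `
    -PublishToITShop $true `
    -SetRestrictionList $true `
    -ServerSelectionScriptID 'QAM-492C2929FD77ED478EA6BA3EB40774C2' `
    -BusinessOwnerType 0

# UID_QAMManagedResourceType is generated by One Identity Manager: read it
# from the QAMManagedResourceType table after creation and paste it here.
$typeId = '<UID_QAMManagedResourceType of Project Share>'

# One QAMTypeGroupPermissions object per permission level, mirroring the
# three default objects defined for Simple Share.
foreach ($permission in $localTemplates.Keys) {
    Add-QTypeGroupPermissions -ManagedResourceTypeID $typeId `
        -ManagedGroupTemplateID $localTemplates[$permission] `
        -Permissions $permission
}
```

As the note under Managed resource types states, a new type such as this one still needs its own IT Shop product and process chain before requests can be fulfilled.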

Group naming patterns

Since organizations have different rules for naming groups, Data Governance Edition allows you to add literal values and variables to the group naming pattern to dynamically construct a new Active Directory group name. Upon creation of the actual group, any variable specified in the pattern is then replaced with actual values to create a unique group name. The default group naming patterns are specified in the Managed group templates used to define the Active Directory groups to be created to fulfill self-service share creation requests. In addition, as part of the approval process, the Data Governance Administrator can edit the group naming pattern for the Active Directory groups to be created.

The default group name patterns provided with Data Governance Edition are:

  • Domain Local group (Full Control): L-[costcenter]-[random]-FC
  • Global group (Full Control): G-[costcenter]-[random]-FC
  • Domain Local group (Read): L-[costcenter]-[random]-R
  • Global group (Read): G-[costcenter]-[random]-R
  • Domain Local group (Read/Write): L-[costcenter]-[random]-RW
  • Global group (Read/Write): G-[costcenter]-[random]-RW

The following variables are defined, allowing you to build a group naming pattern that dynamically constructs a new Active Directory group name.

Table 2: Group name pattern variables

  • [costcenter]: Sample name pattern resolver that retrieves the short name of the cost center associated with the person who made the request.

    NOTE: If the requestor does not have a cost center assigned, this variable resolves to a blank.

  • [dept]: Sample name pattern resolver that retrieves the short name of the department associated with the person who made the request.

    NOTE: If the requestor does not have a department assigned, this variable resolves to a blank.

  • [random]: Sample name pattern resolver that generates a random number between 1 and 999999.
  • [ShareName]: A variable that retrieves the name assigned to the file share.

Note: To add additional group name pattern resolvers, use the Object Browser (QAMNamePatternResolver) or Windows PowerShell (Add-QNamePatternResolver). For more information, see Name pattern resolvers. For more information on adding and testing scripts, see the One Identity Manager Configuration Guide.

To add a variable to a group naming pattern during the approval process:

  1. On the Permissions page of the New File Share dialog, click Edit to the right of the group name to be changed.
  2. On the Group Name dialog, use the Group name pattern field to construct your naming pattern, which can consist of literal values and variables.

    Note: Variables are enclosed in square brackets [ ] in the Group name pattern field. If you enter a variable that does not exist as a name pattern resolver, it will show as a literal in your group name.

  3. To add a variable, place your cursor within the naming pattern where the variable is to be inserted and enter the variable enclosed in square brackets (for example, [dept]).

    Note: Clicking a variable in the Macro list appends the selected variable to the end of the group naming pattern, regardless of where your cursor is located in the string.

  4. Once you have constructed the naming pattern, click the Resolve button to view the unique Active Directory group name created.
  5. Click OK to save your selection and close the dialog.

    Both the group naming pattern and the resolved group name appear on the Permissions page of the New File Share dialog.
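To make the resolution rules concrete, here is an added example (not the product's resolver; Data Governance Edition runs its QAMNamePatternResolver scripts against the real request) that applies the Table 2 rules to a pattern: known variables are replaced, a missing cost center or department resolves to blank, and a variable with no resolver stays in the name as a literal. The request data is constructed for the example.

```powershell
# Added example: stand-alone re-implementation of the pattern rules described
# on this page. Not Data Governance Edition code.

# Constructed sample request data (in the product this comes from the
# PersonWantsOrg record and the requestor's Person record).
$request = @{
    CostCenter = 'CC100'
    Department = ''          # requestor has no department: resolves to blank
    ShareName  = 'ProjectX'
}

# Resolver table: variable name -> script block returning the value.
$resolvers = @{
    costcenter = { param($r) $r.CostCenter }
    dept       = { param($r) $r.Department }
    random     = { param($r) Get-Random -Minimum 1 -Maximum 1000000 }  # 1..999999
    ShareName  = { param($r) $r.ShareName }
}

function Resolve-GroupNamePattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][hashtable]$Request,
        [hashtable]$Resolvers = $resolvers
    )
    $out = New-Object System.Text.StringBuilder
    $pos = 0
    # Walk every [variable] token left to right; literal text is copied as-is.
    foreach ($m in [regex]::Matches($Pattern, '\[([^\[\]]+)\]')) {
        [void]$out.Append($Pattern.Substring($pos, $m.Index - $pos))
        $name = $m.Groups[1].Value
        if ($Resolvers.ContainsKey($name)) {
            $sb = $Resolvers[$name]
            [void]$out.Append([string](& $sb $Request))
        } else {
            # No resolver for this variable: it shows as a literal in the name.
            [void]$out.Append($m.Value)
        }
        $pos = $m.Index + $m.Length
    }
    [void]$out.Append($Pattern.Substring($pos))
    $out.ToString()
}

# Default Read/Write global group pattern, e.g. G-CC100-482913-RW
Resolve-GroupNamePattern -Pattern 'G-[costcenter]-[random]-RW' -Request $request
# Blank department and an unresolved variable: L--ProjectX-[unknown]-R
Resolve-GroupNamePattern -Pattern 'L-[dept]-[ShareName]-[unknown]-R' -Request $request
```

The second call shows why the blank-value notes in Table 2 matter: a pattern that relies on an attribute the requestor lacks produces a name with an empty segment, which is worth checking with the Resolve button before approving.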

Name pattern resolvers

Data Governance Edition allows you to define your own name pattern resolver scripts, which define the variables that can be added to a group naming pattern. These variables can then be used when building or modifying managed group templates. In addition, during the approval process, available variables are listed on the Group Name dialog when editing the group naming pattern to dynamically construct unique Active Directory group names for the new managed resource.

By default, the following sample name pattern resolver scripts are provided with Data Governance Edition and are available in the QAMNamePatternResolver table:

  • costcenter
  • dept
  • random

Adding name pattern resolvers

Before you begin
  • Use the Designer to write and compile the name pattern resolver script and commit it to the One Identity Manager database.

    Note: Name pattern resolver scripts must have a particular signature or they will fail at run time. These scripts are functions that take one parameter, the UID of the PersonWantsOrg record for this request, as a string and return a string. For example:

    Public Function Foo(ByVal UID_PersonWantsOrg As String) As String

    The string value returns as UID_QAMNode.

To add a name pattern resolver (Object Browser)

  1. Open the Object Browser.
  2. In the Navigation view, locate and select QAMNamePatternResolver.
  3. In the Name Pattern Resolver result list pane, click the Insert tool bar button or right-click command.
  4. In the new Name Pattern Resolver page, specify the following:

    • UID_DialogScript: Use the drop-down menu to select from a list of previously defined scripts.
    • NamePatternVariable: Enter the name of the variable associated with this script that can be used in the group naming pattern.

    Note: UID_QAMNamePatternResolver: This value is automatically generated by One Identity Manager.

  5. Click the Save tool bar button to save your selections.

    The new name pattern resolver appears in the Name Pattern Resolver result list pane.

To add a name pattern resolver (PowerShell)

  1. If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:

    Import-Module "<path>"

    Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".

  2. Run the following cmdlet to add a new name pattern resolver:

    Add-QNamePatternResolver -DialogScriptID <String> -NamePatternVariable <String>

    • DialogScriptID: Enter the ID (GUID format) assigned to the name pattern resolver script when it was created.
    • NamePatternVariable: Enter the name of the variable associated with this script that can be used in the group naming pattern.

For more information, see Name pattern resolver management.
