Identity Manager Data Governance Edition 8.0 - User Guide


Restricting access to self-service resource access requests

There are various ways of restricting who can see (and consequently request access to) governed data that has been published to the IT Shop. These include:

  • Defining a restriction list based on organizational structure (department, location or cost center).
  • Explicitly marking groups for exclusion.
  • If the Business Roles module is purchased and installed, defining a restriction list based on business roles.

Note: Ask your Data Governance Administrator to set up a restriction list or mark groups to restrict access to your governed data.

Restriction list based on organizational structure

By defining a restriction list, only those employees who are in the specified departments, cost centers or geographical locations are able to see (and request access to) a governed resource.

Note: Organizational inheritance is not supported. Each required level of an organizational structure must be added to the restriction list.

To restrict access to a resource in the IT Shop (Data Governance Administrator)

  1. In the Manager, open the Governed data view.

    • From the Data Governance navigation view, select Governed data.
    • From the Managed hosts view, navigate to the required managed host and select Governed data from the Tasks view or right-click menu.
  2. Select the required resource and select Change governed resource master data in the Tasks view or right-click menu.
  3. Select Assign organizations in the Tasks view or right-click menu.

    The Organizations assignment page appears, which consists of three tabbed pages (Departments, Locations, and Cost centers) allowing you to select from a list of previously defined organizational assignments.

  4. Use the different tabs to define who can see (and request access to) the selected resource. In the lower pane of the tabbed pages, double-click the departments, locations or cost centers to be assigned to the resource. The employees not assigned through the assignment page are restricted from seeing or accessing the resource through the IT Shop.
  5. When finished with the assignments, click the Save tool bar button.

To restrict access to an owned resource in the IT Shop (only for Business Owners who also have the Data Governance Administrator role)

Note: Business owners who have both the Data Governance\Administrators and Data Governance\Direct Owners application roles assigned can use the web portal to define who can see and access owned resources.

  1. Log on to the One Identity Manager web portal.
  2. From the menu bar, select Responsibilities | My Responsibilities.
  3. On the My Responsibilities view, select the Governed Data tile.
  4. On the Governed Data view, select a governed resource.
  5. Click the Master data tab.
  6. At the bottom of the properties page, click the Assign button to the right of Departments, Locations, or Cost centers.

    Note: You can also restrict access based on Business Roles or One Identity Manager application roles.

  7. On the Assign dialog, use the left pane to select the organizational assignment to be assigned to the selected resource.

    Once selected, the assignment appears in the Assigned pane (right pane) and the icon to the left of the assignment changes to a check mark. To remove an assignment, select the assignment in the Assigned pane. The icon to the left of the assignment changes back to an X and is removed from the Assigned pane.

    Click OK to save your selections and close the Assign dialog.

  8. When finished with the assignments, click the Save button.

Explicit exclusion of groups

You may want to mark certain groups as being ineligible for self-service requests, especially when Data Governance Edition is configured to allow for non-published groups to be presented. In this case, it is possible to mark either specific groups, or all groups within a particular Active Directory container as being ineligible for access requests.

To explicitly exclude groups

Note: Modifying the registry can cause serious issues. Ensure that when making these changes, only the described keys are modified.

  1. On the Data Governance server, navigate to the following registry key using regedit.exe:

    HKEY_LOCAL_MACHINE\Software\One Identity\Broadway\Server\DeploymentData\SelfService\ExclusionByDN

    Note: The "DeploymentData" and "SelfService" subkeys may not exist. If these keys are not present, they should be created.

  2. Beneath the ExclusionByDN key, create string values whose names match the distinguished name of the groups that are to be excluded.

    To exclude an entire container of groups, specify the distinguished name of the container with an asterisk ("*") prefix. For example, to exclude all groups in the Users container of example.com, use the following syntax: "*CN=Users,DC=example,DC=com".
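The two steps above can also be scripted from an elevated PowerShell session on the Data Governance server. This script is an added example and is not part of the One Identity documentation; the key path is the one documented above, the group DNs are constructed sample values, and leaving the value data empty is an assumption, since the guide only specifies the value name.

```powershell
# Added example (not One Identity's own code): create the documented
# ExclusionByDN key if it is missing and add one string value per excluded DN.
# Run in an elevated PowerShell session on the Data Governance server.

$exclusionKey = 'HKLM:\Software\One Identity\Broadway\Server\DeploymentData\SelfService\ExclusionByDN'

# Constructed sample entries: one explicit group DN and one whole container
# (asterisk prefix), using the syntax described in the step above.
$excludedDns = @(
    'CN=Sample Privileged Group,OU=Groups,DC=example,DC=com',
    '*CN=Users,DC=example,DC=com'
)

# Create only the documented key path. -Force also creates the missing
# "DeploymentData" and "SelfService" parent keys without touching sibling keys.
if (-not (Test-Path -Path $exclusionKey)) {
    New-Item -Path $exclusionKey -Force | Out-Null
}

foreach ($dn in $excludedDns) {
    # The guide specifies only the value *name*; the value data is left empty
    # here (an assumption, since the documentation does not define it).
    New-ItemProperty -Path $exclusionKey -Name $dn -PropertyType String -Value '' -Force | Out-Null
}

# List the value names now present so an unintended entry is easy to spot
# before the change takes effect.
(Get-Item -Path $exclusionKey).Property
```

Only the documented key and its values are written; review the listed names before closing the session, since a mistyped DN silently excludes nothing or the wrong container.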

Restriction list based on business role

The Business Role module is an optional module that can be purchased with One Identity Manager. If this module is installed (selected on the Module selection page of the Setup wizard), you can restrict employees from seeing (and consequently requesting access to) governed data that has been published to the IT Shop based on their business role assignments.

By defining a business role restriction list, only those employees who are assigned the selected business roles are able to see and request access to a governed resource.

To restrict access to a resource in the IT Shop (Data Governance Administrator)

  1. In the Manager, open the Governed data view.

    • From the Data Governance navigation view, select Governed data.
    • From the Managed hosts view, navigate to the required managed host and select Governed data from the Tasks view or right-click menu.
  2. Select the required resource and then select Change governed resource master data in the Tasks view or right-click menu.
  3. Select Assign business roles in the Tasks view or right-click menu.

    The Business Roles assignment page appears allowing you to select from a list of business roles.

  4. In the lower pane, double-click the business roles to be assigned to the resource.
  5. When finished with the assignments, click the Save tool bar button.

To restrict access to an owned resource in the IT Shop (only for Business Owners who also have the Data Governance Administrator role)

Note: Business owners who have both the Data Governance\Administrators and Data Governance\Direct Owners application roles assigned can use the web portal to define who can see and access owned resources.

  1. Log on to the One Identity Manager web portal.
  2. From the menu bar, select Responsibilities | My Responsibilities.
  3. On the My Responsibilities view, select the Governed Data tile.
  4. On the Governed Data view, select a governed resource.
  5. Click the Master data tab.
  6. Click the Assign button to the right of Business Roles.
  7. On the Assign dialog, use the left pane to select the business roles to be assigned to the selected resource.

    Once selected, the business role appears in the Assigned pane (right pane) and the icon to the left of the business role changes to a check mark. To remove a business role, select the business role from the Assigned pane. The icon to the left of the business role changes back to an X and is removed from the Assigned pane.

    Click OK to save your selections and close the Assign dialog.

  8. When finished with the assignments, click the Save button.