Access denied error
Access is denied to the new share, even though an email was received stating that the file share requested has been successfully created.
When configuring the IT Shop, the RecipientAddToGroup property in the QAMManagedResourceType table for the Simple Share managed resource type was not properly set.
That is, if you used the Object Browser and omitted to set the UID_RecipientAddToGroup (or used the Add-QManagedResourceType PowerShell cmdlet and omitted the -RecipientAddToGroup parameter), the recipient is not added to the appropriate group when it is created and therefore, is denied access to the new file share.
Use the IT Shop to request access to the new file share. This will set the property that was originally missing. Log out of the current session and log back in to ensure the change takes effect.
Customizing share creation requests
NOTE: The Resource Access shelf is available through the Identity & Access Lifecycle shop, which is included by default with the One Identity Manager installation. The File system access, SharePoint access and New file system share products are available in the Resource Access shelf by default. In the default installation, several approval policies are assigned to the Identity & Access Lifecycle shop; therefore, requests from this shop are run through predefined approval processes.
You can use the shop to request standard products or you can extend it by adding additional shelves, assigning requestable products, or by setting up your own IT Shop solution. You can also customize the approval processes, including approval policies and approval workflows. For more information on using and customizing the Identity & Access Lifecycle shop, see the One Identity Manager IT Shop Administration Guide.
The default configuration and process fulfills self-service share creation requests by creating new file system shares and granting access through group membership based on Microsoft best practices. This release of Data Governance Edition handles the basic fundamentals for creating file system shares which can be modified to meet your file system share creation needs. In addition, you can use the basic configuration provided as a basis for defining additional managed resource types and corresponding processes to fulfill self-service requests to these new managed resources.
Prior to modifying the default configuration for share creation requests or creating new managed resource types, it is very important that you understand the security model currently being used for self-service share creation requests:
- The security model: The default security model defines the groups to be created, parent-child relationships, permissions, and so on for creating new file system shares. The default security model can be modified for self-service share creation requests or can be used as a basis for defining your own security model for creating additional managed resource types.
Once you fully understand how the security model works, these components can be customized in addition to the security model:
- Group naming patterns: Group naming patterns consist of literal values and variables that are used to dynamically construct a new Active Directory group name. A group naming pattern is specified when building new managed group templates to define the default naming pattern to be used to create new Active Directory groups. Also, as part of the approval process, the Data Governance Administrator can edit the group naming pattern to ensure the groups created by the share creation request are named according to company standards.
- Name pattern resolvers: In addition to allowing you to edit the group naming pattern to be used, you can also create your own name pattern resolver scripts to define additional variables that can then be used in the group naming patterns. Data Governance Edition provides sample name pattern resolver scripts that can be used as a basis for defining your own name pattern resolver scripts.
- Server selection scripts: Data Governance Edition provides a default server selection script that randomly selects a managed host (QAMNode) to host a new file system share. You can, however, write your own server selection scripts to ensure the appropriate managed host is suggested.
- Mail templates: Data Governance Edition provides default email templates that can be modified to meet your company email standards. For information on modifying mail templates, see the One Identity Manager Configuration Guide.
- Managed resource functions: Data Governance Edition provides One Identity Manager scripts that can be indirectly invoked to satisfy a predefined extension point in the business logic defined within the managed resource process chain. These scripts allow you to modify the behavior of the function defined in a script instead of modifying or creating the actual process chain used to process and fulfill self-service requests to managed resources.
- Process chain (file system share creation): The share creation request and approval workflows are defined using a specific process chain, similar to other One Identity Manager processes. If necessary, this process can be modified by adding or removing steps in the default chain. In addition, if you create additional managed resource types, you can use this process chain as a basis for defining the process chain to be used to process and fulfill self-service requests to these managed resources. For more detailed information on modifying process chains, see the One Identity Manager Configuration Guide.
Note: When the Data Governance service first starts up, it writes the default managed resource data into the One Identity Manager database. This behavior is controlled by a registry key, HKEY_LOCAL_MACHINE\SOFTWARE\One Identity\Broadway\Server\ResourceTemplateDefaultData.
If you delete the default managed resource components in your Data Governance Edition deployment and replace them with new managed resource components, you must move or set this registry key if you move the Data Governance service to another machine to prevent the reloading of previously deleted default managed resource data.
If you modify the default managed resource components in your Data Governance Edition deployment, the data is retained if you move the Data Governance service to another machine.
For more information about this registry key, see the One Identity Manager Data Governance Edition Technical Insight Guide.
The security model
The default security model defines how and where new file system shares are created, including the Active Directory container where new shares are created, the Active Directory group hierarchy to be used to support ACLs for the new share, the resource type to be created (Simple Share in this release), and the permissions assigned to the Active Directory groups. Therefore, when customizing the security model used to process share creation requests, you must first understand the following objects:
Managed resource type domain object: As part of the set up process, in each managed domain, you specified the Active Directory container where new groups are to be created and the group to be given full administrative control to the share. For more information, see Updating managed resource type domain object with full-control group and Active Directory container.
Managed group templates: Managed group templates define how a hierarchy of Active Directory groups is to be created to support a managed resource (file share). In addition to the hierarchy, these templates define the default group naming pattern to be used to create new Active Directory groups and the type of group to be created. Data Governance Edition uses Microsoft best practices for creating and nesting groups to provide access to newly created file shares; however, you can build your own templates to define this group hierarchy and the group naming pattern to be used. For more information, see Managed group templates.
Managed resource types: A managed resource type contains settings that provide a logical distinction that can be used to refine the concept of "file share" into different business specific groupings. More specifically, it points to the managed group templates used to create the groups to be used to grant access and specifies the default server selection script to determine an eligible server to create the file share on. For more information, see Managed resource types.
NOTE: The current managed resource type, Simple Share, uses the default configuration and process chain to create file system shares. Therefore, if you add a new managed resource type, you will be required to implement your own IT Shop product and process chain to support that managed resource type.
Type group permissions object: The last piece of the security model is linking the proper permissions object to the managed resource template for a managed resource type. Data Governance Edition provides default type group permissions objects to support the default managed group templates and Simple Share managed resource type provided. You can, however, create your own type group permissions objects to correlate possible permissions and group hierarchies in your deployment. For more information, see Type group permissions objects.
Managed group templates
Building the managed group templates to be used to define the Active Directory group hierarchy and default group naming pattern is the first step in customizing the security model to be used for creating managed resources.
By default, Data Governance Edition uses Microsoft best practices for creating and nesting groups to support ACLs for file system shares. By default six groups, three Global groups and three Domain Local groups, are created specially for accessing a new share. The Global groups are nested within the Domain Local groups as defined by the following managed group templates, which are available in the QAMManagedGroupTemplate table in One Identity Manager:
In addition, by default the Global Read group (created based on the G-[costcenter]-[random]-R template) and Global Read Write group (created based on the G-[costcenter]-[random]-RW template) have the IsSelfServiceGroup flag set to $true. Therefore, these groups will be the only groups returned after Data Governance Edition runs the group membership calculation to determine the "best fit" groups that would provide the requested access to the managed resource.
Before you begin:
To build a managed group template (Object Browser)
- Open the Object Browser.
- In the Navigation view, locate and select QAMManagedGroupTemplate.
- In the Managed Group Templates result list pane, click the Insert toolbar button or right-click command.
In the new Managed Group Template page, specify the following:
UID_ParentGroup Template: Use the drop-down menu to specify the template of the parent group this group is to be nested under when it is created.
Note: If this is a top-level (parent) group, do not specify this parameter.
- Description: (Optional) Enter a brief description for the group.
- GroupNamingPattern: Enter the group naming pattern to be used when creating the group.
- GroupType: Use the drop-down menu to select the type of group to be created: Domain Local (default), Global or Universal.
IsSelfServiceGroup: Change this value to True if this group is to be available for self-service access requests in the IT Shop. That is, limit the "best fit" calculation to only include groups that have this flag set to $true.
Note: UID_QAMManagedGroupTemplate: This value is automatically generated by One Identity Manager.
Click the Save toolbar button to save your selections.
The newly created managed group template appears in the Managed Group Templates result list pane.
To build a managed group template (PowerShell)
If necessary, import the QAM.Client.PowerShell.dll assembly:
Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".
Run the following cmdlet to add a new managed group template:
Add-QManagedGroupTemplate -GroupNamingPattern <String> [-Description[ [<String>]] [-GroupType] [-Int32>]] [-ParentGroupTemplateID] [<String>]] [-IsSelfServiceGroup [<Boolean>]]
For more information, see Group template management.