Creating and specifying share root paths
In addition to specifying the target machines, you must also specify the share root paths where new shares are to be created.
On each server that is hosting a target local managed resource host, identify an existing root folder or create a root folder where you want shares created under. For example, C:\ShareRoot.
Note: Make note of the UNC resolvable path to that folder. For example, if C:\ShareRoot is not shared, the path would be c$\ShareRoot.
To specify share root paths
Use the Object browser or Windows PowerShell to specify the share root paths where shares are to be created.
- Open the Object Browser.
- In the Navigation view, locate and select QAMManagedShareRootPaths.
- In the Managed Share Root Paths result list pane, click the Insert toolbar button or right-click command.
- In the new Managed Share Root Paths page, specify the following:
Note: UID_QAMManagedShareRootPath: This value is automatically generated by One Identity Manager.
- Click the Save toolbar button to save your selection.
The new managed share root path appears in the Managed Share Root Paths result list pane.
On the Data Governance server, run the following PowerShell cmdlet, changing the -QAMNodeID and -RootPath values appropriately:
Add-QManagedShareRootPath -QAMNodeID "ManagedHost ID" -RootPath "c$\ShareRoot"
For more information, see Add-QManagedShareRootPath.
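The two things that go wrong most often with this step are a root path written in local form (C:\ShareRoot) instead of the UNC-resolvable form (c$\ShareRoot), and a path that the Data Governance server cannot actually reach. The following PowerShell is an added example, not from the One Identity documentation, that derives the c$ form from a local path, checks that the path resolves from the machine the script runs on, and only then registers it with the Add-QManagedShareRootPath cmdlet shown above. It assumes the QAM.Client.PowerShell.dll assembly is already imported; FILESRV01 and C:\ShareRoot are placeholder values, the ManagedHost ID placeholder must be replaced with the real QAMNodeID, and the helper names ConvertTo-AdminSharePath and Test-ShareRootReachable are this example's own.

```powershell
# Added example: derive and verify a share root path before registering it.
# Add-QManagedShareRootPath (-QAMNodeID, -RootPath) is the cmdlet from the text;
# the two helper functions are invented here for illustration.

function ConvertTo-AdminSharePath {
    # C:\ShareRoot -> c$\ShareRoot, the UNC-resolvable form used when the
    # root folder is not itself shared.
    param([Parameter(Mandatory)][string]$LocalPath)
    if ($LocalPath -notmatch '^(?<drive>[A-Za-z]):\\(?<rest>.+)$') {
        throw "Expected a rooted local path such as C:\ShareRoot, got '$LocalPath'"
    }
    return ('{0}$\{1}' -f $Matches.drive.ToLower(), $Matches.rest.TrimEnd('\'))
}

function Test-ShareRootReachable {
    # True only if \\<server>\<rootPath> exists as a folder from the machine
    # running this script. Reaching an administrative share (c$) requires
    # administrative rights on the file server, which the account running
    # Data Governance Edition must have for share creation to work.
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$RootPath
    )
    $unc = "\\$ServerName\$RootPath"
    return (Test-Path -LiteralPath $unc -PathType Container)
}

# --- usage with placeholder values (replace before running) ---
$server        = 'FILESRV01'          # assumed name of the managed host
$managedHostId = '<ManagedHost ID>'   # placeholder: QAMNodeID of the managed host
$localRoot     = 'C:\ShareRoot'       # folder created on the file server

$rootPath = ConvertTo-AdminSharePath -LocalPath $localRoot   # c$\ShareRoot
if (-not (Test-ShareRootReachable -ServerName $server -RootPath $rootPath)) {
    throw "\\$server\$rootPath is not reachable from this machine; create the folder or fix permissions first"
}

# Register the verified root path for the managed host (cmdlet from the text).
Add-QManagedShareRootPath -QAMNodeID $managedHostId -RootPath $rootPath
```

Run the script on the Data Governance server under the account that the Data Governance service uses, so that the reachability check reflects the permissions that share creation will actually run with.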
Share root path management
Edit Active Directory group insertion process parameters
Use the Designer to enable retries for ADS_ADSGroup_Insert process.
- Open the Designer.
- In the Navigation view, locate and select Process Orchestration.
- Select Processes | ADSGroup | ADS_ADSGroup_Insert.
- Click the Insert Group process step in the Process Overview form.
- In the Process step properties view, click Error handling.
- Select the Wait mode on error check box.
- Enter a value greater than 1 for both Latency [min] and Retries.
Note: These values can vary depending on the environment.
- Commit the changes to the main database using the Database | Commit to database menu item.
- Once the changes are committed to the main database, compile the database using the Database | Database Compiler menu item.
Restricting access to managed resources
Data Governance Edition provides a default restriction list processing subroutine that runs as part of the QAM Create DGE Managed Resource process chain used to create a managed resource share. By default, no restriction list is set; however, you can enable the SetRestrictionList parameter on the QAMManagedResourceType record to automatically create a restriction list based on the department, location and cost center organizational properties of the requester's Person record. That is, with the SetRestrictionList parameter enabled:
- If the requester has a location set, set a restriction on that location.
- If the requester has a department set, set a restriction on that department.
- If the requester has a cost center set, set a restriction on that cost center.
For example, if the person submitting the share creation request has a department defined on their Person record, that department is added to the restriction list, meaning that the new share is only available for access requests from users whose Person record belongs to the same department. Keep in mind that with the default restriction list processing subroutine, if the requester has more than one of these organizational properties set (for example, location, department, and cost center), all of them are added to the restriction list, and a user must match all of these restrictions in order to request access to the new share.
If the default restriction list processing subroutine does not meet your needs, you can replace it with a custom script. For more information, see Managed resource functions.
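To make the matching rule concrete, the following PowerShell is an added model of the default behaviour described above; it is not One Identity's subroutine and does not touch the One Identity Manager database. The Person records are constructed sample data, the function names New-RestrictionList and Test-CanRequestAccess are this example's own, and the property names Department, Location, and CostCenter are used here as a stand-in for the corresponding Person record properties. The last two calls show the AND semantics: a colleague in the same department but at a different location cannot request the share.

```powershell
# Added example: model of the default restriction list processing.
# Build the restriction list from the requester's organizational properties,
# then check candidate persons against it with AND semantics.

function New-RestrictionList {
    # Returns a hashtable of property -> required value, one entry per
    # organizational property that is set on the requester's Person record.
    param([Parameter(Mandatory)][hashtable]$Requester)
    $restrictions = @{}
    foreach ($prop in 'Location', 'Department', 'CostCenter') {
        if (-not [string]::IsNullOrWhiteSpace($Requester[$prop])) {
            $restrictions[$prop] = $Requester[$prop]
        }
    }
    return $restrictions
}

function Test-CanRequestAccess {
    # A person may request access only if every restriction matches.
    # An empty restriction list (requester with no org properties) restricts nobody.
    param(
        [Parameter(Mandatory)][hashtable]$Restrictions,
        [Parameter(Mandatory)][hashtable]$Person
    )
    foreach ($key in $Restrictions.Keys) {
        if ($Person[$key] -ne $Restrictions[$key]) { return $false }
    }
    return $true
}

# Constructed sample Person records (not real data).
$requester         = @{ Department = 'Finance'; Location = 'Berlin'; CostCenter = 'CC-100' }
$colleague         = @{ Department = 'Finance'; Location = 'Berlin'; CostCenter = 'CC-100' }
$sameDeptOtherSite = @{ Department = 'Finance'; Location = 'Munich'; CostCenter = 'CC-100' }
$noOrgData         = @{ }

$restrictions = New-RestrictionList -Requester $requester
'Restrictions: ' + (($restrictions.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', ')
'Colleague (all three match):       ' + (Test-CanRequestAccess -Restrictions $restrictions -Person $colleague)
'Same department, other location:   ' + (Test-CanRequestAccess -Restrictions $restrictions -Person $sameDeptOtherSite)

# A requester with no organizational properties produces an empty list, so the
# share is open to every IT Shop member; review such shares deliberately.
$openRestrictions = New-RestrictionList -Requester $noOrgData
'Open share, anyone can request:    ' + (Test-CanRequestAccess -Restrictions $openRestrictions -Person $sameDeptOtherSite)
```

Two consequences are worth checking in your own environment: a requester with all three properties set produces a share that only people matching all three can request, which may be narrower than intended, and a requester with none set produces no restriction at all. Both cases are visible afterwards in the Manager, as described below under viewing the organizational properties.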
To enable the default restriction list processing subroutine for the Simple Share resource type (Object Browser)
- Open the Object Browser.
- In the Navigation view, locate and select QAMManagedResourceType.
- In the Managed Resource Types result list, select Simple Share.
- In the Simple Share (ManagedResourceType) page (right pane), set the SetRestrictionList value to True.
- Click the Save toolbar button to save your selection.
To enable the default restriction list processing subroutine for the Simple Share resource type (PowerShell)
If necessary, run the following cmdlet to import the QAM.Client.PowerShell.dll assembly:
Where <path> is the file path for the QAM.Client.PowerShell.dll assembly. By default, the <path> for the Data Governance server machine is "C:\Program Files\One Identity\One Identity Manager\QAM.Client.PowerShell.dll".
Run the following cmdlet to enable the SetRestrictionList parameter for the Simple Share managed resource type:
Set-QManagedResourceType -ID <UID_QAMManagedResourceType Value> -SetRestrictionList $true
- Id: Specify the ID of the Simple Share managed resource type.
- SetRestrictionList: By setting this value to $true, a restriction list is set for this type of managed resource.
For more information, see Set-QManagedResourceType.
To view organizational properties automatically added to the restriction list (Manager)
When a new file share is created through a self-service request in the IT Shop, you can use the Manager to view the organizational structure restrictions applied.
- Open the Manager.
- Select Data Governance | Managed hosts from the navigation view.
- Select the required managed host and select Governed data from the tasks view or right-click menu.
- Locate and double-click the resource that is published to the IT Shop.
The Change master data view for the resource appears.
- Select Assign organizations from the tasks view or right-click menu.
The Organization assignments page appears, which consists of three tabbed pages (Departments, Locations, and Cost centers). The organizational properties used to restrict access to the share are listed in the top pane of each of these tabs.
Requesting the creation of a file system share
All active employees automatically become members of the Identity & Access Lifecycle shop, which is installed by default, and can therefore make requests, including file system share creation requests.
You submit a self-service share creation request using the Resource Access service category in the One Identity Manager web portal. Selecting the Resource Access service category displays a Request page allowing you to request the creation of a file system share.
To request the creation of a new share
- Log on to the One Identity Manager web portal.
- From the Home (Welcome) page, click Start a new request.
The Request view appears, which displays the available service categories.
- Select the Resource Access service category.
The Request page appears.
NOTE: By default, the recipient is the employee currently logged into the web portal. To change the recipient list, click Change to the right of the Recipient field. In the Recipient dialog, select the employees to be added to the recipient list. To remove an employee from the recipient list, select their name from the Selected pane at the bottom of the Recipient dialog.
- Click Request in the Request column to the right of the New file system share product.
TIP: You can also select the check box to the left of the New file system share product in the grid and click the Submit Request now button located in the lower right corner of the page.
- In the Requesting new file system share dialog, enter the following information:
- Name for the new file share
- Purpose for the new file share
The Allow others in your organization to be able to request access to this resource option is selected by default, making the share available to others through the IT Shop. If you do not want others in your organization to request access to this share, clear this check box.
The My Shopping Cart page appears, where a New file system share request is listed along with the recipient and status.
Note: If you need to return to your shopping cart (for example, your session times out before you have completed your request submission), select Requests not yet submitted from the Home page. You can also click the shopping cart icon in the upper right corner of the page and select Shopping Cart.
- Click the Submit button to validate whether the requester has the permissions required to make the requests in your shopping cart and to submit the requests for approval processing.
The Shopping Cart page closes and a "The request was successfully submitted" message appears at the top of the My Shopping Cart page.
- Click View the request history to display the Request History page and track the current status of your requests.
NOTE: If you made the request for other employees (that is, changed the recipient list on the Request page), click the Advanced search button. Modify the Display requests options by selecting the Requests submitted by you for others check box and click the Search button.
Approving share creation requests
All IT Shop requests are subject to a defined approval process in which authorized employees grant or deny approval for the request. The share creation request approval workflow is a two-step process. First, the employee's manager approves the request. Once the manager has approved it, the Data Governance Administrator specifies the server that will host the new share and the groups to be created to provide access.
Note: If an employee does not have a manager assigned, that approval step is bypassed and the request goes directly to the Data Governance Administrator.
For managers and Data Governance Administrators, all pending requests appear in the following locations in the One Identity Manager web client:
- Home (Welcome) page: Pending requests
- My Actions view: (Request | My Actions | Pending Requests)