立即与支持人员聊天
与支持团队交流

Identity Manager Data Governance Edition 9.2.1 - IT Shop Resource Access Requests User Guide

One Identity Manager Data Governance Edition IT Shop Resource Access Requests User Guide Resource access requests Share creation requests PowerShell commands

Wrong group displayed for Share access request

On the Pending Request page of the web portal, it appears that the wrong group was assigned to a Share access request, and no other appropriate groups are available.

Cause

The most likely cause for this scenario has to do with whether you selected to use the backing folder security when placing the share under governance. That is, if you selected the Use backing folder security for self-service option when placing the share under governance (default), then the backing folder security is used for the share. However, if you cleared the Use backing folder security for self-service option when you placed the share under governance, then the share permissions are used for the share.

See the Resolution to determine which permissions are being used.

Resolution

Use the Object Browser to review the properties for the governed share resource in the QAMDuG table. There should be two entries for this governed share in the QAMDuG table; one entry for the share and one entry for the backing folder.

  1. In the navigation pane, locate and select QAMDuG | Data objects under governance.
  2. In the Data objects under governance result list, select the share resource and verify the following properties:
    • DisplayPath: <Share's path>
    • UID_QAMResourceType: Windows Computer\Share
  3. Locate the UseFolderForITShop flag, which contains either a True or False value:
    • True: Data Governance Edition uses the backing folder security for the share. That is, the Share permissions do not matter.

    • False: Data Governance Edition uses the Share permissions for the share.

    Note: By default, this value is set to True for shares. That is, the Use backing folder security for self-service option was selected when you placed a share under governance. You must clear this option to use the Share permissions.

  4. Once you have verified that the correct permissions (backing folder security or Share permissions) are being used, modify the permissions as required to define access rights that match the request.
  5. It is best to deny the original request and have the requestor submit a new resource access request.

Customizing resource access requests

NOTE: The Resource Access shelf is available through the Identity & Access Lifecycle shop, which is included by default with the One Identity Manager installation. The File system access, SharePoint access and New file system share products are available in the Resource Access shelf by default. In the default installation, several approval policies are assigned to the Identity & Access Lifecycle shop; therefore, requests from this shop are run through predefined approval processes.

You can use the shop to request standard products or you can extend it by adding additional shelves, assigning requestable products, or by setting up your own IT Shop solution. You can also customize the approval processes, including approval policies and approval workflows. For more information on using and customizing the Identity & Access Lifecycle shop, see the One Identity Manager IT Shop Administration Guide.

A series of suitability calculators are used to determine the "best fit" groups for providing access to NTFS and SharePoint resources. These suitability calculators can be found in the DataGovernanceEdition.Service.exe.config file in the Data Governance service directory. These calculators cannot be modified; however, the multipliers used in the calculators can be modified to customize the weight information to rank a group. In addition, you can define your own suitability calculator to be used for self-service operations. The following topics explain how to implement these customizations:

Prior to making changes to the default suitability calculators, it is recommended that you review and understand how Data Governance Edition determines the "best fit" groups:

Modifying the calculators

The "best fit" group is determined through a series of calculators that work on various criteria. Each calculator returns a value in the range of -2 to +2:

  • VeryBad (-2)
  • Bad (-1)
  • Neutral (0)
  • Good (+1)
  • VeryGood (+2)

If the value is positive, it is multiplied by the calculator's positive multiplier and added to the total, increasing it. If the value is negative, the value is multiplied by the calculator's negative multiplier and added to the total, decreasing it. The total after all the calculators have been run is used to rank the groups from which the business owner can select. The group with the highest total is marked as the "best fit" group.

Note: Multiple suitability calculators can be run against the same group information, and then weighted with their own specific multipliers to give the group a ranking among other groups to determine what the "best fit" group is for access request self-service operations.

The calculators cannot be changed, but you can modify the positive and negative multipliers by changing values in the DataGovernanceEdition.Service.exe.config file in the Data Governance service directory (%ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server). Review comments for multipliers in the configuration file to find information on how the values are determined. To remove a calculator, simply set both its positive and negative multipliers to 0.

Note: Keep in mind that the multiplier values are only relative to one another. If you doubled all the multipliers, there would be no change in the resulting set of groups returned to the user. If you want your desired criteria to be considered more important, set the multipliers on those calculators to be higher relative to the rest.

In addition, the following configuration options, also in the configuration file, affect what groups are shown to the business owner:

  • SelfService.SuitabilityThreshold (Default: 100).

    This value determines the lowest possible suitability score that can be returned by the self-service access request. Any group whose calculated suitability falls below this threshold is not displayed to the business owner.

  • SelfService.AllowNonPublishedGroups (Default: false) and SelfService.AllowUnsynchronizedGroups (Default: false).

    These values prevent any groups that are not synchronized by One Identity Manager or not published to the IT Shop from displaying in the self-service options in the web portal.

For more detailed information about the self-service suitability calculation multipliers and self-service configuration options, see the One Identity Manager Data Governance Edition Technical Insight Guide.

Creating a group suitability calculator

Note: You can create a calculator in any .NET compatible language. The following example is based on a C# implementation.

To create the calculator

  1. Start a new "Class Library" project in your editor.

    Note: Ensure that the project is compiling for .NET v3.5 or lower. When run in context with the Data Governance server, .NET v4.5.1 or lower is used.

  2. Add references for the following Data Governance assemblies (they are located in the %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server folder):
    • QAM.Common.Interfaces.dll

    • QAM.Common.Shared.dll

    • QAM.Server.Util.dll

  3. Author a class that derives from the QAM.Server.Util.SelfService.BaseGroupSuitabilityProcessor class.

    This base class implements the QAM.Server.Util.SelfService.IDetermineGroupSuitability interface, which is required for subsequent steps.

  4. Override the base class’ Execute() method, and in this method enter the SuitabilityDelta property. This is an enumeration which contains values ranging from VeryBad to VeryGood:
    • VeryBad
    • Bad
    • Neutral
    • Good
    • VeryGood
    • Ineligible (This removes the group as a contender.)

    Based on this criteria, a group is scored high or low and weighted up or down with the PositiveMultiplier and NegativeMultiplier properties.

  5. Author a class that implements the QAM.Server.Util.SelfService.IDetermineGroupSuitabilityFactory interface. The one method in this interface should return an instance of the first class; the one that implements IDetermineGroupSuitability.

    Once you have implemented the two classes, compile the DLL and place it in a folder on the Data Governance server. To instruct the Data Governance server to use this calculator to determine the best groups for self-service requests, create a plugin file in the %Program Files%\One Identity\One Identity Manager Data Governance Edition\Server folder.

    Note: A file called "base.SuitabilityCalculators.xml" exists, because it is shipped with the Data Governance server. Unless you need to disable an existing calculator, it is recommended not to modify this file.

  6. Create a file in the server folder named [CustomName].SuitabilityCalculators.xml.

    The content should look like the following: 

    Where the value of the Assembly attribute is the name (or full path) to the assembly containing your custom Group Suitability Calculator factory class and the value of the Type attribute is the fully qualified Namespace.Classname of your Group Suitability Calculator factory class. If the Assembly path is not absolute, it is interpreted as being relative to the %Program Files%\One Identity\One Identity Manager Data Governance Edition\Server folder.

    The values in the <Property> nodes can be any resource namespace or fully qualified resource type that Data Governance Edition supports, although self-service requests can currently be made for only files, folders, shares, and SharePoint resources.

  7. Once you restart the Data Governance server, the new calculator is used for self-service requests.

Example implementation of class deriving from BaseGroupSuitabilityProcessor

/// <summary>

/// A simple suitability calculator to show how to influence group scores for self-service operations

/// </summary>

public classMyCalculator : QAM.Server.Util.SelfService.BaseGroupSuitabilityProcessor

{

/// <summary>

/// Initializes a new instance of the MyCalculator class

/// </summary>

/// <param name="targetGroup">

/// The group to be associated with this instance of this calculator

/// </param>

public MyCalculator(QAM.Common.Interfaces.AccessSelfServiceGroupInformation targetGroup)
: base(targetGroup)

{

// Optionally set our multipliers. This can also be done in the

// DataGovernanceEdition.Service.exe.config file

// like this:

//

// <add key="MyCalculator.PositiveMultiplier" value="1000000"/>

// <add key="MyCalculator.NegativeMultiplier" value="100"/>

//

// It can be advantageous to set these values in the configuration file so that

// a recompile is not necessary to change the weighting of the calculator.

//

// The default multiplier is 100, so this one will drastically boost the score

// of this calculator

this.PositiveMultiplier = 1000000;

this.NegativeMultiplier = 100;

}

/// <summary>

/// At the end of the execution of this method, the SuitabilityDelta property should be filled in.

/// </summary>

public override void Execute()

{

// Using the Target group, determine on a scale of -2 to +2 how suitable it is,

// or if it should be marked as completely ineligible.

//

// For this example, we will give groups that contain the string "Read" a super-high

// boost based on our "very good" score and the positive multiplier of one million.

// If they do not meet this arbitrary requirement of containing "Read", we will mark

// the group as ineligible.

int indexOfRead = this.TargetGroup.SamAccountName.IndexOf(

"Read",

System.StringComparison.OrdinalIgnoreCase);

if (-1 < indexOfRead)

{

this.SuitabilityDelta =

QAM.Server.Util.SelfService.GroupSuitabilityModifier.VeryGood;

}

else

{

this.SuitabilityDelta =

QAM.Server.Util.SelfService.GroupSuitabilityModifier.Ineligible;

}

}

}

Example of a class implementing IDetermineGroupSuitabilityFactory

/// <summary>

/// A class to wrap the factory method that creates our suitability calculator

/// </summary>

public classMyCalculatorFactory : QAM.Server.Util.SelfService.IDetermineGroupSuitabilityFactory

{/// <summary>

/// A factory method to create an instance of our suitability calculator

/// </summary>

/// <param name="group">The group for which we want to compute the suitability score</param>

/// <returns>The calculator that will compute the suitability score for our group</returns>

public QAM.Server.Util.SelfService.IDetermineGroupSuitability Create(

QAM.Common.Interfaces.AccessSelfServiceGroupInformation group)

{

return newMyCalculator(group);

}

}

Supported resource types

  • NFS\File
  • NFS\Folder
  • NTFS\Folder
  • NTFS\File
  • Service Identities\Windows Service Identity
  • SharePoint\Farm
  • SharePoint\FarmAdminRight
  • SharePoint\Folder
  • SharePoint\List
  • SharePoint\ListItem
  • SharePoint\ResourceItem
  • SharePoint\ServiceApplicationPermission
  • SharePoint\Site
  • SharePoint\SiteCollection
  • SharePoint\SiteCollectionAdminRight
  • SharePoint\WebApplication
  • SharePoint\WebAppPolicy
  • Windows Computer\Local User Rights
  • Windows Computer\Operating System Administrative Rights
  • Windows Computer\Share
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级