These procedures are described:
- Entering the Definition Information
- Specifying Resource Workflows
- Defining Entitlement Options
- Defining General Properties
- Selecting Self-Service Properties
- Adding a Permission
- Adding Custom Attributes
- Adding Resource Dependency
- Adding Resource Owners
From the Admin UI ► Server tab ► Function Menu, click Resources. The Resource View page displays:
Elements and Descriptions
ID: Displays the RESOURCE_ID.
Name: Displays the resource name. Click the hyperlink to view details.
Note: Clicking this column heading sorts in ascending or descending order.
Display Name: Displays the display name of the selected resource.
Note: Clicking this column heading sorts (ascending or descending) by display name.
Requestable: Displays whether the resource is requestable. Only requestable resources can be requested from Self-Service or used in workflows. When a requestable resource is requested, membership is granted to the user without policy evaluation. See the Policy Evaluation Process for details on the evaluation process.
Approval Required: If the resource has Approval Type Resource or Permission, this column is set to Yes. Otherwise, it is set to No.
System: All resources created by the administrator are non-system resources. The Identity Resource created during installation is a system resource.
Modified User: Displays the name of the user who last modified or added the resource.
Modified Date: Displays the date and time when the resource was added or modified.
Add: Displays the Resource Detail (Add New) page to create a new resource. See Entering the Definition Information below.
Copy: Displays the Resource Detail (Creating Copy) page to create a new resource based on the selected resource. All input fields are prefilled with data from the selected resource except for the Name.
Delete: Deletes the selected resource from the list. This button is disabled when the system resource Identity Resource is selected.
- Click the Add button to create a resource. The Resource Detail (Add New) page displays:
Elements and Descriptions
* fields are required: A red asterisk denotes required fields.
Locale: Select the preferred language (default: English).
Definition
Name: Enter the name of the resource. Note: Only alphanumeric, space, hyphen, and underscore are allowed in the name.
Display Name: Enter the display name of the resource. This will be the name displayed in the Self-Service UI where resources are selected for request.
Description: Enter the description of the resource.
Resource Type: Select the type:
- Account - Workflows are used to provision and deprovision accounts on the system.
- Entitlement - Workflows are used to add or remove entitlements on the system.
System: Enter the connected system used for this resource (each resource has one associated connected system). The Select button displays the Connected System View page to select a system.
Note: After the resource is defined, the connected system cannot be modified.
Resource Workflows: This section is used to specify the workflows used for add/delete/modify actions.
Transaction Type:
- An Entitlement Type resource only has two actions: Add and Remove.
- An Account Type resource has three actions: Add, Modify, and Remove.
Workflow Name: Displays the name of the workflow to be executed.
Workflow Description: Displays the description of the workflow to be executed.
Add/Modify: Select the deployed resource workflows associated with the selected connected system.
Remove: Removes the selected workflow.
Entitlement Options: This section is used to define the entitlements to be added on the system.
Name: Displays the entitlement name of the resource system:
- For an LDAP system, it is the cn value for entitlement types Group or Role. When the entitlement type is Attribute, it is the attribute name.
- For a RDBMS, it is the name of the Group or Role.
- For an Oracle E-Business Suite, it is the name of the Responsibility.
Value: Displays the fully qualified value of the entitlement:
- For an LDAP system, it is the DN value for entitlement types Group or Role. When the entitlement type is Attribute, it is the attribute value.
- For a RDBMS, it is the name of the Group or Role.
- For an Oracle E-Business Suite, it is the Responsibility Key.
Type: Displays the entitlement type: Group, Role, Attribute, and Profile (for SAP NetWeaver only). For an Oracle E-Business Suite, it is Responsibility.
Static:
- True when the entitlement is static.
- False when the entitlement is selected from the resource system.
Description: Displays the description of the entitlement, if any.
Application: Displays the Application short name for an Oracle E-Business Suite Responsibility.
DB/Schema Name (for database systems only): Displays the database name where the entitlement resides.
Table Name (for database systems only): Displays the table name within the database.
Identity Column (for database systems only): Displays the Identity column name within the table that represents the entitlement.
Add: Adds an entitlement. Displays the Entitlement Search page.
Add Static Entitlement: Displays a new line for adding an entitlement.
Remove: Removes the selected entitlement.
Edit Static Entitlement: Enables editing of a static entitlement. These fields can be edited: Name, Type, Description, DB/Schema Name, Table Name, and Identity Column. This button can also be used to edit the System field of a non-static SAP GRC Role of type Business.
General Properties
This resource can be requested from self-service and can be used in workflows: Check this box if the resource can be used in the Self-Service Tree configuration as well as in the workflow (Set Approval Resources Mapper rule) configuration.
Allow multiple accounts: Check this box if more than one account can be created for this resource. If used in Policy, the same policy cannot give multiple accounts, but multiple policies qualified for the same resource can give multiple accounts. Note: This is selectable when the Resource Type is Account.
Beneficiary notification when resource is assigned: Displays the Notification View (Condition Detail Search) page for selecting the desired resource notification. This enables the administrator to specify unique beneficiary notifications for individual resources.
Approval Type: Determines whether approval is required and on what level:
- None - No approval is required at the resource level. If the feature that uses this resource (e.g., Workflow, Policy, or Self-Service) is configured with approval, that approval is used.
- Resource - Approval is required for the resource for Add and/or Remove. At least one approval (for Add, for Remove, or both) must be configured. If the feature (e.g., Workflow, Policy, or Self-Service) is configured with approval, the feature approval runs first and, if it approves, the resource-specific approval runs next. Selecting this option displays the Approval Rule for Add and Approval Rule for Remove text boxes.
- Permission - Approval is required for a particular permission in the resource for Add and/or Remove. At least one approval (for Add, for Remove, or both) must be configured with at least one permission. If the feature (e.g., Workflow, Policy, or Self-Service) is configured with approval, the feature approval runs first and, if it approves, the permission-specific approval in the resource runs next.
Self-Service Properties: Select the properties specific to the Self-Service UI:
- User can request multiple permissions - Check this box if users are allowed to select and request more than one permission associated with a resource in Self-Service. Note: This is selectable when more than one permission is defined.
- Approvers can change the permission - Check this box if approvers can edit the permission before approving the request. Note: This is selectable when the Approval Type is set to Resource.
- Enable sponsorship of resource - Check this box to let the user select a sponsor while requesting the resource.
- Sponsor must be specified when resource is requested - Check this box if sponsor selection is mandatory while requesting the resource.
Permission (the attribute is Resource-Permission): This section is used to add a permission for Self-Service to use during a request process. See "Adding a Permission" for additional information.
Value: The value that is associated with this permission. This will be mapped to the attribute Resource-Permission (multivalued when more than one permission is selected) and passed to the workflow. This input field will be disabled if the current locale is not English.
Display Value: The value used to display in the Self-Service tab and Approval tab.
Description: The description to be used by the Self-Service tab when showing this permission.
Visible: Determines whether the Self-Service tab and Approval tab display this permission to the Self-Service requester.
Default: Indicates which permissions are the defaults for this resource. If user permission selection is turned off (controlled by the Self-Service configuration), only these permissions will be available.
Custom Attributes: This section is used to add custom attributes so that additional information can be displayed for approvers and Self-Service requesters. See Adding Custom Attributes for additional information.
Attribute Name: Displays the name of the attribute.
Display Name: Displays the display name of the attribute.
Add: Adds a new custom attribute.
Add Confirm: Adds a confirm attribute for the selected attribute.
Remove: Removes the selected custom attribute.
Note: If the attribute used as a custom attribute is already mapped to the FISC_USER_ACCOUNT or FISC_USER_ENTITLEMENT table, the current value in that table is overwritten with the custom attribute value defined in the resource, or with the value modified by the approver or Self-Service requester (depending on whether the resource is defined with approval).
Resource Dependency: This section is used to add dependent resources that depend on this resource. See Adding Resource Dependency for additional information.
Resource Name: Displays the name of the dependent resource.
Resource Type: Displays the type of the dependent resource.
System: Displays the system of the dependent resource.
Dependency Type: Select or displays the dependency type:
- On Execution - Honors the dependency only during execution.
- Always - Honors the dependency during requesting a resource as well as on execution.
Execution Dependency On: Select or displays the dependent resource action that honors the dependency on execution:
- Add - Grants the dependent resource only if the parent resource is granted. If the parent resource is not granted, denied, or failed, the dependent resource will be marked with Error status.
- Modify - Honors dependency during resource modification. If the parent and dependent resources are part of a single request or if the parent resource is pending as part of another request, the dependent resource modification will wait for the parent resource execution to complete successfully. If the parent resource fails, then the dependent resource will be marked with Error status. If the parent resource modification is neither part of the request nor pending, then the dependent resource modification will be executed.
- Delete - Revokes the dependent resources before the parent resource is revoked. If the parent and dependent resources are part of a single request or if the dependent resource is pending as part of another request, the parent resource deletion will wait for the removal of the dependent resource to complete successfully. If the dependent resource deletion is denied or fails, then the parent resource will be marked with Error status.
Add: Adds a dependent resource.
Remove: Removes the selected dependent resource.
Resource Owners: This section is used to add or remove users assigned as the owners of the resource. See Adding Resource Owners for additional information.
Add: Adds a resource owner.
Remove: Removes the selected resource owner.
Entering the Definition Information
- Enter a Name (e.g., Network Account), Display Name, Description, and select a Resource Type. If this resource is for account provisioning and deprovisioning, select the Resource Type Account.
Note: Before continuing, ensure that the Resource workflows are deployed.
- Select a System associated with the resource by clicking the Select button. The Connected System View page displays. Select a connected system, and then click the Select button (or double-click the option button next to the connected system to select it).
Specifying Resource Workflows
To specify workflows for add/delete/modify actions
- Under Resource Workflows, select the check box of the Transaction Type (Add, Modify, or Remove) to which a workflow is to be assigned.
- Click the Add/Modify button to select from the deployed workflows associated with the selected connected system. The Deployed Workflow List page displays Resource workflows only:
- Select the desired workflow, and then click Select (or double-click the option button next to the desired workflow to select it). Repeat the previous two steps for the Remove workflow (and for the Modify workflow of an Account type resource).
- Continue to the Defining General Properties steps if no entitlement is required for this resource.
Defining Entitlement Options
To define entitlements for an entitlement-only resource, or for a provisioning/deprovisioning resource that also grants entitlements
- Under Entitlement Options, click the Add button. The Entitlement Search page displays:
Note: This Entitlement Search page is for LDAP systems. For other systems, the Entitlement Search page with appropriate search capabilities displays.
Elements and Descriptions
Search Tree: Click a section of the Search Tree to be used in an entitlement search. Note that the DN of the tree section is then placed in the Search DN field.
Search Criteria
Search DN: Enter a distinguished name (DN), or click a section of the directory listed under the Search Tree field.
Search Query
Entitlement Query 1: Specifies assignment of a role to an explicit enumerated list of members. The query can be modified to return other entries if there is a custom object class for group or roles. The default is (objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition).
Entitlement Query 2: Defines entries that represent an unordered set of names whose integrity can be assured and that represent individual objects or other groups of names. The query can be modified to return other entries if there is a custom object class for group or roles. The default is (objectClass=groupOfUniqueNames).
Search Filter
Entitlement Name: Select from Starts With, Ends With, or Contains to search the directory. Note that if you do not specify any information in this field, all entries in the directory will be returned.
This dynamically queries the selected server and shows the existing roles and groups. The list is determined by the query statements in the selected connected system's configuration settings: EntitlementQuery1 and EntitlementQuery2. Every connected system has a predefined entitlement query associated with it. During creation or modification of a connected system, this query can be modified to suit your implementation of the system, through either the Admin UI or the Workflow and Connectivity Studio.
Dynamic fetching of roles and groups is only supported for connected systems of type JDBC (RDBMS) or LDAP. Responsibilities in an Oracle E-Business Suite type connected system can also be fetched dynamically. A SAP NetWeaver system also supports dynamic fetching of roles, groups, profiles, and GRC roles. For other systems, entitlement values must be added using Add Static Entitlement.
- Select an OU. The Provisioning Entitlements View page displays:
- Select the desired entitlement(s), and then click the Select button.
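As an added example (not product code), the following Python builds the search filter that the entitlement search above would send to an LDAP directory, combining EntitlementQuery1 and EntitlementQuery2 with the Entitlement Name filter. It assumes that the two components listed for the Query 1 default are AND-ed, that Query 2 is OR-ed with Query 1 so that both roles and groups are returned, and that the name filter is applied to cn (the attribute the page names as the entitlement Name of an LDAP Group or Role); these are assumptions, not documented product behaviour. The point to notice is the RFC 4515 escaping: whatever is typed into Entitlement Name must be escaped before it is spliced into the filter, otherwise a name such as `*)(objectClass=*` rewrites the filter instead of being searched for.

```python
from typing import Optional

# Defaults as listed on the page. Query 1 is shown there as two bare components;
# a syntactically valid RFC 4515 filter needs them inside one (&...) assertion
# (an assumption made here).
ENTITLEMENT_QUERY_1 = "(&(objectclass=ldapsubentry)(objectclass=nsmanagedroledefinition))"
ENTITLEMENT_QUERY_2 = "(objectClass=groupOfUniqueNames)"

# RFC 4515 escaping for a value placed inside a filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Make user input safe to splice into an LDAP filter as a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def name_assertion(name: str, match: str, attr: str = "cn") -> Optional[str]:
    """Translate the Entitlement Name filter into one filter assertion.
    An empty name yields no assertion, so every entry is returned (the page's note)."""
    if not name:
        return None
    esc = escape_filter_value(name)
    if match == "Starts With":
        return f"({attr}={esc}*)"
    if match == "Ends With":
        return f"({attr}=*{esc})"
    if match == "Contains":
        return f"({attr}=*{esc}*)"
    raise ValueError(f"unknown match type: {match!r}")

def build_entitlement_filter(name: str, match: str,
                             query1: str = ENTITLEMENT_QUERY_1,
                             query2: str = ENTITLEMENT_QUERY_2) -> str:
    """Roles (query1) OR groups (query2), narrowed by the name filter when one is given."""
    entitlements = f"(|{query1}{query2})"
    assertion = name_assertion(name, match)
    return entitlements if assertion is None else f"(&{entitlements}{assertion})"

if __name__ == "__main__":
    print(build_entitlement_filter("admin", "Starts With"))
    # A hostile name is searched for literally instead of rewriting the filter:
    print(build_entitlement_filter("*)(objectClass=*", "Contains"))
```

If a connected system's EntitlementQuery1 or EntitlementQuery2 is customised, the same rule applies to the custom query: it must be a complete, balanced filter before anything from the search box is appended to it.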
To add static entitlement, perform these sub steps
- Under Entitlement Options, click Add Static Entitlement. The Entitlement Options page displays.
- Enter the name of the entitlement in the Name field. For a Group in LDAP, it is the cn value; for a Role in a database, it is the role name; for an Attribute, it is the name of the attribute; for a Responsibility in Oracle E-Business Suite, it is the Responsibility name.
- Enter the fully qualified unique name of the entitlement in the Value field. For a Group in LDAP, it is the DN value of the group; for an Attribute, it is the value of the attribute; for a Responsibility in Oracle E-Business Suite, it is the Responsibility key; for all other types it is the same as the Name entered in the previous sub step.
- Select the type (Group, Role, or Attribute) of the entitlement from the Type drop-down list.
- The Static column is set to true automatically.
- Enter a Description for this entitlement.
- Enter the Application short name for the Oracle E-Business Suite Responsibility. This is not mandatory.
- Select the GRC Role Type and enter the System name (not mandatory) for SAP NetWeaver GRC Role.
- Select PosixGroup and select the Membership Attribute (default is UID) when adding a PosixGroup entitlement for an OpenLDAP Directory Server.
- Enter the database name in the DB/Schema Name field for this entitlement for database systems.
- Enter the table name in the Table Name field for this entitlement for database systems.
- Enter the Identity Column name to represent the identity column for this entitlement for database systems.
- Click the Add button to save the static entitlement, or click Add New to save it and then enter another static entitlement.
For static Attribute entitlements in database systems:
- The entitlement table should have one column to store the user_id and another column for the entitlement, so that it holds the user-to-entitlement relation.
- In the resource entitlement configuration, the name of the entitlement table should be given as the Table Name, the column that stores the user_id as the Identity Column, the other column that stores the entitlement as the Name, and the attribute value of this column as the Value.
- If there is more than one entitlement for a user in the entitlement table, the column that holds the user_id should not be set as the primary key in the table.
- The column that holds the user_id in the user table should be set as the preferred key in the workflow.
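As an added example (not product code), the following Python uses sqlite3 to show a table layout that satisfies the static Attribute entitlement rules above: the user_id column is not the primary key, so one user can hold several entitlements, while a composite key and a foreign key still reject duplicate grants and rows for unknown users. The table and column names (APP_USER, APP_ENTITLEMENT, USER_ID, ENTITLEMENT) and the rows are constructed for the demo; in the resource's entitlement configuration they would correspond to Table Name = APP_ENTITLEMENT, Identity Column = USER_ID, Name = ENTITLEMENT, and Value = the specific entitlement string (e.g., REPORT_VIEWER).

```python
import sqlite3
from typing import Dict, List

# Constructed demo rows (not real data).
SAMPLE_USERS = [("u1001", "alice"), ("u1002", "bob")]
SAMPLE_GRANTS = [("u1001", "REPORT_VIEWER"), ("u1001", "REPORT_ADMIN"), ("u1002", "REPORT_VIEWER")]

# Hypothetical schema. In the resource's entitlement configuration this maps to
# Table Name = APP_ENTITLEMENT, Identity Column = USER_ID, Name = ENTITLEMENT.
SCHEMA = """
CREATE TABLE APP_USER (
    USER_ID TEXT PRIMARY KEY,          -- preferred key used by the workflow
    LOGIN   TEXT NOT NULL
);
CREATE TABLE APP_ENTITLEMENT (
    USER_ID     TEXT NOT NULL REFERENCES APP_USER(USER_ID) ON DELETE CASCADE,
    ENTITLEMENT TEXT NOT NULL,
    -- USER_ID is deliberately not the primary key: a user holding two
    -- entitlements needs two rows. The composite key still blocks a
    -- duplicate grant, and the foreign key blocks rows for unknown users.
    PRIMARY KEY (USER_ID, ENTITLEMENT)
);
"""

def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # sqlite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO APP_USER VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO APP_ENTITLEMENT VALUES (?, ?)", SAMPLE_GRANTS)
    return conn

def grant(conn: sqlite3.Connection, user_id: str, entitlement: str) -> bool:
    """Insert one user-entitlement row; False if it is a duplicate or the user is unknown."""
    try:
        conn.execute("INSERT INTO APP_ENTITLEMENT (USER_ID, ENTITLEMENT) VALUES (?, ?)",
                     (user_id, entitlement))
    except sqlite3.IntegrityError:
        return False
    return True

def revoke(conn: sqlite3.Connection, user_id: str, entitlement: str) -> bool:
    """Delete exactly one user-entitlement row; False if the user did not hold it."""
    cur = conn.execute("DELETE FROM APP_ENTITLEMENT WHERE USER_ID = ? AND ENTITLEMENT = ?",
                       (user_id, entitlement))
    return cur.rowcount == 1

def entitlements_of(conn: sqlite3.Connection, user_id: str) -> List[str]:
    rows = conn.execute("SELECT ENTITLEMENT FROM APP_ENTITLEMENT WHERE USER_ID = ? ORDER BY ENTITLEMENT",
                        (user_id,))
    return [r[0] for r in rows]

def run_scenario() -> Dict[str, object]:
    """Exercise grant and revoke on a fresh database and report what happened."""
    db = open_demo_db()
    return {
        "initial": entitlements_of(db, "u1001"),
        "second_grant": grant(db, "u1002", "REPORT_ADMIN"),    # True: second row for u1002
        "duplicate_grant": grant(db, "u1002", "REPORT_ADMIN"), # False: composite key
        "orphan_grant": grant(db, "u9999", "REPORT_VIEWER"),   # False: no such user
        "revoke": revoke(db, "u1001", "REPORT_ADMIN"),
        "after_revoke": entitlements_of(db, "u1001"),
    }

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The composite key is what keeps a provisioning workflow idempotent: re-running an Add for an entitlement the user already holds is rejected by the table instead of producing a second, invisible row.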
Defining General Properties
To define the approval rules to be executed when an Add or Remove request is made
- Under the General Properties section, set the Approval Type to Resource, and then select the Master Approval rules created for Approval Rule for Add and Approval Rule for Remove. Alternatively, other approval rules can be used for Approval Rule for Add and Approval Rule for Remove.
Selecting Self-Service Properties
To select the properties specific to the Self-Service UI
- Under the Self-Service Properties section, check the boxes for the desired properties specific to the Self-Service UI: User can request multiple permissions, Approvers can change the permission, Enable sponsorship of resource and Sponsor must be specified when resource is requested.
Adding a Permission
Resources can be created with multiple permissions, which Self-Service uses during a self-service request process. Approval uses these whenever it displays a resource requested from Self-Service, Prov Policy, or Workflows. The value of the permission defined in a resource is passed to the Resource workflow as the attribute value of Resource-Permission. If the approval type is Resource or Permission, the approver can select from multiple permissions but cannot change permission values.
To add a permission
- On the Resource Detail (Add New) page, click the Add button in the Permission section. A new row displays:
- Enter the Value, Display Value, Description, and select the desired Visible and Default check boxes.
- If the Approval Type is Permission, an approval section displays to specify the approval rule. Click the Add button:
Notes:
- The Sort button will sort the entire list on the Display Value.
- In Self-Service, these items will be displayed in the order in which they are configured in the Resource Detail page.
Adding Custom Attributes
Resources can be created with custom attributes, which allow additional information to be displayed for approvers and Self-Service requesters. Displaying the requested permissions alone may not be sufficient in some cases.
Custom attributes defined in a resource are passed to the Self-Service requester or approver (if the approver is defined in the resource), who may modify the values. While launching the Resource workflow, the values of custom attributes used are the approver modified ones. If no approver is defined for the resource, the default values set in the resource for the custom attributes are used, or the requester modified custom attribute values are used.
In a resource with custom attributes defined, the custom attribute values always take precedence. For example, if the resource has a custom attribute Account-ID, then while launching the Resource workflow, the DataXML has the value of this custom attribute. Even if the DataXML from the FISC tables already has Account-ID, its value is replaced with that of the custom attribute. In other words, the custom attribute overrides mapped FISC* table attribute values.
After a resource is granted to a user through the Request Access process, the custom attribute values granted to the user are stored in the FISC_USER_ENTITLEMENT table (if the custom attributes are not mapped to any FISC_USER_PROFILE, FISC_USER_ACCOUNT, or FISC_USER_ENTITLEMENT column). If custom attributes are mapped, the values are not stored in FISC_USER_ENTITLEMENT because the value is available from the mapped columns. The custom attributes record in FISC_USER_ENTITLEMENT will have USER_ENTITLEMENT_TYPE 4.
During resource deprovisioning for a user, through the Remove Access process, the custom attribute values are fetched from the FISC_USER_ENTITLEMENT table (if unmapped). Custom attribute values are passed to the approver, who may modify the values, if an approval rule is defined in the resource. While launching the Resource workflow, the values of custom attributes used are the approver modified ones. If no approver is defined for the resource, FISC_USER_ENTITLEMENT values are displayed for unmapped attributes. For mapped attributes, FISC_USER_PROFILE, FISC_USER_ACCOUNT, or FISC_USER_ENTITLEMENT values are displayed depending on the mapping.
To add a custom attribute
- On the Resource Detail (Add New) page [or Resource Detail (Update) page], under the Custom Attributes section, click the Add button. The Product Attribute View page displays the default attributes:
Elements and Descriptions
Attribute Type: Displays the type of attribute.
Name: Displays the name of the attribute.
Display Name: Displays the display name of the attribute.
IAttribute: Displays the name of the LDAP attribute of the Identity store used to map the product attribute. For example, if Sun ONE is your Identity System and displayName is selected for the attribute, this is mapped to the Sun ONE cn attribute.
Account Column: Displays the name of the column in the Identity database FISC_USER_ACCOUNT table.
Entitlement Column: Displays the name of the column in the Identity database FISC_USER_ENTITLEMENT table.
Notes:
- Attributes mapped to the FISC_USER_PROFILE table are not displayed and cannot be used as custom attributes.
- All columns on this page are sortable except the Attribute Name.
- Select the desired attribute(s), and click Select:
- To configure the attribute settings, click the attribute hyperlink. The Optional Attribute Settings window displays:
- Select the Display Type. If the UI Management Display Values option configured for the product attribute is Static List / Dynamic List, the Display Type options are Drop Down and Radio Button. Otherwise, the options are Input, Password, Date, and Text.
- Select the maximum field length.
- Select the Requestor display option: Read-Only, Editable, or Editable-Mandatory (the custom attribute must have a value before the requester submits the request). If the requester does not need to see the value of the custom attribute, select Hidden.
- Select the Approver display option: Read-Only, Editable, or Editable-Mandatory (the custom attribute must have a value before the approver submits the request). If the approver does not need to see the value of the custom attribute, select Hidden.
- Select the Initial value Type:
- None - No value will be set.
- Literal - The text content of the text field below is set as the initial value.
- Javascript - The output of the JavaScript function in the text field below will be set as the initial value.
- Database Query - The output of the database query in the text field below will be set as the initial value. If multiple columns and rows are returned, the value in the first row, first column is set as the initial value.
- LDAP Query - The output of the ldap query will be set as the initial value.
The Initial Value is applicable only for the Requestor and not for the Approver. The LDAP and DB queries for the initial value can use four types of variable substitution:
- ##Requestor.Product-Attribute## for substituting values of the currently logged-in user.
- ##User.Product-Attribute## for substituting values of the beneficiary. This can be used only when "Allow multiple recipients within single request" is not enabled in Self-Service Configuration.
- ##Resource.Product-Attribute## for substituting User Attributes placed in the Detail UI screen.
- ##Manager.Product-Attribute## for substituting Manager Attributes placed in the Detail UI screen.
- Select the Validation Type:
- None (default) - No validation.
- Email - Standard e-mail format (xxxx@yyyyy.zzzz).
- Regular Expression - The expression format:
- For allowing the characters a-z, A-Z, 0-9, #, _, &, @, and ?: [a-zA-Z0-9#_&@?]*.
- For denying the characters 0-9: [^0-9]*.
- JavaScript - JavaScript (support field substitution) is used to validate. Javascript Validation will not work in Approval pages.
- Database Query - Field data is validated against the data returned from the database query. The system on which the query is to be run can also be selected in the Validation section.
- LDAP Query - Field data is validated against data returned from ldap query.
The LDAP and DB queries for data validation can use four types of variable substitution:
- ##Requestor.Product-Attribute## for substituting values of the current logged in user.
- ##User.Product-Attribute## for substituting values of the beneficiary. This can be used only when "Allow multiple recipients within single request" is not enabled in Self-Service Configuration.
- ##Resource.Product-Attribute## for substituting User Attributes placed in the Detail UI screen.
- ##Manager.Product-Attribute## for substituting Manager Attributes placed in the Detail UI screen.
- Enter the Validation Error Message to display when data validation fails.
- Select the Instructional Text Type:
- None (default) - Do not display.
- Text - Display the text given in the Instructional Text below.
- Icon - Display the information icon to the right of the column. When clicking this field, the information displays as a pop-up window in Self-Service.
- Enable the Use custom style check box to use a custom CSS style. If it is not checked, the default CSS is used to display this field.
- Enter the Label CSS class name used to display the label.
- For more information on configuring the attribute settings, see the section: Server Configuration Chapter ► UI Management ► Self-Service ► Detail ► Rearranging Screens ► Adding/Removing/Modifying Fields.
- Click Done.
- To display a confirm field for an attribute while requesting or approving the resource, select the attribute that is configured as Editable-Mandatory for the Requestor and click the Add Confirm button. The confirm attribute is added to the list with Confirm prefixed to the selected attribute name. Once a Confirm attribute is added, the Requestor display option of its source attribute cannot be changed. The display of these attributes for the Approver depends on the Approver display option set for the source attribute.
Notes:
- The Sort button will sort the entire list on the Display Name.
- In Self-Service, these attributes will be displayed in the order in which they are configured in the Resource Detail
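The ##Requestor.X##, ##User.X##, ##Resource.X## and ##Manager.X## placeholders allowed in the Initial Value and Validation queries above are filled from attribute values that a requester or their manager may control. The following Python is an added example (not product code; the page does not describe how the product itself performs the substitution) of resolving those placeholders safely: a value going into an LDAP filter is escaped per RFC 4515, and a value going into a database query becomes a bind parameter rather than text in the SQL. It also applies the page's rule that the initial value is the first row, first column of the query result. The context dictionary, the hostile department value and the in-memory emp table are constructed for the demo.

```python
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# The four scopes listed above. Attribute names such as Product-Attribute contain hyphens.
PLACEHOLDER = re.compile(r"##(Requestor|User|Resource|Manager)\.([A-Za-z0-9_\-]+)##")

Context = Dict[str, Dict[str, str]]   # scope -> attribute -> value

def lookup(ctx: Context, scope: str, attr: str) -> str:
    try:
        return ctx[scope][attr]
    except KeyError:
        raise KeyError(f"no value available for ##{scope}.{attr}##") from None

# RFC 4515 escaping for a value placed inside an LDAP filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def resolve_ldap_query(template: str, ctx: Context) -> str:
    """Inline each value, escaped so that it stays a literal assertion value."""
    def sub(m):
        raw = lookup(ctx, m.group(1), m.group(2))
        return "".join(_LDAP_ESCAPES.get(c, c) for c in raw)
    return PLACEHOLDER.sub(sub, template)

def resolve_db_query(template: str, ctx: Context) -> Tuple[str, List[str]]:
    """Replace each placeholder with a '?' bind parameter; the values travel
    separately and are never parsed as SQL."""
    params: List[str] = []
    def sub(m):
        params.append(lookup(ctx, m.group(1), m.group(2)))
        return "?"
    return PLACEHOLDER.sub(sub, template), params

def initial_value_from_db(template: str, ctx: Context, conn: sqlite3.Connection) -> Optional[str]:
    """Run the resolved query and apply the page's rule: first row, first column."""
    sql, params = resolve_db_query(template, ctx)
    row = conn.execute(sql, params).fetchone()
    return None if row is None else row[0]

# Constructed sample data: a requester whose department value is hostile, and a
# tiny in-memory employee table standing in for the connected system's database.
DEMO_CTX: Context = {
    "Requestor": {"uid": "jdoe", "department": "Sales) (|(department=*"},
    "User": {"uid": "asmith"},
    "Manager": {"uid": "mgr01"},
}

def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (uid TEXT, mgr TEXT, cost_center TEXT)")
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)",
                     [("asmith", "mgr01", "CC-4410"), ("jdoe", "mgr01", "CC-1200")])
    return conn

if __name__ == "__main__":
    print(resolve_ldap_query("(&(objectClass=inetOrgPerson)(department=##Requestor.department##))", DEMO_CTX))
    print(initial_value_from_db("SELECT cost_center FROM emp WHERE uid = ##User.uid## AND mgr = ##Manager.uid##",
                                DEMO_CTX, demo_db()))
```

Note that `##User.X##` is only meaningful when a request has a single beneficiary, which is why the page ties it to "Allow multiple recipients within single request" being disabled; with several beneficiaries the lookup above would have no single value to return.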
Adding Resource Dependency
Some resources need to be created ahead of other resources in order to ensure that the same account or user name is used across all resources. To achieve this, resources can be configured as dependent resources of another resource (e.g., an entitlement resource can be specified as a dependent resource of the account resource). This will delay the execution of dependent resources until the parent resource is executed successfully. Dependency will be honored during the execution by Self-Service, Policy, and Approval engines.
To add a dependent resource
- From the Resource Detail (Add New) page [or Resource Detail (Update) page], under the Resource Dependency section, click the Add button. The Resource View page displays the resources.
- Select the desired resource(s) and click Select.
- Select the Dependency Type as On Execution or Always.
- In Execution Dependency On, select the desired dependent resource actions that have to honor dependency during execution: Add, Modify, and/or Delete.
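As an added example (not product code), the following Python models the Execution Dependency On rules above for a single request: a dependent Add waits for the parent Add and is marked Error if the parent is denied, fails, or is not held at all; a dependent Modify waits for a parent Modify only when one is in the same request; a parent Delete waits for its dependents' Deletes and is marked Error if any of them fails. The resource names, the dependency map and the simulated outcomes are constructed for the demo; pending items from other requests and the request-time effect of the Always dependency type are not modelled.

```python
from typing import Callable, Dict, List, Set, Tuple

Item = Tuple[str, str]   # (resource name, action: "Add" | "Modify" | "Delete")
SUCCESS = "Success"      # any other outcome from the run callback counts as not successful

def execute_request(items: List[Item],
                    deps: Dict[str, Tuple[str, Set[str]]],
                    held: Set[str],
                    run: Callable[[str, str], str]) -> Tuple[List[str], Dict[str, str]]:
    """Execute one request honouring resource dependencies.

    deps maps dependent -> (parent, actions on which the dependency is honoured),
    held is the set of resources the beneficiary already holds, and run performs
    one action and returns its outcome. Returns (execution order, status per resource).
    """
    present = dict(items)                       # resource -> requested action
    waits: Dict[str, Set[str]] = {r: set() for r in present}
    status: Dict[str, str] = {}

    for dep, (parent, honoured) in deps.items():
        if dep not in present or present[dep] not in honoured:
            continue
        action = present[dep]
        if action == "Add":
            if present.get(parent) == "Add":
                waits[dep].add(parent)          # granted only after the parent grant
            elif parent not in held:
                status[dep] = "Error"           # parent is not granted at all
        elif action == "Modify":
            if present.get(parent) == "Modify":
                waits[dep].add(parent)          # otherwise the modification runs directly
        elif action == "Delete":
            if present.get(parent) == "Delete":
                waits[parent].add(dep)          # dependents are revoked before the parent

    order: List[str] = []
    pending = [r for r in present if r not in status]
    while pending:
        progressed = False
        for res in list(pending):
            if any(w not in status for w in waits[res]):
                continue                        # an awaited item has not finished yet
            if any(status[w] != SUCCESS for w in waits[res]):
                status[res] = "Error"           # awaited item was denied or failed
            else:
                status[res] = run(res, present[res])
                order.append(res)
            pending.remove(res)
            progressed = True
        if not progressed:
            raise RuntimeError(f"dependency cycle among {pending}")
    return order, status

# Constructed demo: entitlement ENT_VPN depends on account ACCT_AD for Add and Delete.
DEMO_DEPS = {"ENT_VPN": ("ACCT_AD", {"Add", "Delete"})}

def demo_add_chain(parent_outcome: str):
    """Both resources added in one request; the parent outcome is simulated."""
    outcomes = {("ACCT_AD", "Add"): parent_outcome, ("ENT_VPN", "Add"): SUCCESS}
    return execute_request([("ENT_VPN", "Add"), ("ACCT_AD", "Add")], DEMO_DEPS, set(),
                           lambda r, a: outcomes[(r, a)])

def demo_delete_chain(child_outcome: str):
    """Both resources removed in one request; the dependent's outcome is simulated."""
    outcomes = {("ACCT_AD", "Delete"): SUCCESS, ("ENT_VPN", "Delete"): child_outcome}
    return execute_request([("ACCT_AD", "Delete"), ("ENT_VPN", "Delete")], DEMO_DEPS,
                           {"ACCT_AD", "ENT_VPN"}, lambda r, a: outcomes[(r, a)])

def demo_add_without_parent(held: Set[str]):
    """Only the dependent is requested; whether the parent is already held decides."""
    return execute_request([("ENT_VPN", "Add")], DEMO_DEPS, held, lambda r, a: SUCCESS)

if __name__ == "__main__":
    print(demo_add_chain(SUCCESS))
    print(demo_add_chain("Denied"))
    print(demo_delete_chain("Failed"))
```

The Delete case is the one worth checking in a real deployment: with the dependency honoured on Delete, the account cannot be removed while a dependent entitlement removal has failed, which is the behaviour that prevents an orphaned entitlement from surviving its account.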
Adding Resource Owners
Some resources need to be approved by their resource owner(s) prior to allocation. One or more users can be added as resource owners of a resource, and a Resource Owner based approver list can be created for the resource. It is a dynamic list: during execution, the owners that have the approval bit are designated as the approvers of the resource in context.
To add a resource owner
- From the Resource Detail (Add New) page [or Resource Detail (Update) page], under the Resource Owners section, click the Add button. The Resource Owner Search page displays the list of users.
- Select the desired user(s) and click Select.
Note: The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the resource owner is an approver in the approval process.
- On the Resource Detail (Add New) page, click the Add button [or, on the Resource Detail (Update) page, click Update] to save the resource. The Resource View page displays the following message:
Resource added successfully.