A resource container is an organizational unit within the User Application driver. The User Application allows you to assign a resource to a container. When you assign a resource to a container, the users in the container are assigned that resource. This type of resource assignment is called an indirect assignment. Resources explicitly assigned to a user from within the User Application are called direct assignments.
Resource containers reside under the main Resources container in the Role Catalog. You can create a role either directly in Resources, or in a container within Resources. Specifying the resource container is optional.
To create a resource container, right-click Resources, select New Resource Sub-Container, specify an identifier for the new container, and click OK.
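The direct and indirect assignment paths described above matter in an access review, because a user can hold a resource that nobody granted to them by name. The following is an added example, not code from Identity Manager or Designer: it resolves effective assignments from constructed data and lists the ones that exist only through a container. The dot-format DNs, the sample names, and the `include_subcontainers` switch are assumptions; the page does not say whether users in nested containers inherit the assignment.

```python
from collections import defaultdict

def parent_container(dn):
    """Container part of a dot-format DN: 'jdoe.sales.acme' -> 'sales.acme'.
    Assumption: no escaped dots inside name components."""
    return dn.split(".", 1)[1] if "." in dn else ""

def in_container(user_dn, container_dn, include_subcontainers):
    parent = parent_container(user_dn).lower()
    container = container_dn.lower()
    if parent == container:
        return True
    # Assumption: nested-container inheritance is optional and off by default.
    return include_subcontainers and parent.endswith("." + container)

def effective_assignments(users, direct, by_container, include_subcontainers=False):
    """Return {user_dn: {resource: [assignment paths]}}."""
    result = {}
    for user in users:
        grants = defaultdict(list)
        for resource in direct.get(user, ()):
            grants[resource].append("direct")
        for container, resources in by_container.items():
            if in_container(user, container, include_subcontainers):
                for resource in resources:
                    grants[resource].append(f"indirect via {container}")
        result[user] = dict(grants)
    return result

def indirect_only(effective):
    """(user, resource) pairs held only through a container assignment."""
    return sorted(
        (user, resource)
        for user, grants in effective.items()
        for resource, paths in grants.items()
        if "direct" not in paths
    )

# Constructed sample data, not taken from any real Identity Vault.
USERS = ["jdoe.sales.acme", "mlee.emea.sales.acme", "admin.acme"]
DIRECT = {"jdoe.sales.acme": ["VPN Access"], "admin.acme": ["Payroll DB"]}
BY_CONTAINER = {"sales.acme": ["CRM Account", "VPN Access"]}

if __name__ == "__main__":
    effective = effective_assignments(USERS, DIRECT, BY_CONTAINER, True)
    for user, resource in indirect_only(effective):
        print(f"{user}: {resource} ({'; '.join(effective[user][resource])})")
```
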
Open the Create Resource Wizard in one of these ways:
- From the Provisioning view, open Role Catalog, right-click Resources, then select New.
- Select File > New > Provisioning > Resource.
The Create Resource Wizard displays:
Fill in the fields as follows (* indicates a required field).

| Field | Description |
|---|---|
| Identity Manager Project and Provisioning Application* | The name of the Designer project and the provisioning application where you want to create the resources. NOTE: These two fields display when you launch the wizard from the File menu. |
| Identifier (CN)* | The unique identifier for the resource. |
| Display Name* | The text displayed as the Resource Name field in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Localizing Provisioning Objects. |
| Description | The text displayed as the Resource Description in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Localizing Provisioning Objects. |
| Category* | Allows you to categorize resources. Used for filtering resource lists in the User Application. The category names are defined in the directory abstraction layer Resource Category list. |
| Trustee Rights | Specifies the users, groups, or containers that can read, compare, and browse the resources. (Read, compare, and browse are the default privileges.) |
Click Finish. Designer creates the resource locally and opens the Resource editor.
Use the General tab to modify the values you entered in the wizard, and to specify a Resource Owner. For more information on the General properties, see Table 12-2.
Navigate to the Entitlement tab. The Entitlement page is in read-only mode. It shows entitlements associated with a resource.
| Field | Description |
|---|---|
| Entitlement Name | The description of the entitlement if the entitlement has been imported and is known to the Designer Identity Vault. Otherwise, it is simply the entitlement DN. |
| Entitlement Description | Information about the entitlement description. It could also be the entitlement DN. |
| Entitlement Value | The entitlement value can be static or dynamic. |
Navigate to the Request Form tab. The Request Form page is in read-only mode. The information is displayed in the Request Form fields when a Resource is requested.
Table 12-1 Form Field Properties
| Field | Description |
|---|---|
| ID | The system-generated ID for the field. |
| Label | The display label to be used on the field. |
| Binding | |
| Data Type | Can be a String, Integer, Boolean, List, or EntitlementRef type. |
| Data Value | The binding value can be static or dynamic. |
| List ID | If the Data Type is List, then a List ID is specified. |
| Entitlement DN | If the Data Type is EntitlementRef, then an Entitlement DN is specified. |
| Is Multi-Value | Boolean. True, if users can specify more than one value for this field, else False. |
| Is Hide | Boolean. True, if the value is hidden during the request time. |
Navigate to the Approvals tab.
Select Allow role approval to override resource approval when you want the requesting system (such as role provisioning) to override approvals of the resource provisioning.
Click the Grant or Revoke tab, then select the type of grant or revoke for the resource.
- None: Select this option when no approval is required for a resource grant or revoke request. Continue with Step 5.
- Standard: Select this option if the resource requires approval for a grant or revoke request, and you want the approval to execute the standard provisioning request definition that ships with the Roles Based . Continue with Step 4.
- Custom: Select this option when you want to specify a custom provisioning request definition for granting or revoking resources. You are prompted to select a provisioning request definition from the dropdown list. The list is populated with approvals whose Process Type is Resource. Continue with Step 5.
For Standard Approval types, fill in the fields as follows:
| Field | Description |
|---|---|
| Approval Type | Serial: Select this option if you want the resource grant or revoke request to be approved by the approvers listed in the Approvers list. The approvers are processed sequentially in the order they appear in the list. Quorum: Select this option if you want the resource grant or revoke request to be approved in parallel and to be complete when the percentage of approvers specified is reached. For example, if you wanted to require that 25 percent of approvers in the list approve the condition, you would specify Quorum and specify a number; the value is assumed to be a percentage. |
| Approvers | An approver can be a user, group, or role. To add approvers: If Designer is not able to connect to the Identity Vault, you can add the approver manually by clicking in the row and typing the approver's distinguished name, for example, admin.novell. Only deployed roles can be specified. |
Save the Resource definition.
Table 12-2 Resource Overview Properties
| Property | Description |
|---|---|
| Identifier (CN) | The unique identifier for the resource. |
| Display Name | The text displayed as the Resource Name field in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Localizing Provisioning Objects. |
| Description | The text displayed as the Resource Description in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Localizing Provisioning Objects. |
| Categories | Allows you to categorize resources. Used for filtering resource lists in the User Application. The category names are defined in the directory abstraction layer Resource Category list. |
| Trustees | Specifies the users, groups, or containers that can read, compare, and browse the resources. (Read, compare, and browse are the default privileges.) |
| Owners | A user who is designated as the owner of the resource definition. The resource owner does not automatically have the authorization to administer changes to a resource definition. |