15.3 Editing Resources

You can modify all the resource parameters except Level and Subcontainer. Identity applications allow you to edit each resource separately or multiple resources at once.

Editing individual resources: Select a resource from the list that you want to edit and perform any of the following operations:

Editing multiple resources at once: You can edit multiple resources as a group instead of repeating the same actions on each resource individually. Select the resources you want to manage from the list of resources. You can change Categories, Owners, Approval Details, and Resource Weightage for the resources you selected. You can also Append or Overwrite values for Categories and Owners for the selected resources. The Append option allows you to add values without altering the existing entries. The Overwrite option replaces the existing values with the values that you enter.

For more information, see Changing the Approval or Revocation Process.

Delete Resources: To delete any resource from the list, select the resource and click Delete.

What happens to existing resource assignments: When you delete a resource that already has one or more identities assigned to it, the system removes the resource from those identities. If the resource has been associated with a role, the system also removes all role associations that pertain to the deleted resource.

15.3.1 Setting Expiration Period for the Resource

To set the expiration period, enable Expiration required and set the number of Days/Months/Years after which access to the selected resource(s) should expire.

Expiration period sets the expiration date for a resource from the date of assignment.

Users can also request resources for a specific period on the Access > Request page. For more information, see Requesting Permissions in NetIQ Identity Manager - User’s Guide to the Identity Applications.

For more information, click on the Dashboard.

15.3.2 Assigning Weightage to the Resource

You can assign a resource weightage value to the resources with entitlement. The Role and Resource Service Driver (RRSD) uses this value to determine the order in which the resource entitlement is assigned and revoked in the connected system. This gives you control over the priority of assignment and revocation of entitlements. Supported values include 100, 200, 300, 400, and 500, where 100 has the highest priority and should be assigned first, followed by 200, and so on.

NOTE: The Resource Weightage option will not be available in the Dashboard if:

  • Identity Vault schema for resource weightage attribute is not updated.

  • User Application driver package and Role and Resource Service Driver are not updated to the latest version.

When assigning resource weightage, you should consider the following conditions:

  • A resource cannot be assigned if the user requests a resource with group entitlement before requesting the resource with user entitlement.

  • Resource weightage is only applicable when the resource is mapped to a role. For example, consider a user account entitlement and a group entitlement mapped to a role. The user account entitlement is assigned a weightage value of 100 and the group entitlement, a weightage value of 200. When you assign the role to a user, the RRSD driver determines the order of assignment based on resource weightage value set for each entitlement, and assigns the user account entitlement before the group entitlement. In case of revocation, the group entitlement is revoked and then the user account entitlement.

When you create a resource with entitlement, there is no weightage associated with it. However, while editing you can assign the weightage to one or more resources at the same time.

  1. From the list, select the resource(s) to which you want to assign a weightage.

  2. Click Edit Resources.

  3. Under the Details, Owners, and Approvals tab, select the required value from the Resource Weightage drop-down list.

    For example, if you have selected a resource with user account entitlement and want this resource to be assigned before the group entitlement, then you must assign a resource weightage value of 100 to the user account entitlement and the group entitlement resource any value other than 100 (say 300). The user is first assigned to the user account entitlement and then to the group entitlement.

  4. Click Apply.
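
The following added example (not part of the product or its documentation) checks the weightage of the resources mapped to one role before the role is assigned, and shows the resulting assignment and revocation order. The dictionary layout, the "kind" labels, and the resource names are hypothetical; the supported values and the ordering rule are the ones described in this section.

```python
# Added example: pre-flight check of resource weightage for one role.
# The record layout, "kind" labels and resource names are hypothetical.

VALID_WEIGHTS = (100, 200, 300, 400, 500)  # supported values from this section


def _weighted(resources, kind=None):
    """Resources that carry a supported weightage, optionally of one kind."""
    return [r for r in resources
            if r.get("weight") in VALID_WEIGHTS and kind in (None, r["kind"])]


def assignment_order(resources):
    """Lowest value (highest priority) is assigned first."""
    return [r["name"] for r in sorted(_weighted(resources), key=lambda r: r["weight"])]


def revocation_order(resources):
    """Revocation runs in the reverse of the assignment order."""
    return list(reversed(assignment_order(resources)))


def audit_role(resources):
    """Return a list of findings for the resources mapped to one role."""
    findings = []
    for r in resources:
        w = r.get("weight")
        if w is None:
            findings.append(f"{r['name']}: no weightage set")
        elif w not in VALID_WEIGHTS:
            findings.append(f"{r['name']}: unsupported weightage {w}")
    # A group entitlement must come strictly after every account entitlement.
    for g in _weighted(resources, "group"):
        for a in _weighted(resources, "account"):
            if g["weight"] <= a["weight"]:
                findings.append(f"{g['name']} ({g['weight']}) is not ordered "
                                f"after {a['name']} ({a['weight']})")
    return findings


# Constructed sample data.
ROLE_OK = [{"name": "Directory account", "kind": "account", "weight": 100},
           {"name": "Finance group", "kind": "group", "weight": 300}]
ROLE_BAD = [{"name": "Directory account", "kind": "account", "weight": 200},
            {"name": "Finance group", "kind": "group", "weight": 100},
            {"name": "VPN group", "kind": "group", "weight": None},
            {"name": "Mail account", "kind": "account", "weight": 150}]

if __name__ == "__main__":
    print(assignment_order(ROLE_OK), revocation_order(ROLE_OK))
    print("\n".join(audit_role(ROLE_BAD)))
```
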

15.3.3 Changing the Approval or Revocation Process

After you create a resource, you can modify the resource information and define the approval process for it. You can choose the role approval process to override the resource approval process.

You can define the approval process for a resource using one of the following options:

  • Serial Approval: Specify multiple approvers, and define the order by selecting an approver and moving that approver earlier or later in the order by clicking the arrows at the right of the approval list.

  • Quorum Approval: Specify the approvers, then use the slide bar to specify the percent of those approvers that are required to grant access.

  • Custom: Specify the customized approval process from the list that you want to use. The list displays the workflows that are defined using Designer.

    NOTE: You must set up this approval process in Identity Manager Designer. For more information, see NetIQ Identity Manager - Administrator’s Guide to Designing the Identity Applications.

If you choose None, no approvers are required for assigning the resources.

You can choose whether to have a revocation process. The revocation process can match the approval process, or you can define a different revocation process.

You can modify the expiration period for the selected resources. See Setting Expiration Period for the Resource.

15.3.4 Assigning Resource to Users

You can directly assign the selected resource to any user in your organization.

  1. Select a resource that you want to assign to users.

  2. In Resource Assignments, click +.

  3. Specify the Initial Request Description, and select the Recipients from the list.

    NOTE: In Initial Request Description, describe the purpose of assigning the resource to the users in the Recipients list.

  4. Click Assign Resource.

For more information, click on the Dashboard.

15.3.5 Updating the Resource Request Form

A resource form is used to gather necessary data to properly assign a resource. Create and define the fields for the resource.

This is an example of a resource form. The Region field is added for the Mobile resource. The following illustration displays the form at the time of the request.

Figure 15-1 Example Resource Request Form

You can assign a value to the field and select At request/assign time to allow users to specify the values at the time of request or resource assignment. If you want to assign values now, select Now.

In Data Value List, you can select one of the following data types to add a field into the request form:

  • Integer: This allows you to gather only numerical information about the selected resource. For example, if you need to gather information related to quantity or number of days, weeks, or hours, you can use this data type.

  • Boolean: This allows you to gather true/false information. For example, if the selected resource is a printer, you might need to confirm whether the requesters require a color printer or not. In this case, you can use this data type to provide an option to requesters.

  • List: This allows you to select values from the list. If you want users to select the defined values, you can provision the options using this data type. For example, if you want to know the time zone of the requester, you can provision this field by listing all the time zones for this field. For more information about creating such lists, see Creating a List to Improve Resource Request Forms.

  • String: This allows you to gather more information on a resource request. For example, if you want to know the reason for this request or assignment, you can use this data type for a field to gather this information.

NOTE: When you select the Now option in Assign Value, these fields appear on the request form at the time of request or assignment by default. If you want to hide these fields, select Hide.

For more information, click on the Dashboard.