Version: On prem: 15.0.1

Add self-management configuration to additional data object types

This instruction explains how to add self-management configuration to additional data object types based on an example.

However, remember, as a requirement, the data object type for which you need management support must conform to the following rules:

  • Have a text property that holds unique ID values.
  • Have a multivalued reference property for users representing the owners/managers of an object.
  • Optionally, use the EXPLICITOWNER property if owners/managers are exported from Omada Identity Data Warehouse.

Example

In the following example, as per the above-mentioned requirements, the data object type has the following properties:

  • name: Projects
  • system name: C_TRG_PROJECT.
  • ID property name: C_PROJECT_ID
  • owner/manager property name: OWNERREF.
Note: The following process is an example. Your organization may have more or fewer steps to go through to set up self-management for an additional object type for your organization's needs.

Follow these steps to add self-management configuration to additional data object types:

  1. On the data object type Projects, click Properties, then New > Reference property to create a new multivalued reference property for selecting projects.

  2. Type SM_Projects in the Name field, then type SMPROJECTS in the System Name field. The system name will be automatically prefixed with C_. Use this property when an end-user makes an access request to become a project owner and is prompted to state the projects for which the end user wants to become the owner.

  3. Go to Setup > Master Data > Resource Management > Attributes and click the New button to create a new attribute.

  4. In the Definition setting, select the SM_Projects property.

  5. Go to Setup > Master Data > Resource Management > Attribute sets and click the New button to create a new attribute set.

  6. Type Omada Identity Project Owner Attributes in the Name field, then click the lookup icon and select Projects as Attributes.

  7. Go to Setup > Master Data > Resource Management > Resource types and click the New button to create a new resource type.

    • As the System administrator, hold CTRL and right-click to open Form details.

    • Click the Design form button, and in the window that opens, locate the Self-management configuration property. In the right column, click the ellipsis (...) > Edit.

    • In the Form Field that opens, clear the Hidden (serverside) checkbox to make the Self-management configuration setting visible in the user interface. Click OK in all dialog boxes until you return to the New Resource type page.

    • In the Name field, type Omada Identity Project Owner Role.

    • In the Resource category field, choose Permission.

    • Select the Allow attributes checkbox to enable attributes, then select Omada Identity Project Owner Attributes in the Attribute set field.

    • In the Self-management configuration setting, paste the following text into the text box:

      <?xml version="1.0" encoding="UTF-8"?><selfMgmtConfig
      xmlns="http://schemas.omada.net/ois/2015/SelfMgmtConfigML"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      managedObjectType="C_Projects" idProperty="C_PROJECT_ID" ownerProperty="OWNERREF"
      idAttribute="C_SMPROJECTS" />

    • Furthermore, the self-management feature can manage the membership of an Enterprise Server user group (along with the management of the object ownerships):

      <?xml version="1.0" encoding="UTF-8"?><selfMgmtConfig
      xmlns="http://schemas.omada.net/ois/2015/SelfMgmtConfigML"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      managedObjectType="C_Projects" idProperty="C_PROJECT_ID" ownerProperty="OWNERREF"
      idAttribute="C_SMPROJECTS"
      managerGroup="b292cfd6-3b86-4337-8a62-0f711845c149"/>

      The managerGroup attribute denotes a UId of an Enterprise Server user group. When an identity has an assignment to the self management role, the user of the identity is also automatically added to that user group. If the identity is not assigned to the self management role, the user is removed from the user group.

      When the Governance for Omada Identity feature is installed, the managerGroup attribute is no longer respected. Instead, there is a management resource configured as a child resource for the self management role, which effectively implements the same logic. For more information on the management of user group memberships, refer to the Governance for Omada Identity capabilities documentation.

  8. Go to Setup > Master Data > Resource Management > Resource and click the New button to create a new resource.

    • In the Resource ID field, type the name OIM_PROJECTOWNER.
    • In the Name field, type the name Project Owner.
    • In the Resource type field, click the lookup icon to select the Omada Identity Project Owner Role, the resource type you just created.
    • In the System field, click the lookup icon and select Omada Identity.
    • In the Resource folder field, click the lookup icon and select OIS Roles, then click OK to save the settings for the resource and close the page.
    Info: There must be exactly one Resource type and one Resource per managed data object type.

  9. Restart the Omada Role and Policy Engine Service to make the system aware of the new configuration.

    You can now try to request the new resource in an access request. Then, the identity's manager must approve the requested access. RoPE then calculates the identity. When it is done, the identity is now the owner of Project 1.
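
A pre-paste check for the self-management configuration from step 7, added here as an example; it is not part of Omada's documentation or product code. It assumes that the four attributes present in both fragments are required, that managerGroup is optional, and that idAttribute carries the C_ prefix from step 2; lint_self_mgmt_config and the sample names are hypothetical.

```python
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.omada.net/ois/2015/SelfMgmtConfigML"
# Assumption: the four attributes present in both examples on the page are mandatory.
REQUIRED = ("managedObjectType", "idProperty", "ownerProperty", "idAttribute")
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"
# The page's second example, retyped with straight quotes.
SAMPLE_OK = '''<?xml version="1.0" encoding="UTF-8"?><selfMgmtConfig
  xmlns="http://schemas.omada.net/ois/2015/SelfMgmtConfigML"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  managedObjectType="C_Projects" idProperty="C_PROJECT_ID" ownerProperty="OWNERREF"
  idAttribute="C_SMPROJECTS"
  managerGroup="b292cfd6-3b86-4337-8a62-0f711845c149"/>'''
# Constructed bad inputs: missing C_ prefix plus truncated group UId; curly quotes.
SAMPLE_BAD = (SAMPLE_OK.replace('"C_SMPROJECTS"', '"SMPROJECTS"')
              .replace("-4337-8a62-0f711845c149", ""))
SAMPLE_CURLY = SAMPLE_OK.replace('version="1.0"', "version=\u201d1.0\u201d")


def lint_self_mgmt_config(text):
    """Return a list of findings; an empty list means the fragment passed."""
    findings = []
    if any(ch in text for ch in TYPOGRAPHIC_QUOTES):
        findings.append("typographic quotes present; XML needs straight quotes")
    try:
        root = ET.fromstring(text.strip().encode("utf-8"))
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{NS}}}selfMgmtConfig":
        findings.append(f"unexpected root element or namespace: {root.tag}")
    for name in REQUIRED:
        if not root.get(name, "").strip():
            findings.append(f"missing or empty attribute: {name}")
    # Assumption from step 2: custom system names carry the automatic C_ prefix.
    if root.get("idAttribute") and not root.get("idAttribute").startswith("C_"):
        findings.append("idAttribute lacks the C_ prefix")
    group = root.get("managerGroup")
    if group is not None:
        try:
            uuid.UUID(group)  # the page describes managerGroup as a user group UId
        except ValueError:
            findings.append(f"managerGroup is not a well-formed UId: {group!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("curly", SAMPLE_CURLY)):
        print(label, lint_self_mgmt_config(sample))
```

Because managerGroup drives automatic user group membership, a well-formed UId should still be compared against the intended Enterprise Server group before the service restart in step 9.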

Disabling self-management for a resource type

It is possible to disable the self-management for individual resource types. This would enable you to use a combination of the two methods.

To enable this option, remove the XML configuration from the Self-management configuration property on the Resource type that you want to handle manually. This property is hidden by default on the Resource type form.

You should also set the prevent self-service value to true on the Self-management Resource that refers to that resource type.

Info: It is then no longer possible to import ownerships from source systems via the Data Warehouse, and it is no longer possible to use the delegation for that ownership type.