My name is Shawny Reiner. I'm a strategic systems consultant for Quest. I've been with Quest for about five years. In addition to being a Quest customer in the past, I've been in the IT industry for approximately 20 years with Active Directory as my primary focus.
On Demand Group Management, or ODGM, is a self-service group management solution that places the onus of group and membership management on the requester and the data owners, rather than the IT organization. Part of that management is the attestation process and workflows to assure group membership is certified and accurate.
Built into ODGM is the ability to create policies. Policies control the self-service creation and management of groups and ODGM resources. For more information on ODGM resources, refer to the video demonstration of this feature and available technical documentation. This short video is designed to demonstrate the policies feature of the On Demand Group Management solution.
The IT admin is responsible for setting up policy, security parameters, and attestation rules that govern how requesters and data owners will use the self-service portions of the ODGM solution. And all of this is controlled on the Settings page. And particularly, we're going to focus on policies today. You can create resource, group, and user policies. We're going to focus on resource and group today.
Resource and group are created exactly the same way, just used for different entities within ODGM. And the only difference between the creation is a resource has a resource type, and a group doesn't. And the resource type is really just an ease of administration categorization. So I'm going to demonstrate how to create a policy using the group feature. I've previously created one, but if you are creating a brand new one, you would just click Add for each of these things.
The first step is to create the group security levels. Let's look at the one I created for payroll. The options that you have when you're creating this is obviously to name it, to choose a security grade, to set attestation. And you have four different options for setting attestation-- the scope of who's in that attestation process, how long the attestation takes to complete.
The next step is a group naming rule. Again, I've created one ahead of time, but you can click the Add for a new one. Let's take a look at the payroll group naming. So you give it a name, obviously. You choose a connector, so what's going in between each of the words that you put in the group name. These are the connectors you can choose.
And then you can add these fields one at a time, meaning a field is each part of the name. So the first part, the second part, et cetera. In this case, I chose a fixed text, and I'm saying I want all my groups to start with the word payroll. These are your options though. You can do user attributes, value sets-- which are sort of expression rules-- fixed text, or flexible text. The second part of this rule is I want to allow the data owner to put in whatever else is necessary for the name of that group.
And then the final thing is the group category. And this is what ties it all together. During the creation of the group or the resource, you choose the category, and that's what actually applies all of the other parts of the policy. So let's take a look at the payroll category that I created. Gave it a name that's easily identified by the end user. The security level that I had created-- and you can see they're there for selection. The naming rule that I created, and then just gave it a quick description.
Now let's take a look at how this looks to the end user. We are in Paul's profile in the self-service portal. And he's going to use this to create a payroll group. So we're going to go to his gallery, to the groups. It would work the same if he was creating a resource. Say Add a Group.
He selects the type of group he wants to create, the category for payroll groups. And as you can see, our naming rule conventions are in place. And let's just say he's creating an analyst level one group. Notice it highlights if you type it wrong, because the connector in this case was a period, or a dot. I have to put that. The domain it's associated, or the tenant. A brief description. And a reason to the approver of this, which in this case is the directory admin.
You choose an owner. In this case, I'm going to choose myself to be the owner of this. And we'll put a first member in. Once that's completed, you can see he has a pending action here for the approver, which is the directory admin. So I'm going to go to the directory admin, take a look at my approvals. And I'm going to approve or reject. I can also view it to see what the reasons were. And now the group will be created and be available for requests. I hope you found this interesting. Again, please take a look at other resources available for ODGM.