HelloID

Resources

Resources are objects that execute code in PowerShell target systems or PowerShell v2 target systems just prior to Enforcement.

To get started, Add a resource and Run with resources. Also see Resource create script.

Resources pair particularly well with Permissions. For example, the most common use case for resources is to dynamically create user groups in the target system based on Contracts data such as department, location, or job title. Thus, the target groups become available just-in-time for the enforcement process to grant group memberships via Permission entitlements.

Although creating target groups is the most common use case, resources can run any arbitrary PowerShell code. You are not limited to creating groups.

Tip

The key difference between Permissions and Resources is that HelloID tracks the state of permissions by treating them as Entitlements, whereas it does not track the state of resources. To verify whether a resource exists, you simply query the external system in your PowerShell code. This also means that there is no special way to "revoke" resources, beyond what you manually script.

When a resource script is executed (just prior to enforcement), it iterates over the selected Contracts field for all persons with a non-empty value. It performs one action in the target system per unique value found. For example, if five users have the department Marketing, three users have Engineering, two users have Sales, and one user has Administration, the resource script will create just four corresponding, unique groups: Marketing, Engineering, Sales, and Administration.

Be aware that if the raw source system data is inconsistent, you will end up with unwanted duplicate resource actions. For example, if one user in your organization's marketing department has the department Marketing, and another has MarketingDept, two unique groups will be created. To avoid this, inspect and clean your raw source data for the selected contract field and Run a manual import prior to creating the resource.
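
One way to inspect a contract field for inconsistent values before creating the resource, as an added example that is not HelloID's own code. The function name `Get-ResourceValueReport`, the sample values, and both heuristics are assumptions made for illustration; the page does not state how HelloID compares values, so exact string comparison is assumed.

```powershell
# Constructed sample: department values as they might appear on imported contracts.
$contractDepartments = @('Marketing', 'Marketing', 'MarketingDept', 'marketing ',
    'Engineering', 'Sales', 'Administration', '', $null)

# Hypothetical helper (not a HelloID cmdlet): reports values likely to yield duplicate resources.
function Get-ResourceValueReport {
    param([object[]]$Values)

    # Empty values are skipped by resources, so drop them first.
    $nonEmpty = @($Values | ForEach-Object { "$_" } |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

    # Distinct raw strings, compared exactly (assumption): one resource action each.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::Ordinal)
    foreach ($v in $nonEmpty) { [void]$set.Add($v) }
    $distinct = @($set | Sort-Object)

    # Heuristic 1: values that differ only by case, spacing or punctuation.
    $byKey = @($distinct | Group-Object { ($_ -replace '[^\p{L}\p{Nd}]', '').ToLowerInvariant() })
    $variants = @($byKey | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group -join ' | ' })

    # Heuristic 2: one normalized value is a prefix of another (Marketing / MarketingDept).
    $keys = @($byKey | ForEach-Object { $_.Name } | Where-Object { $_.Length -ge 3 })
    $overlaps = foreach ($short in $keys) {
        foreach ($long in $keys) {
            if ($short -ne $long -and $long.StartsWith($short, [StringComparison]::Ordinal)) {
                "$short -> $long"
            }
        }
    }

    [pscustomobject]@{
        DistinctValues   = $distinct
        SpellingVariants = $variants
        PrefixOverlaps   = @($overlaps)
    }
}

$report = Get-ResourceValueReport -Values $contractDepartments
$report | Format-List
if ($report.SpellingVariants -or $report.PrefixOverlaps) {
    Write-Warning 'Clean these values in the source system before creating the resource.'
}
```

Prefix overlaps are only candidates for review: two legitimately different departments can share a prefix, so confirm each flagged pair against the source system before changing data.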

Script execution time is capped at 10 minutes. If multiple resources exist, they run in parallel. Separate resource scripts cannot communicate with one another. There is no limit to the number of resources you can create.

Resources only support contract fields. They do not support person fields. If you need to configure a resource based on a person object field, then map the relevant field onto the contract schema in addition to the person schema in Source mappings.

Resources are not included in Evaluation. To preview a resource, use the preview feature associated with its PowerShell script.

All results are entered into the target system's Audit logs. Since resources are scoped to the target system, there will be no data in the Person column of the log entries.