Modules - Property and licences [prp]

The module for managing property and licences (prp module) is a tool for creating sets of property or licences and assigning them to individual users. Since CzechIdM already has data about users and often manages the systems for which you purchase licences, it is a great idea to use it to manage your licences and property as well.

• At a glance, you know how many licenses you have available and used.
• You don't pay for licenses that you don't actually need.
• You can use extra funds at the end of the year to purchase new HW because you know, there is no unassigned one.
• You can automate property and licence assignment based on the data from the HR system.
• Each license or property set can have its own business owner who is informed if the items in the set are running out.
• Set items can be assigned automatically or be assigned manually by set owner.

Imagine you have a system managed from CzechIdM which has a limited number of licences available. Each licence cost you money. It would be great if you only paid for the licences you need…

Let's say that you manage Microsoft Office 365 licences simply by adding users as members of a group in MS AD. You have 30 licences for 'Microsoft Office 365 Enterprise E1' but if you use them all, provisioning will fail for the next user. But with this module, this is not an issue. The role assigning this licence will not be added to the user until a licence is available. Also, the set guarantors are notified that more licences are needed.

With this module, you can see how many licences you have in total and how many are available. Perhaps you pay for more licences than you really use. Or maybe you are hiring and you know you will need five more licences so you can purchase them in advance.

Since the module is using data from the HR system, once a user leaves the company, their licence is made available for the next user. This all happens without any action on your side.

Let's say that in your company every developer is given a more powerful laptop than regular employees usually get. With our module, this assignment can be automated thanks to automatic roles. If the user is on a position "Developer" or in some defined treenode, the module can automatically ensure that he will get the more powerful laptop.

Sets of laptops can be configured so that the set owner decides which laptop each developer will receive and record it's S/N.

Using EAV attributes, you can add any number of data about the computer - its manufacturer, OS, the date it was purchased, or its price. And just like with licences, you know how many laptops are available at any time.

There are two main objects to consider: a set (of properties or licences), and a property (or a licence). Most of the behaviour is defined within sets. Each property must belong to a set.

A set is a collection of property or licences. For each set it can be configured whether all items in set are equal/indistinguishable (like in licence pool where only used licence count is important) or unique/distinguishable (like set of laptops where every user is responsible for the one received so there must be agenda of who got what). The behavior and property of items are defined in the set.

An example of a set can be for example 'Microsoft Office 365 Enterprise E1 licence' or 'Laptops for developers'. Each property must be saved within a set.

An ideal set should be:

1. specific enough, so that everyone can understand what the property in this set have in common
2. specific enough, so that a limited number of owners (guarantors) can be defined
3. generic enough, so that multiple property can be subsumed under it

There are three configuration flags:

1. Multiple items per user - if checked, each role assigning item from set assign item separately. Example: Having set of monitors with this options checked, you can create roles role_monitor and role_other_monitor assigning items from this set and to assign two monitors to user just assign him both roles (in case this option is not checked, he will receive only one monitor even having two different roles assigning it)
2. Select property to assign - if checked, when role assigning an item is granted to user, property is not assigned automatically, but there is a request created for set guarantees (or administrator in case there are no set guarantees) to select item from set and assign it to user (in case this option is not checked, first available item is assigned automatically)
3. Confirm property was taken from user - if checked, when role assigning an item is removed from user, property is not unassigned automatically, but there is a request created for set guarantees (or administrator in case there are no set guarantees) to confirm the item was taken from user (in case this option is not checked, item is returned to pool automatically)

Property or licence in a set is assigned to users thanks to role assignment. When the user is assigned the role, they also receive the item from the set. This allow users to use more advanced features such as automatic roles, approval or business roles.

Start by creating the role itself. Set role can be easily created in set detail, see here .

Each role can only be used for one set, i. e., one role cannot assign items from two sets. If this is necessary, use business roles instead.

Since version 1.1.0, if the role is assigned to users before a set role is created, the relevant property will be assigned to users if enough items is available. If not, set role cannot be created and either the role needs to be removed from users or more items need to be added to the set.

Since version 1.2.0, you can choose in set settings whether first available property is assigned with role (unchecked "Select property to assign") or request is created for set guarantees to choose property to be assigned (checked "Select property to assign). Moreover you can choose whether just one property is assigned even by assigning multiple different roles to user (unchecked "Multiple items per user") or each different role assigns its own property (checked "Multiple items per user").

Each set can have its own owners (guarantors), whose responsibility it is to ensure the condition of their sets. See more details here.

When the items in a set are running out, a notification can be sent to guarantors. This is ensured by the task 'Send notification to set guarantors when items in sets are running out'. By default, it is configured to run daily and notify guarantors when fewer than 3 items in the set are remaining. This setting can be globally changed in the Task scheduler.

When no items are available in a set and a user is assigned a set role, a notification is sent to the guarantors to fix the situation because in those cases, the role is not added to the user. See more details here.

You can create a report of all sets and get a nice overview of each set including information about guarantors, roles and the amount of property. See more details here.

You can use a task to import sets. This is useful if you have a large number of sets. See more details here.

Property is an object assigned to users (licence is also a property). A property always must be located in a set. Once the property is created, its set cannot change. Property has some existing attributes (description, serial number), or you can easily create your own using EAV attributes.

Property can also be disabled. If a user is assigned the property already, nothing happens. But if the property is not assigned, it will not be assigned again until it is enabled.

There are two ways of creating new a property or licence: individually, or in bulk.

When creating an item individually, you can fill all the data relevant to the property or licence using the standard menu:

When creating items in bulk, you only specify how many items are to be created. Their code and names are then generated based on the code of the set:

Property is assigned to users simply by assigning a role which is configured in set detail. After the role assignment is approved, in case "Select property to assign" is unchecked, the property is assigned to the user (if available), in case "Select property to assign" is checked, request is created for set guarantees to choose property to be assigned.

In case "Select property to assign" is unchecked, if no property is available in the set, the role is not assigned and set guarantors are notified. If the relevant role is assigned to the user thanks to a business role, then the entire business role will not be assigned. Once property becomes available (either new property is added, or existing property is unassigned from a user), both the role and the property are assigned.

In case "Multiple items per user" is unchecked, a user can only be assigned one item in a set. If they are assigned another set role for the same set, they will not receive another property. In case "Multiple items per user" is checked, every set role for the same set assignes different item from the set.

Since version 1.2.0, an item assigned to a user can be swapped for a different one. It can be performed by action button "Swap item" from table of items:

or from detail page of the assigned item:

These buttons will pop up modal dialog with prefilled readonly currently assigned item and select box for new item to be assigned instead (you can choose from all unassigned enabled items from the same set):

In case item has serial number filled, you can see it there as part of item name.

Property itself does not cause provisioning. Use standard role configuration to ensure provisioning. You can also prevent provisioning if no item in a set is available. This is thanks to the fact that in such cases the role is not assigned to the user.

Each set can have its own attributes to which you can create values for individual property. This allows you to have a different set of attributes for cars, mobile phones, or licences. See this GIF to learn how to add new attribute to items in a set.

You can create a report of all property and get a nice overview of property in sets including information about assignment to users. See more details here.

You can use a task to import property. This is useful if you have a large number of property. See more details here.

See more details here.