Modules - Property and licences [prp]

The module for managing property and licences (prp module) is a tool for creating sets of property or licences and assigning them to individual users. Since CzechIdM already has data about users and often manages the systems for which you purchase licences, it is a great idea to use it to manage your licences and property as well.

• at a glance you know how many items in a set you have so you know that
• you are paying for more licences than you really need
• you can use extra funds at the end of the year to purchase new laptops because there are no more available ones
• you can automate property and licence assignment based on the data from the HR system
• each set can have its own business owner who is informed if the items in the set are running out

Imagine you have a system managed from CzechIdM which has a limited number of licences available. Each licence cost you money. It would be great if you only paid for the licences you need…

Let's say that you manage Microsoft Office 365 licences simply by adding users as members of a group in MS AD. You have 30 licences for 'Microsoft Office 365 Enterprise E1' but if you use them all, provisioning will fail for the next user. But with this module, this is not an issue. The role assigning this licence will not be added to the user until a licence is available. Also, the set guarantors are notified that more licences are needed.

With this module, you can see how many licences you have in total and how many are available. Perhaps you pay for more licences than you really use. Or maybe you are hiring and you know you will need five more licences so you can purchase them in advance.

Since the module is using data from the HR system, once a user leaves the company, their licence is made available for the next user. This all happens without any action on your side.

Let's say that in your company every developer is given a more powerful laptop than users normally do. With our module, this assignment can be automated thanks to automatic roles. If the user is on a position "Developer" or in some defined treenode, the module can automatically note that the will get the laptop.

Using EAV attributes, you can add any number of data about the computer - its manufacturer, OS, the date it was purchased, or its price. And just like with licences, you know how many laptops are available at any time.

There are two main objects to consider: a set (of properties or licences), and a property (or a licence). Most of the behaviour is defined within sets. Each property must belong to a set.

A set is a collection of property or licences. All items in the set are equal. The behavior and property of items are defined in the set.

An example of a set can be for example 'Microsoft Office 365 Enterprise E1 licence' or 'Laptops for developers'. Each property must be saved within a set.

An ideal set should be:

1. specific enough, so that everyone can understand what the property in this set have in common
2. specific enough, so that a limited number of owners (guarantors) can be defined
3. generic enough, so that multiple property can be subsumed under it

Property or licence in a set is assigned to users thanks to role assignment. When the user is assigned the role, they also receive the item from the set. This allow users to use more advanced features such as automatic roles, approval or business roles.

Start by creating the role itself. Set role can be easily created in set detail, see here.

Each role can only be used for one set, i. e., one role cannot assign items from two sets. If this is necessary, use business roles instead.

Since version 1.1.0, if the role is assigned to users before a set role is created, the relevant property will be assigned to users if enough items is available. If not, set role cannot be created and either the role needs to be removed from users or more items need to be added to the set.

Each set can have its own owners (guarantors), whose responsibility it is to ensure the condition of their sets. See more details here.

When the items in a set are running out, a notification can be sent to guarantors. This is ensured by the task 'Send notification to set guarantors when items in sets are running out'. By default, it is configured to run daily and notify guarantors when fewer than 3 items in the set are remaining. This setting can be globally changed in the Task scheduler.

When no items are available in a set and a user is assigned a set role, a notification is sent to the guarantors to fix the situation because in those cases, the role is not added to the user. See more details here.

You can create a report of all sets and get a nice overview of each set including information about guarantors, roles and the amount of property. See more details here.

You can use a task to import sets. This is useful if you have a large number of sets. See more details here.

Property is an object assigned to users (licence is also a property). A property always must be located in a set. Once the property is created, its set cannot change. Property has some existing attributes (description, serial number), or you can easily create your own using EAV attributes.

Property can also be disabled. If a user is assigned the property already, nothing happens. But if the property is not assigned, it will not be assigned again until it is enabled.

There are two ways of creating new a property or licence: individually, or in bulk.

When creating an item individually, you can fill all the data relevant to the property or licence using the standard menu:

When creating items in bulk, you only specify how many items are to be created. Their code and names are then generated based on the code of the set:

Property is assigned to users simply by assigning a role which is configured in set detail. After the role assignment is approved, the property is assigned to the user (if available).

If no property is available in the set, the role is not assigned and set guarantors are notified. If the relevant role is assigned to the user thanks to a business role, then the entire business role will not be assigned. Once property becomes available (either new property is added, or existing property is unassigned from a user), both the role and the property are assigned.

There is currently no way of requesting a specific item from a set. The user is always assigned the first available property.

A user can only be assigned one item in a set. If they are assigned another set role for the same set, they will not receive another property.

Property itself does not cause provisioning. Use standard role configuration to ensure provisioning. You can also prevent provisioning if no item in a set is available. This is thanks to the fact that in such cases the role is not assigned to the user.

Each set can have its own attributes to which you can create values for individual property. This allows you to have a different set of attributes for cars, mobile phones, or licences. See this GIF to learn how to add new attribute to items in a set.

You can create a report of all property and get a nice overview of property in sets including information about assignment to users. See more details here.

You can use a task to import property. This is useful if you have a large number of property. See more details here.

See more details here.