If you no longer need a permission level, you can delete it.
Note: When you delete a permission level, you may be leaving users or groups without their accustomed access to SharePoint. Ensure that you have assigned appropriate permission levels to all affected accounts before deleting a permission level.
To delete a SharePoint permission level
- In the Resource browser, double-click through the farm to locate the required resource.
The security for the resource displays in the lower pane.
- In the lower pane, click the Permission Levels toolbar button.
- In the Permission Levels dialog, select the permission level to be removed.
- Click Delete.
- Click Yes on the confirmation dialog.
- Click OK to exit the Permission Levels dialog.
You can change the permissions in a permission level, and the name or description.
To modify an existing SharePoint permission level
- In the Resource browser, double-click through the farm to locate the required resource.
The security for the resource displays in the lower pane.
- In the lower pane, click the Permission Levels toolbar button.
- In the Permission Levels dialog, in the Permission Levels pane (left pane) select the permission level to be modified and click Modify.
- Modify the name, description and included permissions as needed.
- Click OK to save your selections and close the Permissions dialog.
Note: This functionality is not available for NFS or Cloud managed hosts.
Before managing user or group access to data (for details, see Managing account access), you may want to compare the access for two accounts, or model what would happen if you modified an account’s group membership.
This enables you to model access including:
- identify common or different access between two users or two groups
- identify why two employees in the same department have different access rights
- identify the access permissions granted or lost by adding/removing users to/from groups
The results of an account comparison shows where there are deviations between the two account's access (different access); and where the accounts hold identical access or have the same access but it was obtained differently (similar access).
You can save the results in customized layouts that will help you to see where and if changes are required to your current account access. For ease of use, Data Governance Edition includes predefined layouts that allow you to see the types of access (differences only, similar only), rights held by the source account only, and rights held by the target account only.
The results of an account simulation shows the rights that would be granted or revoked based on the change made to an account's group membership.
Comparing accounts can help you understand the group deployment within your organization. You can easily investigate two groups with similar or identical permissions to determine groups that could be consolidated into one.
Comparing accounts can also be helpful as a troubleshooting tool. If two accounts should have the same access to a resource but one account is being denied access, you can compare their access to see where the differences are found and make the necessary adjustments.
Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.
To compare accounts
-
Navigate to and select an account (through the Security Index node, Accounts view, Security editor, and so on)
- Select Account comparison in the Tasks view or right-click menu.
-
Select one of the following options to define the type of access to be compared:
Note: For machine local trustees, well-known group accounts and built-in group accounts, the account comparison will compare only explicit rights, regardless of the option selected.
-
The Source field defines the source account to be compared. By default, the selected account appears. Click the browse button to locate and select a different source account.
-
The Target field defines the target account to be compared. Click the browse button to locate and select the target account.
-
The Resource Types field defines the types of resources and the managed hosts to be included in the comparison. By default, all resource types and all managed hosts are included.
Click the Change button to limit your comparison to selected resource types or managed hosts. Clicking the Change button displays additional fields allowing you to make your selections:
Note: Running an account comparison against all hosts and resource types could take a significant amount of time to process. It is recommended that you select the hosts and resource types you are interested in to speed up the comparison process.
-
Click Compare to run the account comparison for the selected accounts.
For each resource path to which either account has access, the rights of both accounts are returned. If a column has no entry, that account has no access to the resource. See Account comparison results for more details on how to interpret the results.
-
By default, the Default layout is used to display the results, which shows all resource access available. Other predefined layouts available include:
- Rights Held by Source Only
- Rights Held by Target Only
- Show Differences
-
Show Similar Access
NOTE: You can use the Layout controls to select a predefined layout for displaying data. If you do not see the Layout field or buttons, use the Toggle layout options task to display these controls.
For more information, see Toggle layout options.
-
(Optional) Click the Export to CSV button to export the results to a file. The Save As dialog appears allowing you to select the location where the report is to be saved and to specify a file name.
Note: The exported .CSV file contains more information about the account comparison. For example, it contains the managed host ID which can be used to run scripts or commands against a particular managed host.