Identity Manager Data Governance Edition 9.2 - User Guide


Account access modeling

Note: This functionality is not available for NFS or Cloud managed hosts.

Before managing user or group access to data (for details, see Managing account access), you may want to compare the access for two accounts, or model what would happen if you modified an account’s group membership.

Access modeling enables you to:

  • identify common or different access between two users or two groups
  • identify why two identities in the same department have different access rights
  • identify the access permissions granted or lost by adding/removing users to/from groups

The results of an account comparison show where the two accounts' access deviates (different access) and where the accounts hold identical access, or the same access obtained through different paths (similar access).

You can save the results in customized layouts that will help you to see where and if changes are required to your current account access. For ease of use, Data Governance Edition includes predefined layouts that allow you to see the types of access (differences only, similar only), rights held by the source account only, and rights held by the target account only.

The results of an account simulation show the rights that would be granted or revoked by the change made to an account's group membership.

Comparing accounts

Comparing accounts can help you understand the group deployment within your organization. You can easily investigate two groups with similar or identical permissions to determine groups that could be consolidated into one.

Comparing accounts can also be helpful as a troubleshooting tool. If two accounts should have the same access to a resource but one account is being denied access, you can compare their access to see where the differences are found and make the necessary adjustments.

Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.

To compare accounts

  1. Navigate to and select an account (through the Security Index node, Accounts view, Security editor, and so on).

  2. Select Account comparison in the Tasks view or right-click menu.
  3. Select one of the following options to define the type of access to be compared:

    • Compare explicit and indirect: Select this option to compare all access, including access granted through group membership. This option is selected by default.
    • Compare explicit: Select this option to compare access that has been granted explicitly.

    Note: For machine local trustees, well-known group accounts and built-in group accounts, the account comparison will compare only explicit rights, regardless of the option selected.

  4. The Source field defines the source account to be compared. By default, the selected account appears. Click the browse button to locate and select a different source account.

  5. The Target field defines the target account to be compared. Click the browse button to locate and select the target account.

  6. The Resource Types field defines the types of resources and the managed hosts to be included in the comparison. By default, all resource types and all managed hosts are included.

    Click the Change button to limit your comparison to selected resource types or managed hosts. Clicking the Change button displays additional fields allowing you to make your selections:

    • Host: Click the arrow control to select one or more managed hosts from a list of available managed hosts. To exclude a managed host, click the selected check box to clear it.
    • Type: Click the arrow control to select one or more types from a list of available resource types. To exclude a resource type, click the selected check box to clear it.

    Note: Running an account comparison against all hosts and resource types could take a significant amount of time to process. It is recommended that you select the hosts and resource types you are interested in to speed up the comparison process.

  7. Click Compare to run the account comparison for the selected accounts.

    For each resource path to which either account has access, the rights of both accounts are returned. If a column has no entry, that account has no access to the resource. See Account comparison results for more details on how to interpret the results.

  8. By default, the Default layout is used to display the results, which shows all resource access available. Other predefined layouts available include:

    • Rights Held by Source Only
    • Rights Held by Target Only
    • Show Differences
    • Show Similar Access

    NOTE: You can use the Layout controls to select a predefined layout for displaying data. If you do not see the Layout field or buttons, use the Toggle layout options task to display these controls.

    For more information, see Toggle layout options.

  9. (Optional) Click the Export to CSV button to export the results to a file. The Save As dialog appears allowing you to select the location where the report is to be saved and to specify a file name.

    Note: The exported .CSV file contains more information about the account comparison. For example, it contains the managed host ID which can be used to run scripts or commands against a particular managed host.

Account comparison results

The Account comparison feature in the Manager allows you to compare the access for two accounts. The results are grouped by:

  • Different: Shows account access that is different between the two accounts. That is, where only one account has access or where both accounts have different access to the resource.
  • Similar: Shows account access that is similar for both of the accounts. This can include access rights that are granted indirectly through the same or different group membership or explicitly through different user accounts.

The account comparison results contain the following details.

Different results

Table 45: Account comparison results: Different

Resource Name
  The name of the resource to which one or both of the selected accounts has access.

<Source Account>
  Indicates whether the Source account has access to the resource.

    • A blank means that the Source account does not have access to the resource. (Only the Target account has access to the resource.)
    • A green check mark means that the Source account has access to the resource. See the Right and Via Group columns to view the rights granted and whether access was granted directly or indirectly through group membership.

      • When the Source account is the only account with access, the type of access is displayed in the Right column.
      • When both accounts have access to the resource, but the type of access is different, the type of access is shown in parentheses after the check mark.

<Target Account>
  Indicates whether the Target account has access to the resource.

    • A blank means that the Target account does not have access to the resource. (Only the Source account has access to the resource.)
    • A green check mark means that the Target account has access to the resource. See the Right and Via Group columns to view the rights granted and whether access was granted directly or indirectly through group membership.

      • When the Target account is the only account with access, the type of access is displayed in the Right column.
      • When both accounts have access to the resource, but the type of access is different, the type of access is shown in parentheses after the check mark.

Right
  The type of access granted to the resource.

Via Group
  Displays the name of the account through which the displayed access (Right column) was granted.

    • When a group name appears, the account has indirect rights granted through group membership.
    • When the user name appears, the account has explicit rights to the resource.

Governed Resource
  Indicates whether the resource is governed:

    • True: Resource is governed.
    • Blank: Resource is not governed.

Similar results

Table 46: Account comparison results: Similar

Resource Name
  The name of the resource to which both of the selected accounts have similar access.

<Source Account>
  A green check mark indicates that the Source account has access to the resource.

    • When the same explicit rights are granted through different user accounts, the user account appears in parentheses (Via <User Name>).
    • When the same indirect rights are granted through different group membership, the group appears in parentheses (Via <Group Name>).
    • When the same indirect rights are granted through the same group membership, the group appears in the Via Group column.

<Target Account>
  A green check mark indicates that the Target account has access to the resource.

    • When the same explicit rights are granted through different user accounts, the user account appears in parentheses (Via <User Name>).
    • When the same indirect rights are granted through different group membership, the group appears in parentheses (Via <Group Name>).
    • When the same indirect rights are granted through the same group membership, the group appears in the Via Group column.

Right
  The type of access granted to the resources.

Via Group
  When rights are granted through the same group membership, the name of the group through which the access was granted.

Governed Resource
  Indicates whether the resource is governed:

    • True: Resource is governed.
    • Blank: Resource is not governed.

Simulating the effects of group membership modifications on an account

Simulating changes to group membership enables you to see the access that would be gained or removed if a user or group had a change to their existing group membership.

Note: Account membership simulation is not supported for machine local trustees, well-known group accounts or built-in group accounts.

Once you have reviewed the results of the simulation, and before making any changes to the group membership, investigate the group membership on all managed hosts for the selected user or group. For details, see Viewing group membership and Managing account access.

To simulate changes to group membership

  1. Navigate to and select an account (through the Security Index node, Accounts view, Security editor, and so on).

  2. Select Account simulation in the Tasks view or right-click menu.

  3. The Account field displays the selected account. Click the browse button to locate and select a different account.
  4. Select the type of modification to be simulated:

    • Remove from Group(s)
    • Add to Group(s)
  5. The Resource Types field defines the types of resources and the managed hosts to be included in the simulation. By default, all resource types and all managed hosts are included.

    Click the Change button to limit your simulation to selected resource types or managed hosts. Clicking the Change button displays additional fields allowing you to make your selections:

    • Type: Click the arrow control to select one or more types from a list of available resource types. To exclude a resource type, click the selected check box to clear it.
    • Host: Click the arrow control to select one or more managed hosts from a list of available managed hosts. To exclude a managed host, click the selected check box to clear it.

    Note: Running an account simulation for all hosts and resource types could take a significant amount of time to process. It is recommended that you select the hosts and resource types you are interested in to speed up the simulation process.

  6. Click the Select Groups button to select the groups to be used in the simulation.
  7. In the Remove Groups or Add Groups dialog, click the Browse Groups button to display the Select User or Group dialog. Locate and select the groups to be included in the simulation and click OK.

    The selected groups appear on the Remove Groups or Add Groups dialog.

    Click the Simulate button.

  8. The results of the simulation appear, showing:
    • For an Add to groups simulation, the resources the selected account would have access to if added to the specified groups.
    • For a Remove from groups simulation, the resources the selected account would no longer have access to if removed from the specified groups.

    See Account simulation results for a more detailed description of the simulation results.

  9. (Optional) Click the Export to CSV button to export the results to a file. The Save As dialog appears allowing you to select the location where the report is to be saved and to specify a file name.

    Note: The exported CSV file contains more information about the account simulation. For example, it contains the managed host ID which can be used to run scripts/commands against a particular managed host.

NOTE: You can use the Layout controls to select a predefined layout for displaying data. If you do not see the Layout field or buttons, use the Toggle layout options task to display these controls.

For more information, see Toggle layout options.
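The following is an added worked example, not code from Data Governance Edition or One Identity. It models, over constructed in-memory data, the two operations this section and the Comparing accounts section describe: an account comparison that sorts each resource into the Different or Similar group and fills the Via Group column only when both accounts reach the same right through the same group, and a membership simulation that reports the rights gained or lost. The group names, accounts, UNC paths, the Read < Modify < Full Control ordering, the rule that an explicit grant is shown in preference to an equal group grant, and the nested-group membership are all assumptions made for this example. It goes slightly beyond the text by handling nested groups, which is exactly the case where a simulation can report "nothing lost" even though a group was removed.

```python
"""Toy model of account comparison and group-membership simulation.

Added example, not Data Governance Edition code. It models the two
operations the guide describes (compare two accounts; simulate adding or
removing groups) over constructed data so the Different / Similar grouping
and the gained / lost results can be inspected directly.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Assumed ordering of rights, used to pick the strongest effective right
# (constructed for this example; real NTFS rights are far more granular).
RANK = {"Read": 1, "Modify": 2, "Full Control": 3}

# Constructed sample data: direct group membership (trustee -> groups) and
# explicit ACEs (resource -> {trustee or group: right}). Not a real environment.
MEMBERSHIP: Dict[str, Set[str]] = {
    "alice": {"Finance-RO", "Staff"},
    "bob": {"Finance-RW", "Finance-RO", "Staff"},
    "Finance-RW": {"Finance-RO"},   # nested: RW members are also RO members
}
ACL: Dict[str, Dict[str, str]] = {
    r"\\fs01\finance\budget.xlsx": {"Finance-RO": "Read", "Finance-RW": "Modify"},
    r"\\fs01\shared": {"Staff": "Read"},
    r"\\fs01\hr\reviews": {"alice": "Read", "bob": "Read"},
    r"\\fs01\audit": {"bob": "Full Control"},
}

Access = Tuple[str, str]  # (right, via): via is a group name or the account itself


def expand_groups(trustee: str, membership: Dict[str, Set[str]],
                  add: Iterable[str] = (), remove: Iterable[str] = ()) -> Set[str]:
    """Transitive group closure for a trustee, with optional direct-membership edits."""
    direct = (set(membership.get(trustee, set())) | set(add)) - set(remove)
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(membership.get(group, set()))
    return seen


def effective_access(trustee: str, acl: Dict[str, Dict[str, str]],
                     membership: Dict[str, Set[str]], explicit_only: bool = False,
                     add: Iterable[str] = (), remove: Iterable[str] = ()) -> Dict[str, Access]:
    """Resource -> (strongest right, how it was obtained); an explicit grant wins ties."""
    groups = set() if explicit_only else expand_groups(trustee, membership, add, remove)
    result: Dict[str, Access] = {}
    for resource, aces in acl.items():
        candidates = [(right, holder) for holder, right in aces.items()
                      if holder == trustee or holder in groups]
        if candidates:
            result[resource] = min(candidates,
                                   key=lambda c: (-RANK[c[0]], c[1] != trustee, c[1]))
    return result


def compare_accounts(source: str, target: str, acl: Dict[str, Dict[str, str]],
                     membership: Dict[str, Set[str]],
                     explicit_only: bool = False) -> List[Dict[str, object]]:
    """One row per resource either account can reach, grouped Different / Similar."""
    s = effective_access(source, acl, membership, explicit_only)
    t = effective_access(target, acl, membership, explicit_only)
    rows: List[Dict[str, object]] = []
    for resource in sorted(set(s) | set(t)):
        sa, ta = s.get(resource), t.get(resource)
        similar = sa is not None and ta is not None and sa[0] == ta[0]
        # Via Group is filled only when both hold the same right through the same group;
        # otherwise each side carries its own "via" (a different group or the account itself).
        via_group = sa[1] if similar and sa[1] == ta[1] else None
        rows.append({"resource": resource, "category": "Similar" if similar else "Different",
                     "source": sa, "target": ta, "via_group": via_group})
    return rows


def simulate_membership_change(trustee: str, acl: Dict[str, Dict[str, str]],
                               membership: Dict[str, Set[str]], add: Iterable[str] = (),
                               remove: Iterable[str] = ()) -> Tuple[Dict[str, Access], Dict[str, Access]]:
    """(gained, lost): resources whose effective right goes up or down after the change."""
    before = effective_access(trustee, acl, membership)
    after = effective_access(trustee, acl, membership, add=add, remove=remove)
    gained = {r: a for r, a in after.items()
              if r not in before or RANK[a[0]] > RANK[before[r][0]]}
    lost = {r: b for r, b in before.items()
            if r not in after or RANK[after[r][0]] < RANK[b[0]]}
    return gained, lost


if __name__ == "__main__":
    for row in compare_accounts("alice", "bob", ACL, MEMBERSHIP):
        print(row["category"], row["resource"], row["source"], row["target"], row["via_group"])
    # Removing bob from Finance-RO loses nothing: he still reaches it through Finance-RW.
    print(simulate_membership_change("bob", ACL, MEMBERSHIP, remove=["Finance-RO"]))
    print(simulate_membership_change("alice", ACL, MEMBERSHIP, add=["Finance-RW"]))
```

In the sample data, removing bob from Finance-RO reports no lost access because the nested Finance-RW membership still grants it; that is the situation the guide has in mind when it tells you to review group membership on all managed hosts before acting on a simulation result.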
