The Account comparison feature in the Manager allows you to compare the access for two accounts. The results are grouped by:
- Different: Shows account access that is different between the two accounts. That is, where only one account has access or where both accounts have different access to the resource.
- Similar: Shows account access that is similar for both of the accounts. This can include access rights that are granted indirectly through the same or different group membership or explicitly through different user accounts.
The account comparison results contain the following details.
Different results
Table 56: Account comparison results: Different
| Column | Description |
| --- | --- |
| Resource Name | The name of the resource to which one or both of the selected accounts has access. |
| <Source Account> | Indicates whether the Source account has access to the resource. |
| <Target Account> | Indicates whether the Target account has access to the resource. |
| Right | The type of access granted to the resource. |
| Via Group | Displays the name of the account through which the displayed access (Right column) was granted. When a group name appears, this means that the account has indirect rights granted through group membership. When the user name appears, this means that the account has explicit rights to the resource. |
| Governed Resource | Indicates whether the resource is governed. True: Resource is governed. Blank: Resource is not governed. |
Similar results
Table 57: Account comparison results: Similar
| Column | Description |
| --- | --- |
| Resource Name | The name of the resource to which both of the selected accounts have similar access. |
| <Source Account> | A green check mark indicates that the Source account has access to the resource. When the same explicit rights are granted through different user accounts, the user account appears in parentheses (Via <User Name>). When the same indirect rights are granted through different group membership, the group appears in parentheses (Via <Group Name>). When the same indirect rights are granted through the same group membership, the group appears in the Via Group column. |
| <Target Account> | A green check mark indicates that the Target account has access to the resource. When the same explicit rights are granted through different user accounts, the user account appears in parentheses (Via <User Name>). When the same indirect rights are granted through different group membership, the group appears in parentheses (Via <Group Name>). When the same indirect rights are granted through the same group membership, the group appears in the Via Group column. |
| Right | The type of access granted to the resources. |
| Via Group | When rights are granted through the same group membership, the name of the group through which the access was granted. |
| Governed Resource | Indicates whether the resource is governed. True: Resource is governed. Blank: Resource is not governed. |
Simulating changes to group membership enables you to see the access that would be gained or removed if a user or group had a change to their existing group membership.
Note: Account membership simulation is not supported for machine local trustees, well-known group accounts or built-in group accounts.
Once you have reviewed the results of the simulation, and before making any changes to the group membership, investigate the group membership on all managed hosts for the selected user or group. For details, see Viewing group membership and Managing account access.
To simulate changes to group membership
- Navigate to and select an account (through the Security Index node, Accounts view, Security editor, etc.)
- Select Account simulation in the Tasks view or right-click menu.
- The Account field displays the selected account. Click the browse button to locate and select a different account.
- Select the type of modification to be simulated:
  - Remove from Group(s)
  - Add to Group(s)
- The Resource Types field defines the types of resources and the managed hosts to be included in the simulation. By default, all resource types and all managed hosts are included.
  Click the Change button to limit your simulation to selected resource types or managed hosts. Clicking the Change button displays additional fields allowing you to make your selections:
  Note: Running an account simulation for all hosts and resource types could take a significant amount of time to process. It is recommended that you select the hosts and resource types you are interested in to speed up the simulation process.
- Click the Select Groups button to select the groups to be used in the simulation.
- In the Remove Groups or Add Groups dialog, click the Browse Groups button to display the Select User or Group dialog. Locate and select the groups to be included in the simulation and click OK.
  The selected groups appear on the Remove Groups or Add Groups dialog.
  Click the Simulate button.
- The results of the simulation appear, showing:
  See Account simulation results for a more detailed description of the simulation results.
- (Optional) Click the Export to CSV button to export the results to a file. The Save As dialog appears allowing you to select the location where the report is to be saved and to specify a file name.
Note: The exported CSV file contains more information about the account simulation. For example, it contains the managed host ID which can be used to run scripts/commands against a particular managed host.
NOTE: You can use the Layout controls to select a predefined layout for displaying data. If you do not see the Layout field or buttons, use the Toggle layout options task to display these controls.
For more information, see Toggle layout options.
The account simulation feature allows you to simulate changes to group membership before making any changes to the group membership.
- For an "Add to Groups" simulation, you can see the resources the selected account will have access to if added to the specified groups.
- For a "Remove from Groups" simulation, you can see the resources the selected account would no longer have access to if removed from the specified groups.
The results generated by an account simulation contain the following details:
Table 58: Account simulation results
| Column | Description |
| --- | --- |
| Simulation Type | The type of simulation performed: Right Granted or Right Revoked. |
| Resource Name | The name of the resource to which the account would be granted or revoked access. |
| Resource Type | The type of resource. |
| Right | The access rights that would be granted or revoked. For an "Add to groups" simulation, the right to be granted is prefaced with a plus sign symbol. For a "Remove from groups" simulation, the right to be revoked is prefaced with a minus sign symbol. |
| Via Group | The name of the group through which access would be granted or revoked. |
| Governed Resource | Indicates whether the resource is governed. True: Resource is governed. Blank: Resource is not governed. |
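
One way to review an exported simulation before changing group membership, as an added example (not part of the product documentation or the product's own code): it groups the simulated changes by the group that conveys them and lists the governed resources affected. The CSV header names are assumed to match the Table 58 column names, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for an "Add to Group(s)" simulation. Header names
# are an assumption mirroring Table 58; the last row is deliberately malformed.
SAMPLE_CSV = r"""Simulation Type,Resource Name,Resource Type,Right,Via Group,Governed Resource
Right Granted,\\FS01\Finance,Folder,+Full Control,CORP\Finance-Admins,True
Right Granted,\\FS01\Finance\Reports,Folder,+Read,CORP\Finance-Readers,
Right Granted,\\FS02\HR,Share,+Modify,CORP\Finance-Admins,True
Right Granted,\\FS02\Public,Share,-Read,CORP\Finance-Readers,
"""
# Sign that prefixes the Right for each simulation type (per Table 58).
EXPECTED_SIGN = {"Right Granted": "+", "Right Revoked": "-"}


def load_rows(csv_text):
    """Parse the export and normalise the fields the review relies on."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        right = (rec.get("Right") or "").strip()
        rows.append({
            "type": (rec.get("Simulation Type") or "").strip(),
            "resource": (rec.get("Resource Name") or "").strip(),
            "right": right.lstrip("+-").strip(),
            "sign": right[:1] if right[:1] in ("+", "-") else "",
            "via": (rec.get("Via Group") or "").strip(),
            # "True" means governed, blank means not governed.
            "governed": (rec.get("Governed Resource") or "").strip().lower() == "true",
        })
    return rows


def review(rows):
    """Group changes by conveying group and list governed resources touched."""
    by_group, governed, inconsistent = defaultdict(list), set(), []
    for r in rows:
        want = EXPECTED_SIGN.get(r["type"])
        if want is None or (r["sign"] and r["sign"] != want):
            inconsistent.append(r)  # unknown type, or sign contradicts it
            continue
        by_group[r["via"]].append((want + r["right"], r["resource"]))
        if r["governed"]:
            governed.add(r["resource"])
    return dict(by_group), sorted(governed), inconsistent


if __name__ == "__main__":
    for part in review(load_rows(SAMPLE_CSV)):
        print(part)
```

Rows returned in the third list are set aside for manual checking instead of being counted, so a malformed or unexpected export does not silently understate the access change.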
Use the Add groups dialog to select the groups to be included in an add simulation. This dialog appears when you click the Select Groups button at the top of the Account Simulation view when performing an add to groups simulation.
This dialog contains the following controls:
Table 59: Select groups dialogs: Controls
| Control | Description |
| --- | --- |
| Groups list | Once groups have been selected, this list displays the groups to be included in the simulation. |
| Browse Groups | Click the Browse Groups button to display the Select User or Group dialog to locate and select the groups to be included in the simulation. |
| Simulate | After selecting the groups to be used in the simulation, click the Simulate button to initiate the simulation process. |
| Cancel | Click the Cancel button to close the dialog without saving your selections or launching a simulation. |