
Identity Manager Data Governance Edition 8.2 - User Guide


Cloning, replacing, and removing access for a group of accounts

When you select Manage access for a user or group, you see all the resources they have access to on the managed hosts within your organization. This access may be applied directly, indirectly (gained through group membership), or both.

From here, you can select to clone, replace, or remove access for a single account or for multiple users and groups at once. It is important to note that all actions are made on the actual security settings for the resource; actions will not alter group membership.

  • Cloning access grants the selected access to another user or group, while maintaining the existing rights on the selected account.
  • Removing direct access removes the security setting from the resource ACL. For indirect access, the group that is on the ACL is removed; the selected account (the one with the indirect access) remains a member of the group that had the access prior to the removal operation.
  • Replacing access grants the currently configured access to another user or group and removes the access from the original account.

You can view the progress of these changes by selecting Data Governance | Background Operations in the Navigation view.

To clone, replace, or remove access for a group of accounts

  1. In the Navigation view, select Data Governance | Security Index.
  2. In the Accounts result list, double-click a user or group, and select Manage access in the Tasks view.
  3. Browse through the managed hosts and resource types.
  4. In the bottom pane, select the resource and select one of the following tasks from the Tasks view:

    • Clone account access to copy the account access for a new user or group. Select the user or group that you want to have this access, and click OK.
    • Replace account to grant the currently configured access to another user or group. Select the user or group that you want to replace the existing user or group with, and click OK.
    • Remove account to remove the selected account's access from the resource. Click Yes on the confirmation dialog to confirm the operation.

Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.

Adding an account to a resource with no associated access information

Through Windows Active Directory, it is possible to have a resource without associated access information, whether through a null security descriptor (SD) or a null discretionary access control list (DACL). Such a resource is accessible by all groups and users.

Data Governance Edition enables you to put in place a security measure to eliminate this possibility by adding a user or group to ensure that all resources have access information.

To add an account to a null SD or null DACL

  1. In the Navigation view, select Data Governance | Security Index.
  2. In the Accounts result list, double-click the Null Security Descriptor Alias or the Null Discretionary Access Control List Alias account.

    Note: If you do not see a Null Security Descriptor Alias or Null Discretionary Access Control List Alias in the view, then you have no orphan SDs or DACLs.

  3. In the Tasks view, select Manage access.

    A list of managed hosts and the resources without assigned access is displayed.

  4. Double-click a managed host and select a resource type to see a list of resources with the Null Security Descriptor Alias or Null Discretionary Access Control List Alias.
  5. In the bottom pane, select the resource that you want to secure, and select Edit security in the Tasks view.
  6. In the Edit Resource Security dialog, specify the required permissions and control. Click Save to save your selections.
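
Added example, not part of the One Identity documentation or product code: a Python check that reads a self-relative Windows security descriptor and tells the null SD and null DACL conditions described in this section apart from an empty or populated DACL (the empty-DACL case goes beyond what the section covers). It assumes the caller already holds the descriptor bytes and passes b"" for a resource with no descriptor; the function names and sample descriptors are constructed for illustration.

```python
import struct

SE_DACL_PRESENT = 0x0004    # Control bit: the descriptor carries a DACL field
SE_SELF_RELATIVE = 0x8000   # Control bit: fields are offsets, not pointers

def classify_dacl(sd: bytes) -> str:
    """Return 'null-sd', 'null-dacl', 'empty-dacl' or 'has-aces'."""
    if not sd:
        return "null-sd"    # assumption: a missing descriptor arrives as b""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor header")
    # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision 1 self-relative descriptor")
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return "null-dacl"  # no DACL to evaluate: everyone gets full access
    if dacl_off + 8 > len(sd):
        raise ValueError("DACL offset points past the end of the buffer")
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    return "empty-dacl" if ace_count == 0 else "has-aces"

def open_to_everyone(sd: bytes) -> bool:
    """True for the two conditions the aliases above represent."""
    return classify_dacl(sd) in ("null-sd", "null-dacl")

def _header(control: int, dacl_off: int) -> bytes:
    return struct.pack("<BBHIIII", 1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, dacl_off)

# Constructed sample descriptors (not taken from a real host).
_ADMINS_SID = struct.pack("<BB6sII", 1, 2, b"\x00\x00\x00\x00\x00\x05", 32, 544)
_ALLOW_ACE = struct.pack("<BBHI", 0, 0, 8 + len(_ADMINS_SID), 0x001F01FF) + _ADMINS_SID
SAMPLES = {
    "no-descriptor": b"",
    "null-dacl": _header(SE_DACL_PRESENT, 0),
    "empty-dacl": _header(SE_DACL_PRESENT, 20) + struct.pack("<BBHHH", 2, 0, 8, 0, 0),
    "admins-only": _header(SE_DACL_PRESENT, 20)
    + struct.pack("<BBHHH", 2, 0, 8 + len(_ALLOW_ACE), 1, 0) + _ALLOW_ACE,
}

def exposed(samples: dict) -> list:
    """Names of resources that need an explicit account added."""
    return sorted(n for n, sd in samples.items() if open_to_everyone(sd))

if __name__ == "__main__":
    for name, sd in SAMPLES.items():
        print(f"{name:14} {classify_dacl(sd)}")
```

An empty DACL is the opposite case: it is present but has no entries, so it grants access to no one and is not reported by exposed().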

Working with security permissions

Access to data affects how employees can ultimately perform their day-to-day tasks. Through the Manager, administrators can manage and set permissions for network objects. For more information, see Viewing the security on objects.

Note: Access can also be granted through the web portal’s IT Shop. Employee access requests follow a defined approval process where authorized persons, the business owner and group owner, can approve or deny requests.

For more information, see Publishing resources to the IT Shop.

Before you can edit permissions, you must be granted the Data Governance | Access Managers application role.

Related Topics

Viewing the security on objects

Modifying discretionary access control list (DACL) permissions for NTFS resources

Modifying auditing system access control list (SACL) permissions for NTFS resources

Managing security deviations

Assigning an owner to a resource

Working with SharePoint security permissions

Viewing the security on objects

You can see and manage the security for a selected resource or a selected account. Once you have located an object, you can see:

  • The users and groups that have access to the object. These can be Active Directory users or groups or SharePoint groups.
  • The level of access, both DACL and SACL, for NTFS objects.
  • The permission level assigned to each user or group.

    For SharePoint, you can see the permissions associated with a particular permission level, and a summary of all the permissions granted by the combination of assigned permission levels.

  • Whether the object has inherited or unique permissions. You cannot edit inherited permissions; however, you can view the details of the assigned permissions.

    For SharePoint, you can switch between inherited and unique, and then configure the unique permissions.

  • The resource and business owner.

For details on managing security on objects, see:
