Identity Manager Data Governance Edition 8.2.1 - User Guide

Permission levels dialog

The Permission levels dialog allows you to view the permissions contained in a SharePoint permission level. From this dialog, you can also create a new SharePoint permission level, or modify or remove an existing one. This dialog appears when you click the Permission Levels toolbar button in the lower pane of the Resource browser.

Note: You must be assigned the Manage Permissions permission for the site collection in order to create or modify permissions.

This dialog contains the following controls.

Table 30: Permission levels dialog: Controls

Permission Levels
In the left pane, select a permission level to display its permissions.

Permissions
The permissions included in the selected permission level are displayed in the right pane.

New
Click the New button to create a new permission level. Clicking this button allows you to enter a unique name and description for the new permission level, as well as select the permissions to be included.

Modify
Click the Modify button to modify the permission level selected in the left pane. Clicking this button displays the Permissions dialog, allowing you to modify the name, description, and included permissions as needed.

Delete
Click the Delete button to delete the permission level selected in the left pane.

OK
Click the OK button to save your selections and close the dialog.

Cancel
Click the Cancel button to close the dialog without saving your selections.

Manage access view

The Manage access view appears when Manage access is selected from the tasks view. From this view, you can see the access for the selected account on all managed hosts within your environment and detailed group membership information. This view consists of the following panes:

  • Access Points: The main pane shows the result of a database query that retrieves the hosts a trustee has access to.

    Note: By default, the Filter builtin accounts (Administrators and Users) check box is selected indicating that noisy accounts (that is, accounts with indirect access granted through the BUILTIN\Administrators or BUILTIN\Users accounts) are not included in the view. To include these accounts in the Access Points pane, clear the check box at the top of the view.

  • Detailed Access Information: The lower pane is the result of an agent query that retrieves more information about the resource selected in the Access Points pane.
  • Group Memberships: The left pane displays the group membership information that the Data Governance server resolved from Active Directory.

By default, the results in the Access Points pane are grouped by the host name of the managed host. Expand a managed host and select an account in the Access Points pane to display all the resources where the selected user or group has access. Click the Group Memberships tab to view how the account has gained access through group membership. Selecting an account in the Group Memberships pane retrieves and displays the hosts where the selected trustee has access.

Note: This view is not available for NFS managed hosts.

When a resource is selected in the lower pane, you can perform the following tasks.

Table 31: Manage access view: Resource-related tasks

Calculate perceived owners
Calculates and provides a list of the perceived owners for the selected resource using the resource activity history or security information.
NOTE: Task is not available for files.
For more information: Calculating perceived owner

Clone account access
Copies the access rights to grant the selected access to another user or group, while maintaining the existing rights on the selected account.
For more information: Cloning, replacing, and removing access for a group of accounts

Copy resource path
Copies the full path of the resource to the clipboard.

Copy Share Path
Copies the path of the share to the clipboard.
NOTE: Task is not available for files or folders.

Edit security
Displays the Edit Resource Security dialog, allowing you to manage the security settings for the selected resource. Right-clicking an account on this dialog allows you to perform the following tasks:
  • Add rights
  • Remove selected permissions
  • Remove all explicit permissions
NOTE: This dialog is the same view displayed in the lower pane of the Resource browser and Deviation view when a resource is selected.
For more information: Working with security permissions

Place resource under governance
Places the selected resource under governance, making it available for use in policies and attestations.
NOTE: Task is not available for files.
For more information: Placing a resource under governance

Publish to IT Shop
Publishes the selected resource to the IT Shop, making it available for employees and business owners to request and grant access to it.
NOTE: Task is not available for files.
NOTE: Not available for resources on Cloud managed hosts.
For more information: Publishing resources to the IT Shop

Refresh
Retrieves and displays the latest details in the lower pane of the view.

Remove account
Removes the selected account's access from the resource.
For direct access, this removes the security setting from the resource ACL. For indirect access, it removes the group that is on the ACL; the selected account (the one with the indirect access) remains a member of the group that had the access prior to the removal operation.
For more information: Cloning, replacing, and removing access for a group of accounts

Remove resource from governance
Removes the selected resource from governance.
NOTE: Task is not available for files.
For more information: Removing resources from governance

Replace account
Replaces access to grant the currently configured access to another user or group and removes the access from the original account.
For more information: Cloning, replacing, and removing access for a group of accounts

Resource access report
Generates a report that identifies the accounts that have access to specific resources within your environment.
For more information: Resource access report; Viewing selected reports within the Manager

Resource activity report
Generates a report that provides a list of activities recorded over a period of time to verify proper resource usage and decide whether to remove access for particular accounts.
NOTE: Not available for resources on Cloud managed hosts.
For more information: Resource activity report; Viewing selected reports within the Manager

Toggle layout options
Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed.
For more information: Toggle layout options

Unpublish from IT Shop
Removes a previously published resource from the IT Shop.
NOTE: Not available for resources on Cloud managed hosts.
For more information: Publishing resources to the IT Shop

View deviations
Displays a tree view of all resources and sub-resources below the root that have explicit security applied to them, along with any deviation warnings or errors encountered for the selected resource. As you select resources in the tree, you can view and manage their security.
NOTE: Task is not available for files or shares.
NOTE: Not available for resources on Cloud managed hosts.
For more information: Managing security deviations

In addition, you can open the following views.

Table 32: Manage access view: Views

Account overview
Displays a graphical representation of the information returned by a Data Governance agent for the selected account.
For more information: Accounts view

Hosts view
Displays the managed hosts where the selected account has access.

Account comparison
Displays the Account Comparison view, allowing you to compare the resource access of two accounts.
NOTE: This feature is not available for Cloud accounts.
For more information: Comparing accounts

Account simulation
Displays the Account Simulation view, allowing you to simulate changes to group membership to see the access that would be granted or revoked.
NOTE: This feature is not available for Cloud accounts.
For more information: Simulating the effects of group membership modifications on an account

Related Topics

Edit resource security dialog

Edit resource security dialog

The Edit resource security dialog allows you to view or modify the security settings for the selected resource. This dialog appears when you select the Edit security task for a given resource on the Manage access view.

This dialog contains the following controls.

Table 33: Edit Resource Security dialog: Controls

Share Permissions tab
Use the Share Permissions tab to modify the permissions for shares. This tab is displayed when a share is selected.
  • Rights: Click the Rights column to alter the permissions as required.

File Permissions / Folder Permissions tab
Use the File Permissions or Folder Permissions tab to modify discretionary access control list (DACL) permissions for NTFS resources.
  • Rights: Click the Rights column to alter the permissions as required.
  • Applies To: Click the Applies To column to select how you want the permissions applied.

Auditing tab
Use the Auditing tab to modify auditing system access control list (SACL) permissions for NTFS resources.
  • Rights: Click the Rights column to alter the permissions as required.
  • Applies To: Click the Applies To column to select how you want the permissions applied.

Control tab
Use the Control tab to configure DACL inheritance settings.
  • Current Owner of this item: Displays the current owner of the selected resource.
  • Change Owner: Click the Change Owner button to change the owner for the selected resource. Clicking this button displays the Select User or Group dialog, allowing you to locate and select a different owner.
  • Inheritance From Parent: Use these options to define how you want the settings to be inherited:
      • Allow inheritable permissions from the parent to propagate to this object and all child objects
      • Allow inheritable audit settings from the parent to propagate to this object and all child objects

NOTE: Clearing either of these check boxes causes inheritance to be blocked. Select the appropriate option on the Block Access Inheritance dialog before clicking OK to confirm this change:
  • Copy all permissions inherited from parent and make explicit (default)
  • Remove all permissions inherited from parent

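
The two Block Access Inheritance options correspond to the two ways an NTFS DACL can be protected. The following added PowerShell example (not part of Data Governance Edition or its PowerShell module) reproduces both outcomes on a test folder with the built-in Get-Acl and Set-Acl cmdlets; the folder path and the use of the current account for the explicit entry are assumptions.

```powershell
# Added example (not part of Data Governance Edition or its PowerShell module):
# reproduces the two Block Access Inheritance outcomes on an NTFS folder's DACL
# with the built-in Get-Acl / Set-Acl cmdlets.
$Path = 'C:\Temp\GovernanceTest'   # assumed test folder; use one you own
New-Item -ItemType Directory -Path $Path -Force | Out-Null

function Show-Dacl {
    param([string]$FolderPath)
    # IsInherited = True marks entries propagated from the parent; explicit
    # entries (what the Edit security dialog treats as explicit) show False.
    (Get-Acl -Path $FolderPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

function Set-InheritanceBlock {
    param([string]$FolderPath, [bool]$Block, [bool]$KeepInheritedAsExplicit)
    $acl = Get-Acl -Path $FolderPath
    # SetAccessRuleProtection(isProtected, preserveInheritance):
    #   ($true, $true)  = "Copy all permissions inherited from parent and make explicit"
    #   ($true, $false) = "Remove all permissions inherited from parent"
    #   ($false, ...)   = inheritance re-enabled; entries from the parent return
    $acl.SetAccessRuleProtection($Block, $KeepInheritedAsExplicit)
    Set-Acl -Path $FolderPath -AclObject $acl
}

# One explicit entry for the current account (assumed to be the folder owner),
# so the folder never ends up with an empty DACL when inherited entries go.
$acl  = Get-Acl -Path $Path
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $me, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

'Before: inherited entries (IsInherited = True) plus one explicit entry'
Show-Dacl -FolderPath $Path

'Option "Remove all permissions inherited from parent": only the explicit entry is left'
Set-InheritanceBlock -FolderPath $Path -Block $true -KeepInheritedAsExplicit $false
Show-Dacl -FolderPath $Path

# Re-enable inheritance so the default option starts from inherited entries again.
Set-InheritanceBlock -FolderPath $Path -Block $false -KeepInheritedAsExplicit $false

'Option "Copy ... and make explicit" (default): same entries, all now IsInherited = False'
Set-InheritanceBlock -FolderPath $Path -Block $true -KeepInheritedAsExplicit $true
Show-Dacl -FolderPath $Path
```

The audit-settings check box on the same tab maps to the SACL in the same way, through SetAuditRuleProtection with the same two arguments.
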
Related Topics

Working with security permissions

Modifying discretionary access control list (DACL) permissions for NTFS resources

Modifying auditing system access control list (SACL) permissions for NTFS resources

Working with SharePoint security permissions

Managing security deviations

Managing account access

Accounts view

The Accounts view appears when Accounts view is selected from the tasks list or right-click menu. The Accounts view displays the security information returned by Data Governance agents for the selected managed host. All resource types where users or groups have some level of access are included.

You can display the Accounts view from the following views in the Manager:

  • Managed hosts view
  • Resource browser
  • Governed data view

Note: This view is not available for NFS managed hosts.

The following table describes the default information displayed for each account.

Table 34: Accounts view: Default layout

Resource Type
The type of resource:
  • File
  • Folder
  • Local User Rights
  • Operating System Administrative Rights
  • Share
  • Windows Service Identity
NOTE: By default, the display is grouped by resource type. Click the expansion box to the left of a resource type to display all of the accounts that have access.

Account Name
The name of the account that has access.

Account Type
The type of account:
  • Built-in Group
  • Group
  • Special
  • Unknown
  • Machine Local User
  • Office 365 User
  • OneDrive for Business Group
  • SharePoint Online Group
  • User
  • Well known

Namespace
The logical group (namespace) to which the account belongs:
  • Cloud
  • NTFS
  • Windows Computer
  • Service Identities

In addition to the default columns, you can add the following columns to the view using the Column Chooser command.

NOTE: Right-click the column header and select Column Chooser to add hidden columns to the display. In the Customization dialog, double-click the required column or drag and drop it onto the column header bar.

To hide a column, right-click the column header and select Remove This Column. The column is now listed in the Customization dialog and can be re-added to the view as explained above.

Table 35: Accounts view: Hidden columns

Security Identifier (SID)
The security identifier (SID) assigned to the account.