Chat now with support
Chat with Support

Identity Manager Data Governance Edition 9.0 LTS - User Guide

One Identity Manager Data Governance Edition User Guide Data Governance node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting EMC, NetApp Filer, and SharePoint configuration details PowerShell commands Governed data attestation policies Governed data company policies Governed data risk index functions

Permission levels dialog

The Permission levels dialog allows you to view the permissions contained in a SharePoint permission level. From this dialog, you can also create a new SharePoint permissions level or modify or remove an existing permissions level. This dialog appears when you click the Permission Levels toolbar button in the lower pane of the Resource browser.

Note: You must be assigned the Manage Permissions permission for the site collection in order to create or modify permissions.

This dialog contains the following controls.

Table 30: Permission levels dialog: Controls
Control Description
Permission Levels

In the left pane, select a permission level to display its permissions.

Permissions The permissions included in the selected permissions level are displayed in the right pane.

New

Click the New button to create a new permissions level. Clicking this button allows you to enter a unique name and description for the new permissions level as well as select the required permissions to be included.

Modify

Click the Modify button to modify the permissions level selected in the left pane. Clicking this button displays the Permissions dialog, allowing you to modify the name, description and included permissions as needed.

Delete

Click the Delete button to delete the permissions level selected in the left pane.

OK

Click the OK button to save your selections and close the dialog.

Cancel

Click the Cancel button to close the dialog without saving your selections.

Manage access view

The Manage access view appears when Manage access is selected from the tasks view. From this view, you can see the access for the selected account on all managed hosts within your environment and detailed group membership information. This view consists of the following panes:

  • Access Points: The main pane is the results of a database query that retrieves the hosts a trustee has access to.

    Note: By default, the Filter builtin accounts (Administrators and Users) check box is selected indicating that noisy accounts (that is, accounts with indirect access granted through the BUILTIN\Administrators or BUILTIN\Users accounts) are not included in the view. To include these accounts in the Access Points pane, clear the check box at the top of the view.

  • Detailed Access Information: The lower pane is the result of an agent query that retrieves more information about the resource selected in the Access Points pane.
  • Group Memberships: The left pane displays the group membership information resolved from Active Directory from the Data Governance server.

By default, the results in the Access Points pane are grouped by the host name of managed host. Expand a managed host and select an account in the Access Points pane to display all the resources where the selected user or group has access. Click the Group Memberships tab to view how the account has gained access through group membership. Selecting an account in the Group Memberships pane retrieves and displays the hosts where the selected trustee has access.

Note: This view is not available for NFS managed hosts.

When a resource is selected in the lower pane, you can perform the following tasks.

Table 31: Manage access view: Resource-related tasks
Task Description For more information
Calculate perceived owners

Calculates and provides a list of the perceived owners for the selected resource using the resource activity history or security information.

NOTE: Task is not available for files.

Calculating perceived owner
Clone account access Copies the access rights to grant the selected access to another user or group, while maintaining the existing rights on the selected account. Cloning, replacing, and removing access for a group of accounts
Copy resource path Copies the full path of the resource to the clipboard.  
Copy Share Path

Copies the path of the share to the clipboard.

NOTE: Task is not available for files or folders.

 
Edit security

Displays the Edit Resource Security dialog allowing you to manage the security settings for the selected resource. Right-clicking an account on this dialog allows you to perform the following tasks:

  • Add rights
  • Remove selected permissions
  • Remove all explicit permissions

NOTE: This dialog is the same view displayed in the lower pane of the Resource browser and Deviation view when a resource is selected.

Working with security permissions
Place resource under governance

Places the selected resource under governance, making it available for use in policies and attestations.

NOTE: Task is not available for files.

Placing a resource under governance
Publish to IT Shop

Publishes the select resources to the IT Shop, making it available for employees and business owners to request and grant access to it.

NOTE: Task is not available for files.

NOTE: Not available for resources on Cloud managed hosts.

Publishing resources to the IT Shop
Refresh Retrieves and displays the latest details in the lower pane of the view.  
Remove account

Removes the selected account's access from the resource.

For direct access, remove the security setting from the resource ACL. For indirect access, remove the group that is on the ACL; the selected account (the one with the indirect access) remains a member of the group that had the access prior to the removal operation.

Cloning, replacing, and removing access for a group of accounts
Remove resource from governance

Removes the selected resource from governance.

NOTE: Task is not available for files.

Removing resources from governance
Replace account Replaces access to grant the currently configured access to another user or group and remove the access from the original account. Cloning, replacing, and removing access for a group of accounts
Resource access report Generates a report that identifies the accounts that have access to specific resources within your environment.

Resource access report

Viewing selected reports within the Manager

Resource activity report

Generates a report that provides a list of activities recorded over a period of time to verify proper resource usage and decide whether to remove access for particular accounts.

NOTE: Not available for resources on Cloud managed hosts.

Resource activity report

Viewing selected reports within the Manager

Toggle layout options

Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed.

Toggle layout options
Unpublish from IT Shop

Removes a previously published resource from the IT Shop.

NOTE: Not available for resources on Cloud managed hosts.

Publishing resources to the IT Shop
View deviations

Displays a tree view of all resources and all sub-resources below the root that have explicit security applied to them and any deviation warnings or errors encountered for the selected resource. As you select resources in the tree, you can view and manage their security.

NOTE: Task is not available for files or shares.

NOTE: Not available for resources on Cloud managed hosts.

Managing security deviations

In addition, you can open the following views.

Table 32: Manage access view: Views
View Description For more information
Account overview

Displays a graphical representation of the information returned by a Data Governance agent for the selected account.

Accounts view
Hosts view Displays the managed hosts where the selected account has access.  
Account comparison

Displays the Account Comparison view allowing you to compare the resource access of two accounts.

NOTE: This feature is not available for Cloud accounts.

Comparing accounts
Account simulation

Displays the Account Simulation view allowing you to simulate changes to group membership to see the access that would be granted or revoked.

NOTE: This feature is not available for Cloud accounts.

Simulating the effects of group membership modifications on an account
Related Topics

Edit resource security dialog

Edit resource security dialog

The Edit resource security dialog allows you to view or modify the security settings for the selected resource. This dialog appears when you select the Edit security task for a given resource on the Manage access view.

This dialog contains the following controls.

Table 33: Edit Resource Security dialog: Controls
Tab Control Description
Share Permissions

Use the Share Permissions tab to modify the permissions for shares.

This tab is displayed when a share is selected.

 

Rights

Click the Rights column to alter the permissions as required.
File Permissions / Folder Permissions Use the File Permissions or Folder Permissions tab to modify discretionary access control list (DACL) permissions for NTFS resources.
 

Rights

Click the Rights column to alter the permissions as required.
  Applies To Click the Applies To column to select how you want the permissions applied.
Auditing Use the Auditing tab to modify auditing system access control list (SACL) permissions for NTFS resources.
  Rights Click the Rights column to alter the permissions as required.
  Applies To Click the Applies To column to select how you want the permissions applied.
Control Use the Control tab to configure DACL inheritance settings.
  Current Owner of this item Displays the current owner of the selected resource.
 

Change Owner

Click the Change Owner button to change the owner for the selected resource. Clicking this button displays the Select User or Group dialog allowing you to locate and select a different owner.
 

Inheritance From Parent

  • Allow inheritable permissions from the parent to propagate to this object and all child objects
  • Allow inheritable audit settings from the parent to propagate to this object and all child objects.

Use these options to define how you want the settings to be inherited.

NOTE: Clearing either of these check boxes cause inheritance to be blocked. Select the appropriate option on the Block Access Inheritance dialog before clicking OK to confirm this change:

  • Copy all permissions inherited from parent and make explicit (default)
  • Remove all permissions inherited from parent
Related Topics

Working with security permissions

Modifying discretionary access control list (DACL) permissions for NTFS resources

Modifying auditing system access control list (SACL) permissions for NTFS resources

Working with SharePoint security permissions

Managing security deviations

Managing account access

Accounts view

The Accounts view appears when Accounts view is selected from the tasks list or right-click menu. The Accounts view displays the security information returned by Data Governance agents for the selected managed host. All resource types where users or groups have some level of access are included.

You can display the Accounts view from the following views in the Manager:

  • Managed hosts view
  • Resource browser
  • Governed data view

Note: This view is not available for NFS managed hosts.

The following table describes the default information displayed for each account.

Table 34: Accounts view: Default layout
Column title Description
Resource Type

The type of resource:

  • File
  • Folder
  • Local User Rights
  • Operating System Administrative Rights
  • Share
  • Windows Service Identity

NOTE: By default, the display is grouped by resource type. Click the expansion box to the left of a resource type to expand a resource type to display all of the accounts that have access.

Account Name The name of the account that has access.
Account Type

The type of account:

  • Built-in Group
  • Group
  • Special
  • Unknown
  • Machine Local User
  • Office 365 User
  • OneDrive for Business Group
  • SharePoint Online Group
  • User
  • Well known
Namespace

The logical group (namespace) to which the account belongs:

  • Cloud
  • NTFS
  • Windows Computer
  • Service Identities

In addition to the default columns, you can add the following columns to the view using the Column Chooser command.

NOTE: Right-click the column header and select Column Chooser to add hidden columns to the display. In the Customization dialog, double-click the required column or drag and drop it onto the column header bar.

To hide a column, right-click the column header and select Remove This Column. The column is now listed in the Customization dialog and can be re-added to the view as explained above.

Table 35: Accounts view: Hidden columns
Column title Description
Security Identifier (SID) The security identifier (SID) assigned to the account.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating