
Identity Manager Data Governance Edition 9.2 - User Guide


Managing account access

As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.

Whether you select to manage a particular user or group through the Security Index node in the Navigation view or through the Accounts view for a selected managed host, you have access to all the detailed security index information that has been returned by the agents within your environment.

You are able to:

  • View the group membership information for the selected account
  • Clone, replace, or remove the account access on a resource
  • Place a resource under governance and publish it to the IT Shop
  • Edit resource security for selected resources

Before altering access for users or groups, you may want to compare accounts or view the potential effects of group membership changes. For more information, see Comparing accounts.

Note: To identify where accounts have access, for SharePoint web apps that use Windows claims, the claim is associated with the relevant Active Directory account for all governed data.

To view access for a specific managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select the required managed host from the Managed hosts view.
  3. Select Accounts view from the Tasks view or right-click menu.

    All resource types where users and groups have some level of access are displayed. By default, the results are grouped by resource type. Expand a resource type to display all the accounts that have access.

  4. Browse through the resources, select the required user or group, and select Manage access from the Tasks view or right-click menu.

    The Manage Access view appears displaying the managed hosts where the selected user or group has access.

  5. Select the Group Memberships tab to see how the account has gained access through group membership.

    Note: This tab is not available for SharePoint account types.

    The first level beneath the root lists all the groups of which the account is a direct member. Beneath each of those groups are the groups that contain it, through which the account gains access indirectly, and so on for deeper nesting.

  6. Click the pin icon to dock the window and select a group to see its access on all managed hosts within your environment.
  7. Drill down through the managed hosts and the resource types to locate the required resource.

    You are able to see if the access has been granted explicitly (Directly held — the account is in the ACL) or through group membership (Indirectly held — the account belongs to a group that is in the ACL).

  8. Select a resource in the lower pane.

    Once you have located the resource, you can place the resource under governance to secure it; publish it to the IT Shop so that it is available for users and business owners to request and grant access to it; copy, remove, or replace access on the resource; edit the security as required; and create reports that detail account access and group membership information.

To manage access for a specific user or group

  1. In the Navigation view, select Data Governance | Security Index.

    All the users and groups that have been returned by the agents' scans are available in the Accounts result list.

  2. Select the required user or group from the Security Index view and select Manage access from the Tasks view or right-click menu.

    From here, you can see the access for a selected user or group on all managed hosts within your environment. You can quickly see whether this access has been granted explicitly (Directly held — the account is in the ACL) or through group membership (Indirectly held — the account belongs to a group that is in the ACL) and select to manage their access.

  3. Select the Group Memberships tab to see how the account has gained access through group membership.

    The first level beneath the root lists all the groups of which the account is a direct member. Beneath each of those groups are the groups that contain it, through which the account gains access indirectly, and so on for deeper nesting.

  4. Click the pin icon to dock the window and select a group to see its access on all managed hosts within your environment.
  5. Drill down through the managed hosts and select the required resource.

    Once you have located the resource, you can place the resource under governance to secure it; publish it to the IT Shop so that it is available for users and business owners to request and grant access to it; copy, remove, or replace access on the resource; edit the security as required; and create reports that detail account access and group membership information.

Viewing group membership

Because user and group access may be the result of several layers of nested groups, it may be difficult to assess how a specific account has gained access to a resource. Using the Group Memberships view, you can easily see group membership, computers, and resource types where the user or group has both direct access and indirect access by group membership and ensure that group access is properly assigned.

To view group membership information

  1. In the Navigation view, select Data Governance | Security Index.
  2. Select a user or group in the Security Index view and select Manage access from the Tasks view or right-click menu.
  3. On the Manage Access view, click the Group Memberships tab to view all group members for the selected user or group — both direct and indirect.

    Note: The Group Membership tab is only available for Active Directory users and groups.

    This opens a tree view with the selected account at the root. The first level beneath the root lists all the groups of which the account is a direct member. Beneath each of those groups are the groups that contain it, through which the account gains access indirectly, and so on for deeper nesting. This view allows you to select any group to see the resource access granted by being a member of that particular group.

  4. Click the pin icon to dock the window and select a group to see its access on all managed hosts within your environment.

Cloning, replacing, and removing access for a group of accounts

When you select Manage access for a user or group, you will see all the resources they have access to on the managed hosts within your organization. This access may be both applied directly and indirectly (gained through group membership).

From here, you can select to clone, replace, or remove access for a single account or for multiple users and groups at once. It is important to note that all actions are made on the actual security settings for the resource; actions will not alter group membership.

  • Cloning access grants the selected access to another user or group, while maintaining the existing rights on the selected account.
  • Removing direct access removes the security setting from the resource ACL. For indirect access, the group that is on the ACL is removed; the selected account (the one with the indirect access) remains a member of the group that had the access prior to the removal operation.
  • Replacing access grants the currently configured access to another user or group and removes the access from the original account.

You can view the progress of these changes by selecting Data Governance | Background Operations in the Navigation view.
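Added example, not part of this user guide and not Data Governance Edition code: a small Python model of the two ideas above. It reproduces the Directly held / Indirectly held distinction that the Manage Access and Group Memberships views show (an account is a trustee itself, or belongs to a trustee group through any depth of nesting), and the clone, replace and remove operations, which change the resource ACL and never group membership. The group data, the ACL, and the names `GROUPS`, `ACL`, `membership_tree`, `classify_access`, `clone_access`, `remove_access` and `replace_access` are constructed assumptions; a real Windows ACL also carries deny entries, inheritance flags and SIDs, which this model omits.

```python
"""Model of direct vs. indirect (group-nested) resource access and of the
clone / replace / remove operations on a resource ACL.

Added example, not Data Governance Edition code. Group membership and the ACL
are constructed, simplified data; all names below are assumptions."""

# Constructed directory data: group -> direct members (users or groups).
GROUPS = {
    "Finance-All": {"Finance-Analysts", "bob"},
    "Finance-Analysts": {"alice"},
    "Auditors": {"Finance-All"},
    "Everyone": {"alice", "bob", "carol"},
}

# Constructed ACL for one resource: list of (trustee, rights) entries.
ACL = [
    ("alice", "Read"),
    ("Auditors", "Read,Write"),
    ("carol", "FullControl"),
]


def direct_groups(account, groups):
    """Groups in which `account` is listed as a direct member."""
    return sorted(g for g, members in groups.items() if account in members)


def membership_tree(account, groups, _seen=None):
    """Nested dict mirroring the Group Memberships tab: the first level is the
    account's direct groups, each expanded into the groups that contain it.
    Cycles (A in B, B in A) are cut so the tree stays finite."""
    seen = set() if _seen is None else _seen
    tree = {}
    for g in direct_groups(account, groups):
        if g in seen:
            continue
        tree[g] = membership_tree(g, groups, seen | {g})
    return tree


def _paths(account, groups):
    """Yield (group, path) for every group the account belongs to, directly
    or through nesting; path lists the groups traversed, nearest first."""
    stack = [(account, [])]
    visited = set()
    while stack:
        current, path = stack.pop()
        for g in direct_groups(current, groups):
            if g in visited:
                continue
            visited.add(g)
            new_path = path + [g]
            yield g, new_path
            stack.append((g, new_path))


def classify_access(account, acl, groups):
    """List how `account` is granted each ACL entry: 'Directly held' when the
    account itself is the trustee, 'Indirectly held' when a group it belongs
    to (at any nesting depth) is the trustee. `via` is the group chain."""
    reach = dict(_paths(account, groups))
    result = []
    for trustee, rights in acl:
        if trustee == account:
            result.append({"trustee": trustee, "rights": rights,
                           "held": "Directly held", "via": []})
        elif trustee in reach:
            result.append({"trustee": trustee, "rights": rights,
                           "held": "Indirectly held", "via": reach[trustee]})
    return result


def clone_access(acl, source, target, groups):
    """Grant `target` the rights `source` holds on the resource (copied from
    each entry that grants them); `source` keeps its own rights."""
    new_acl = list(acl)
    for entry in classify_access(source, acl, groups):
        ace = (target, entry["rights"])
        if ace not in new_acl:
            new_acl.append(ace)
    return new_acl


def remove_access(acl, account, groups):
    """Remove the account's access from the resource ACL only. For indirect
    access the *group's* entry is removed; the account stays in the group
    (GROUPS is never modified by any function here)."""
    granting = {e["trustee"] for e in classify_access(account, acl, groups)}
    return [(t, r) for t, r in acl if t not in granting]


def replace_access(acl, source, target, groups):
    """Clone, then remove: target gains source's access, source loses it."""
    return remove_access(clone_access(acl, source, target, groups), source, groups)


if __name__ == "__main__":
    for entry in classify_access("alice", ACL, GROUPS):
        print(entry["held"], entry["trustee"], entry["rights"], " > ".join(entry["via"]))
    print("after remove:", remove_access(ACL, "alice", GROUPS))
```

`classify_access("alice", ACL, GROUPS)` reports her Read entry as Directly held and the Auditors entry as Indirectly held via Finance-Analysts > Finance-All > Auditors. Calling `remove_access` for alice removes the Auditors entry from the ACL, so every other member of Auditors (bob here) loses that access as well, while `GROUPS` is unchanged. That is the practical consequence of the rule that these actions alter the ACL and never group membership, and it is worth checking who else is in the group before removing indirect access.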

To clone, replace, or remove access for a group of accounts

  1. In the Navigation view, select Data Governance | Security Index.
  2. In the Accounts result list, double-click a user or group, and select Manage access in the Tasks view.
  3. Browse through the managed hosts and resource types.
  4. In the bottom pane, select the resource and select one of the following tasks from the Tasks view:

    • Clone account access to copy the account access for a new user or group. Select the user or group that you want to have this access, and click OK.
    • Replace account to grant the currently configured access to another user or group. Select the user or group that you want to replace the existing user or group with, and click OK.
    • Remove account to remove the selected account's access from the resource. Click Yes on the confirmation dialog to confirm the operation.

Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.

Adding an account to a resource with no associated access information

Through Windows Active Directory, it is possible to have a resource without associated access information, whether through a null security descriptor (SD) or a null discretionary access control list (DACL). This resource is accessible by all groups and users.

Data Governance Edition enables you to put in place a security measure to eliminate this possibility by adding a user or group to ensure that all resources have access information.

To add an account to a null SD or null DACL

  1. In the Navigation view, select Data Governance | Security Index.
  2. In the Accounts result list, double-click the Null Security Descriptor Alias or the Null Discretionary Access Control List Alias account.

    Note: If you do not see a Null Security Descriptor Alias or Null Discretionary Access Control List Alias in the view, then you have no orphan SDs or DACLs.

  3. In the Tasks view, select Manage access.

    A list of managed hosts and the resources without assigned access is displayed.

  4. Double-click a managed host and select a resource type to see a list of resources with the Null Security Descriptor Alias or Null Discretionary Access Control List Alias.
  5. In the bottom pane, select the resource that you want to secure, and select Edit security in the Tasks view.
  6. In the Edit Resource Security dialog, specify the required permissions and control. Click Save to save your selections.
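Added example, not part of this user guide and not Data Governance Edition code: a Python check that tells the unsafe case described above (a null security descriptor or a null DACL, which leaves the resource open to all users and groups) apart from an empty DACL, which grants access to nobody. It works on SDDL, the documented Windows string form of a security descriptor, so it can be run against descriptors exported from a file server. The SDDL strings and resource names are constructed, and `sddl_sections`, `dacl_state`, `dacl_trustees` and `scan_resources` are names assumed for this example.

```python
"""Distinguish a null DACL / null SD (everyone has access) from an empty DACL
(no one has access) using SDDL text.

Added example, not Data Governance Edition code. SDDL strings and resource
names are constructed; the function names are assumptions."""

import re

# Section markers of an SDDL string: Owner, primary Group, DACL, SACL.
_SECTION = re.compile(r"(O|G|D|S):")
# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
_ACE = re.compile(r"\(([^)]*)\)")


def sddl_sections(sddl):
    """Split an SDDL string into its O/G/D/S parts. A part is absent from the
    returned dict when the descriptor has no such component."""
    parts = {}
    marks = list(_SECTION.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    return parts


def dacl_state(sddl):
    """Classify the DACL of a descriptor:
       'null_sd'   - no security descriptor at all (modelled here as None)
       'null'      - no DACL section, or the NO_ACCESS_CONTROL flag:
                     access is unrestricted
       'empty'     - 'D:' present (possibly with flags such as P or AI)
                     but no ACEs: no one is granted access
       'populated' - one or more ACEs present"""
    if sddl is None:
        return "null_sd"
    parts = sddl_sections(sddl)
    if "D" not in parts or parts["D"].startswith("NO_ACCESS_CONTROL"):
        return "null"
    return "populated" if _ACE.search(parts["D"]) else "empty"


def dacl_trustees(sddl):
    """Trustees (sixth ACE field: a SID or a well-known alias) in the DACL."""
    if dacl_state(sddl) != "populated":
        return []
    return [ace.split(";")[5] for ace in _ACE.findall(sddl_sections(sddl)["D"])]


def scan_resources(resources):
    """Names of resources that the Null Security Descriptor Alias or Null
    Discretionary Access Control List Alias account would surface, i.e.
    resources accessible to every user and group."""
    return sorted(name for name, sddl in resources.items()
                  if dacl_state(sddl) in ("null", "null_sd"))


# Constructed sample: resource -> SDDL string (None = no descriptor at all).
SAMPLE_RESOURCES = {
    r"\\fs01\finance\budget.xlsx": "O:BAG:BAD:PAI(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-21-1-2-3-1001)",
    r"\\fs01\finance\locked.txt": "O:BAG:BAD:",   # empty DACL: nobody has access
    r"\\fs01\share\open.txt": "O:BAG:BA",          # null DACL: everyone has access
    r"\\fs01\share\nosd.txt": None,                # null SD: everyone has access
}


if __name__ == "__main__":
    for name, sddl in SAMPLE_RESOURCES.items():
        print(f"{name}: {dacl_state(sddl)} {dacl_trustees(sddl)}")
    print("needs an account added:", scan_resources(SAMPLE_RESOURCES))
```

The distinction matters in both directions: adding an account to a null DACL closes the resource to everyone except that account (the measure this section describes), whereas an empty DACL already denies all access and is a different kind of problem, one that the alias accounts above will not flag.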