Self-service suitability calculation multipliers
The "best fit" group is determined through a series of calculators that work on various criteria. Each calculator returns a value in the range of -2 to +2:
- Very Bad (-2)
- Bad (-1)
- Neutral (0)
- Good (+1)
- Very Good (+2)
These calculators cannot be changed, but you can modify the positive and negative multipliers by changing the default values defined in the DataGovernanceEdition.Service.exe.config file. The following set of multipliers are used by the self-service calculation system to modify the relative weights of the various suitability calculators.
|
|
NOTE: Keep in mind that the multiplier values are only relative to one another. If you doubled all the multipliers, there would be no change in the resulting set of groups returned to the user. If you want your desired criteria to be considered more importance, set the multipliers on those calculators to be higher relative to the rest. |
NTFS group membership calculation multipliers
Configuration settings:
<add key="SelfService.AccessInheritanceSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.AccessInheritanceSuitabilityProcessor.NegativeMultiplier" value="100"/>
Checks access inheritance: Groups whose rights to the targeted resource are explicit are favorable. Groups that have been delegated access to the targeted resource through inherited permissions are considered less favorable.
- If the permissions have been inherited from some resource higher in the hierarchy, then the requester may be given access to more resources than they've actually requested. (Bad)
- If nothing is gained through inherited access, don't change the suitability. (Neutral)
- If the explicitly held rights are a better match than neutral and there are no inherited rights, then that's good (Good)
<add key="SelfService.AccessSuitabilityProcessor.PositiveMultiplier" value="200"/>
<add key="SelfService.AccessSuitabilityProcessor.NegativeMultiplier" value="500"/>
Checks access rights:
- It is optimal if the access held by the group is exactly what the request requires. (Very good)
- If the group has slightly more access than is required, it may be suggested but considered less favorable. (Good).
- It is detrimental if the group has "dangerous" rights, such as Full Control, Take Ownership, or Change Permissions. (Very bad)
- If the group doesn't have sufficient access to meet the request, it is marked as ineligible for selection. (ineligible).
<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.NegativeMultiplier" value="200"/>
Checks Domain Local group membership:
- If a group contains any Global or Universal groups, then it's likely being used as a resource group. This means that the group should be less desirable for usage as an access provisioning group. (Bad)
- If a group does not contain any Global or Universal groups, then it is most likely used for direct access provisioning and not as a container group. (Very good)
<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.DomainLocalMembershipSuitabilityProcessor.NegativeMultiplier" value="200"/>
Checks group membership rules:
- Global groups that exist in the same domain as the employee are favorable.
- If the group is Universal, the employee must exist in the same forest as the group.
|
|
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results. |
<add key="SelfService.GroupTypeSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.GroupTypeSuitabilityProcessor.NegativeMultiplier" value="200"/>
Checks group type: Based on Microsoft best practices, groups are favored in the following order:
- If the group is a Global group, it is marked as very good.
- If the group is a Universal group, it is marked as good.
- If the group is a Domain Local group, it is marked as bad.
- Domain built-in groups and non-security groups are never considered suitable selections and are marked as ineligible.
<add key="SelfService.OriginInformationSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.OriginInformationSuitabilityProcessor.NegativeMultiplier" value="100"/>
Check origin domain:
- Groups in the same domain as the requesting employee are considered favorable. (Very good)
- Groups from the resource's forest are considered less favorable. (Good)
- Groups from forests outside of the forest of the requesting employee are considered even less favorable. (Bad)
<add key="SelfService.ResourceDistanceSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.ResourceDistanceSuitabilityProcessor.NegativeMultiplier" value="100"/>
Checks distance from resource: The closer the group is to the resource, the better. The further away the groups gets from the ACL, the wore the score.
- Groups directly in the resources access control list are considered favorable.
- A group that is nested one or more steps away from the access control list is considered less favorable.
|
|
NOTE: This calculator never marks a group as very bad. |
SharePoint group access calculation multipliers
Configuration settings:
<add key="SelfService.BestFitPermissionLevelSuitabilityProcessor.PositiveMultiplier" value="300"/>
<add key="SelfService.BestFitPermissionLevelSuitabilityProcessor.NegativeMultiplier" value="100"/>
Choose a group assigned a permission level that best fits the requested access. Not enough rights makes the group Ineligible. Granting any modification permissions when only Contribute permissions are requested makes the group ineligible.
<add key="SelfService.DelegationGrantingPermissionLevelSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.DelegationGrantingPermissionLevelSuitabilityProcessor.NegativeMultiplier" value="100"/>
Groups that contain permission levels that grant a user not only the requested rights, but also give the ability to delegate permissions to others will be marked as ineligible.
<add key="SelfService.FarmAdminAvoidSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.FarmAdminAvoidSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that grant farm administrative rights. Farm Admin groups are marked as ineligible, otherwise the group is marked as neutral.
|
|
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results. |
<add key="SelfService.JoinOptionsSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.JoinOptionsSuitabilityProcessor.NegativeMultiplier" value="100"/>
Checks a group's access properties:
- If the group is not a SharePoint group, it is marked as neutral.
- If the auto-accept members flag is set, the group is assumed to be extremely safe and it is marked as very good.
- If a workflow exists for granting access, or current members of the group are able to add others, the group is marked as good.
- If the property that specifies only group members may view the membership is set, the group is assumed to be fairly locked down; therefore, the group is marked as bad.
<add key="SelfService.PermissionsAgreeSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.PermissionsAgreeSuitabilityProcessor.NegativeMultiplier" value="100"/>
Many Windows groups that may be viable through Windows Domain Trusts do not always work in granting SharePoint access because of limitations in SharePoint security checking. This calculator checks to see if SharePoint itself considers the group valid for the requested access. If the effective permissions meet the requirements of the requested permissions, that is very good. Otherwise, it is marked as neutral.
|
|
Note: Since this calculator only marks a group as very good or neutral, changing a multiplier will not change the results. |
<add key="SelfService.NestingSuitabilityProcessor.PositiveMultiplier" value="200"/>
<add key="SelfService.NestingSuitabilityProcessor.NegativeMultiplier" value="100"/>
If the target group is an Active Directory group that is also a member of a SharePoint group, it is marked as very good. Otherwise, it is marked as neutral.
|
|
Note: Since this calculator only marks a group as very good or neutral, changing a multiplier will not change the results. |
<add key="SelfService.PreferActiveDirectoryGroupTypeSuitabilityProcessor.PositiveMultiplier" value="50"/>
<add key="SelfService.PreferActiveDirectoryGroupTypeSuitabilityProcessor.NegativeMultiplier" value="100"/>
Checks the type of group:
- If the group is a SharePoint group, it is marked as neutral.
- If the group is a security-enabled Active Directory group, it is marked as ineligible.
- If the group is a global Active Directory group, it is marked as very good.
- If the group is a universal Active Directory group, it is marked as good.
- If the group is a built-in domain group, it is marked as ineligible.
-
If the group is a local domain group, it is marked as bad.
|
|
Note: The default values when none of these are satisfied mark the group as ineligible. |
<add key="SelfService.PreferSharePointGroupTypeSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.PreferSharePointGroupTypeSuitabilityProcessor.NegativeMultiplier" value="100"/>
Some organizations prefer to use groups that are SharePoint groups because they enhance SharePoint features and delegation within SharePoint itself, as well as allowing self service. This is a trade-off between SharePoint features vs. Active Directory group power in the enterprise. The use of Active Directory groups vs. SharePoint groups as a best practice is a debated topic.
If a group is a SharePoint group, mark it as very good, otherwise mark it as neutral. To avoid SharePoint groups, flip the positive “weight” to a negative number.
<add key="SelfService.SiteCollectionAvoidAdminSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.SiteCollectionAvoidAdminSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that grant Site Collection Administrative rights. These groups are marked as ineligible. Otherwise, the group is marked as neutral.
|
|
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results. |
<add key="SelfService.WebAppPolicyAvoidActAsSystemSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.WebAppPolicyAvoidActAsSystemSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that would cause the user to gain the Act As System right. These groups are marked as ineligible. Otherwise, the group is marked as neutral.
|
|
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results. |
<add key="SelfService.WebAppPolicyAvoidSiteCollectionRightsSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.WebAppPolicyAvoidSiteCollectionRightsSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that Web Application policies grant Site Collection Administrative rights to. These groups are marked as ineligible. Otherwise, the group is marked as neutral.
|
|
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results. |
<add key="SelfService.WebAppPolicyDenySuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.WebAppPolicyDenySuitabilityProcessor.NegativeMultiplier" value="100"/>
Some Farms may have policies denying most users from ever getting permissions that are too high.
- Any rights denied outside the requested permissions are considered neutral.
- A policy can make the group ineligible if it denies rights being requested.
|
|
NOTE: Since this calculator only marks a group with ineligible or neutral, changing a multiplier will not change the results. |
<add key="SelfService.WebAppPolicyGrantSuitabilityProcessor.PositiveMultiplier" value="100"/>
<add key="SelfService.WebAppPolicyGrantSuitabilityProcessor.NegativeMultiplier" value="100"/>
Avoid groups that get rights granted via a Web Application policy (in any zone). The more rights granted, the worse it is. These policies are usually used to grant service accounts, like the Search Service accounts rights, and are not generally good ways to obtain access to resources.
- If the group has MORE than the following permissions, then it is marked as ineligible:
- LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
- SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation, ApplyThemesAndBorders, ApplyStyleSheets
- PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts
- If the group has MORE than the following permissions, then it is marked as very bad:
- LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
- SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation
- PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts
- If the group has the EXACTLY the following permissions, then it is marked as bad:
- LIST PERMISSIONS: ViewItems, ViewApplicationPages, OpenItems, ViewVersions, CreateAlerts, ViewApplicationPages
- SITE PERMISSIONS: ViewPages, Open, ViewPages, BrowseUserInformation, UseRemoteInterfaces, UseClientIntegrationFeatures, Open, UseSelfServiceSiteCreation, EditPersonalUserInformation
- PERSONAL PERMISSIONS: ManagePersonalViews, AddRemovePersonalWebParts, UpdatePersonalWebParts
Data Governance agent configuration file settings
The following Data Governance agent configuration file settings can be configured in the DataGovernance.Agent.exe.config file in the Agent Services directory in the agent's installation directory: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services.
| Configuration setting | Description | ||
|---|---|---|---|
| baseActivePort | Sets the default listening port. | ||
| overrideServerUri | Indicates that the agent is to connect to a specific Uri and not use the results from an Active Directory service connection point search. | ||
|
Dictates the interval of time provided for a connection to the Shim to close before the transport raises an exception.
| |||
|
Dictates the interval of time provided for a connection to open to the Shim before the transport raises an exception.
| |||
|
Dictates the interval of time that a connection can remain inactive, during which time no application messages are received from the Shim before it is dropped.
| |||
|
When writing to the Shim, this setting dictates the interval of time provided for a write operation to complete before the transport raises an exception.
|
| Configuration setting | Description |
|---|---|
| cloudGroupResolutionInSeconds | Sets the number of seconds between scans of Cloud team groups and their members. |
| indexingEnabled (localGroup scanning) | Determines whether local group scanning is enabled. |
| indexingEnabled (local user rights scanning) | Determines whether local user rights scanning is enabled. |
| indexingEnabled (share scanning) | Determines whether share scanning is enabled. |
| localGroupResolutionInSeconds | Sets the number of seconds between scans of local groups. |
| windowsComputerResourceResolutionInSeconds | Sets the number of seconds between full scans of the various resources within the Windows Computer resource namespace. |
| Configuration setting | Description |
|---|---|
| indexingEnabled (service identities scanning) | Determines whether service identities scanning is enabled. |
| serviceIdentityIndexingResolutionInSeconds | Sets the number of seconds between scans of service identities. |
| Configuration setting | Description | ||
|---|---|---|---|
| keepQueryDocuments |
Diagnostic setting used to debug or diagnose issues with agent queries.
|
| Configuration setting | Description |
|---|---|
| numberOfSharepointScanThreads | Defines the number of threads to be used when the agent is scanning the SharePoint object hierarchy in the farm. |
| usageFlushIntervalInSeconds | Sets the frequency (in seconds) at which auditing information being held in memory is flushed to disk. |
| Configuration setting | Description |
|---|---|
| OverrideFPolicyName | Overrides the name of the policy the FPolicy change watcher connects to. |
baseActivePort
Use this setting to change the default listening port.
| Configuration file | %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DataGovernance.Agent.exe.config |
| Section name |
<Section name="Agent"> <Section name="Services"> <Section name="communication"> |
| Setting | <Setting name ="baseActivePort" type="dword"> |
| Value |
Default: 18530 |
| How to modify |
|
| Notes | The agent starts with this port and if it can not get this port, increases it by one until it can open the listening port. |
cloudGroupResolutionInSeconds
Use this configuration settings to change the number of seconds between scans of Cloud team groups and their members.
|
|
NOTE: The agent collects all team groups and their members on startup and once a day thereafter (by default). The agent synchronizes to the server only if there is a change. Any change to this setting is picked up at run time; however, if the setting is set to once a day and is then changed to a smaller value, you must wait until the timer runs before it resets to the new time. You can, however, restart the agent to implement the change immediately. |
| Configuration file | %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Agent Services\DataGovernance.Agent.exe.config |
| Section name |
<Section name="Agent"> <Section name="Services"> <Section name="localGroup"> |
| Setting | <Setting name ="cloudGroupResolutionInSeconds" type="dword"> |
| Value |
Default: 84600 seconds (which is once a day) |
| How to modify |
Replace value as required. |