
Identity Manager Data Governance Edition 8.0 - User Guide


Adding an account to a resource with no associated access information

Through Windows Active Directory, it is possible to have a resource without associated access information, whether through a null security descriptor (SD) or a null discretionary access control list (DACL). Such a resource is accessible by all groups and users.

Data Governance Edition enables you to put in place a security measure to eliminate this possibility by adding a user or group to ensure that all resources have access information.

To add an account to a null SD or null DACL

  1. In the Navigation view, select Data Governance | Security Index.
  2. In the Accounts result list, double-click the Null Security Descriptor Alias or the Null Discretionary Access Control List Alias account.

    Note: If you do not see a Null Security Descriptor Alias or Null Discretionary Access Control List Alias in the view, then you have no orphan SDs or DACLs.

  3. In the Tasks view, select Manage access.

    A list of managed hosts and the resources without assigned access is displayed.

  4. Double-click a managed host and select a resource type to see a list of resources with the Null Security Descriptor Alias or Null Discretionary Access Control List Alias.
  5. In the bottom pane, select the resource that you want to secure, and select Edit security in the Tasks view.
  6. On the Edit Resource Security dialog, specify the required permissions and control. Click Save to save your selections.
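The null SD and null DACL conditions described in this section can be told apart from the raw bytes of a self-relative Windows security descriptor. The following is an added example, not part of the product or its documentation; the sample descriptors are constructed, and treating an empty byte string as a null SD is an assumption. It also separates a null DACL (everyone has access) from an empty DACL (no one has access), which are easily confused.

```python
import struct

SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004   # control bit: the descriptor carries a DACL
HEADER = "<BBHIIII"        # Revision, Sbz1, Control, Offset{Owner,Group,Sacl,Dacl}
ACL_HEADER = "<BBHHH"      # AclRevision, Sbz1, AclSize, AceCount, Sbz2

def classify_sd(sd):
    """Return the DACL state of a self-relative security descriptor."""
    if not sd:
        return "null-sd"   # assumption: a missing descriptor arrives as empty bytes
    if len(sd) < struct.calcsize(HEADER):
        raise ValueError("truncated security descriptor header")
    fields = struct.unpack_from(HEADER, sd)
    control, dacl_off = fields[2], fields[6]
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return "null-dacl"  # no DACL stored: everyone gets full access
    if dacl_off + struct.calcsize(ACL_HEADER) > len(sd):
        raise ValueError("DACL offset points outside the descriptor")
    ace_count = struct.unpack_from(ACL_HEADER, sd, dacl_off)[3]
    return "empty-dacl" if ace_count == 0 else "dacl-with-aces"

# Constructed ACCESS_ALLOWED_ACE: full control (0x001F01FF) for Everyone (S-1-1-0)
EVERYONE_FULL = (struct.pack("<BBHI", 0, 0, 20, 0x001F01FF)
                 + bytes([1, 1, 0, 0, 0, 0, 0, 1]) + struct.pack("<I", 0))

def build_sd(control, aces=None):
    """Build a constructed descriptor; aces=None means no ACL is stored."""
    if aces is None:
        return struct.pack(HEADER, 1, 0, SE_SELF_RELATIVE | control, 0, 0, 0, 0)
    body = b"".join(aces)
    acl = struct.pack(ACL_HEADER, 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack(HEADER, 1, 0, SE_SELF_RELATIVE | control, 0, 0, 0, 20) + acl

SAMPLES = {  # constructed inputs, keyed by what each one represents
    "no-descriptor": b"",
    "dacl-flag-null-offset": build_sd(SE_DACL_PRESENT),
    "dacl-flag-clear": build_sd(0),
    "empty-dacl": build_sd(SE_DACL_PRESENT, []),
    "explicit-ace": build_sd(SE_DACL_PRESENT, [EVERYONE_FULL]),
}

def open_to_everyone(samples):
    """Names of resources whose descriptor state grants access to all accounts."""
    return sorted(n for n, sd in samples.items() if classify_sd(sd) in ("null-sd", "null-dacl"))

if __name__ == "__main__":
    for name, sd in SAMPLES.items():
        print(f"{name:24} {classify_sd(sd)}")
```
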

Working with security permissions

Access to data affects how employees can ultimately perform their day-to-day tasks. Through the Manager, administrators can manage and set permissions for network objects. For more information, see Viewing the security on objects.

Note: Access can also be granted through the web portal’s IT Shop. Employee access requests follow a defined approval process where authorized persons, the business owner and group owner, can approve or deny requests.

For more information, see Publishing resources to the IT Shop.

Before you can edit permissions, you must be granted the Data Governance\Access Managers application role.

Related Topics

Viewing the security on objects

Modifying discretionary access control list (DACL) permissions for NTFS resources

Modifying auditing system access control list (SACL) permissions for NTFS resources

Managing security deviations

Assigning an owner to a resource

Working with SharePoint security permissions

Viewing the security on objects

You can see and manage the security for a selected resource or a selected account. Once you have located an object, you can see:

  • The users and groups that have access to the object. These can be Active Directory users or groups or SharePoint groups.
  • The level of access, both DACL and SACL, for NTFS objects.
  • The permission level assigned to each user or group.

    For SharePoint, you can see the permissions associated with a particular permission level, and a summary of all the permissions granted by the combination of assigned permission levels.

  • Whether the object has inherited or unique permissions. You cannot edit inherited permissions; however, you can view the details of the assigned permissions.

    For SharePoint, you can switch between inherited and unique, and then configure the unique permissions.

  • The resource and business owner.

For details on managing security on objects, see:

Modifying discretionary access control list (DACL) permissions for NTFS resources

As the administrator, ensure that users and groups have the access they require to perform their day-to-day tasks. Using Data Governance Edition, you can determine the existing data access, add users and groups to the resource ACL, edit any existing access, and remove access as required.

Note: You can only modify access that has been explicitly granted, but you can change inheritance from the Control tab when you select to Edit Security for a resource.

Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.

To add, edit or remove access DACL permissions

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:

    • Double-click the required managed host in the Managed hosts view.
    • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
  3. In the Resource browser, use the top pane to locate and select the resource. Double-click through the resources to locate the required resource.
  4. Select the required resource to display the security for the resource in the lower pane.

    You can use the Location field, at the top of the tab, to view your current location. If you have navigated too far, you can move back by clicking the Up One Level button.

  5. Select the Folder Permissions tab or File Permissions tab.
  6. To give a user or group access to the selected resource, click in the lower pane and select Add rights in the Tasks view.
    1. Select the account to add and click Next.
    2. Choose where to apply the permissions.
    3. Select the permissions to add.
    4. If applicable, select to limit the permissions to only objects and containers within the selected container.
    5. Click Finish.

    Back on the Folder Permissions or File Permissions tab, unsaved changes appear bold.

  7. To remove access, right-click the required account and select Remove selected permissions. Click OK on the confirmation dialog to confirm the remove operation.
  8. To alter the access, select the required user or group, and click in the Rights column.
    1. Alter the permissions as required.
    2. Click the Applies To column to select how you want the permissions applied.
  9. Click the Save tool bar button located above the Folder Permissions or File Permissions tab to save your selections. Click Yes on the confirmation dialog.

    You can now browse through the network to ensure that the proper access has been granted or removed.

To configure DACL inheritance settings

  1. In the Resource browser, select the Control tab.
  2. Select whether you want the settings to be inherited. The Inheritance from Parent options available include:

    • Allow inheritable permissions from the parent to propagate to this object and all child objects.

    • Allow inheritable audit settings from the parent to propagate to this object and all child objects.

    Note: Clearing either of these check boxes causes inheritance to be blocked. Select the appropriate option on the Block Access Inheritance dialog before clicking OK to confirm this change:

    • Copy all permissions inherited from parent and make explicit (default)
    • Remove all permissions inherited from parent
  3. Click the Save tool bar button to save your selection.