Manage access view
The Manage access view appears when Manage access is selected from the tasks view. From this view, you can see the access for the selected account on all managed hosts within your environment and detailed group membership information. This view consists of the following panes:
-
Access Points: The main pane is the results of a database query that retrieves the hosts a trustee has access to.
Note: By default, the Filter builtin accounts (Administrators and Users) check box is selected indicating that noisy accounts (that is, accounts with indirect access granted through the BUILTIN\Administrators or BUILTIN\Users accounts) are not included in the view. To include these accounts in the Access Points pane, clear the check box at the top of the view.
- Detailed Access Information: The lower pane is the result of an agent query that retrieves more information about the resource selected in the Access Points pane.
- Group Memberships: The left pane displays the group membership information resolved from Active Directory from the Data Governance server.
By default, the results in the Access Points pane are grouped by the host name of managed host. Expand a managed host and select an account in the Access Points pane to display all the resources where the selected user or group has access. Click the Group Memberships tab to view how the account has gained access through group membership. Selecting an account in the Group Memberships pane retrieves and displays the hosts where the selected trustee has access.
|
|
Note: This view is not available for NFS managed hosts. |
When a resource is selected in the lower pane, you can perform the following tasks.
| Task | Description | For more information | ||||
|---|---|---|---|---|---|---|
| Calculate perceived owners |
Calculates and provides a list of the perceived owners for the selected resource using the resource activity history or security information.
|
Calculating perceived owner | ||||
| Clone account access | Copies the access rights to grant the selected access to another user or group, while maintaining the existing rights on the selected account. | Cloning, replacing, and removing access for a group of accounts | ||||
| Copy resource path | Copies the full path of the resource to the clipboard. | |||||
| Copy Share Path |
Copies the path of the share to the clipboard.
|
|||||
| Edit security |
Displays the Edit Resource Security dialog allowing you to manage the security settings for the selected resource. Right-clicking an account on this dialog allows you to perform the following tasks:
|
Working with security permissions | ||||
| Place resource under governance |
Places the selected resource under governance, making it available for use in policies and attestations.
|
Placing a resource under governance | ||||
| Publish to IT Shop |
Publishes the select resource(s) to the IT Shop, making it available for employees and business owners to request and grant access to it.
|
Publishing resources to the IT Shop | ||||
| Refresh | Retrieves and displays the latest details in the lower pane of the view. | |||||
| Remove account |
Removes the selected account's access from the resource. For direct access, remove the security setting from the resource ACL. For indirect access, remove the group that is on the ACL; the selected account (the one with the indirect access) remains a member of the group that had the access prior to the removal operation. |
Cloning, replacing, and removing access for a group of accounts | ||||
| Remove resource from governance |
Removes the selected resource from governance.
|
Removing resources from governance | ||||
| Replace account | Replaces access to grant the currently configured access to another user or group and remove the access from the original account. | Cloning, replacing, and removing access for a group of accounts | ||||
| Resource access report | Generates a report that identifies the accounts that have access to specific resources within your environment. | |||||
| Resource activity report |
Generates a report that provides a list of activities recorded over a period of time to verify proper resource usage and decide whether to remove access for particular accounts.
|
|||||
| Toggle layout options |
Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed. |
Toggle layout options | ||||
| Unpublish from IT Shop |
Removes a previously published resource from the IT Shop.
|
Publishing resources to the IT Shop | ||||
| View deviations |
Displays a tree view of all resources and all sub-resources below the root that have explicit security applied to them and any deviation warnings or errors encountered for the selected resource. As you select resources in the tree, you can view and manage their security.
|
Managing security deviations |
In addition, you can open the following views.
| View | Description | For more information | ||
|---|---|---|---|---|
| Account overview |
Displays a graphical representation of the information returned by a Data Governance agent for the selected account. |
Accounts view | ||
| Hosts view | Displays the managed hosts where the selected account has access. | |||
| Account comparison |
Displays the Account Comparison view allowing you to compare the resource access of two accounts.
|
Comparing accounts | ||
| Account simulation |
Displays the Account Simulation view allowing you to simulate changes to group membership to see the access that would be granted or revoked.
|
Simulating the effects of group membership modifications on an account |
Related Topics
Edit resource security dialog
The Edit resource security dialog allows you to view or modify the security settings for the selected resource. This dialog appears when you select the Edit security task for a given resource on the Manage access view.
This dialog contains the following controls.
| Tab | Control | Description | ||
|---|---|---|---|---|
| File Permissions / Folder Permissions | Use the File Permissions or Folder Permissions tab to modify discretionary access control list (DACL) permissions for NTFS resources. | |||
| Rights | Click the Rights column to alter the permissions as required. | |||
| Applies To | Click the Applies To column to select how you want the permissions applied. | |||
| Auditing | Use the Auditing tab to modify auditing system access control list (SACL) permissions for NTFS resources. | |||
| Rights | Click the Rights column to alter the permissions as required. | |||
| Applies To | Click the Applies To column to select how you want the permissions applied. | |||
| Control | Use the Control tab to configure DACL inheritance settings. | |||
| Current Owner of this item | Displays the current owner of the selected resource. | |||
| Change Owner | Click the Change Owner button to change the owner for the selected resource. Clicking this button displays the Select Objects dialog allowing you to locate and select a different owner. | |||
|
Inheritance From Parent
|
Use these options to define how you want the settings to be inherited.
| |||
Related Topics
Working with security permissions
Modifying discretionary access control list (DACL) permissions for NTFS resources
Modifying auditing system access control list (SACL) permissions for NTFS resources
Working with SharePoint security permissions
Accounts view
The Accounts view appears when Accounts view is selected from the tasks list or right-click menu. The Accounts view displays the security information returned by Data Governance agents for the selected managed host. All resource types where users or groups have some level of access are included.
You can display the Accounts view from the following views in the Manager:
- Managed hosts view
- Resource browser
- Governed data view
|
|
Note: This view is not available for NFS managed hosts. |
The following table describes the default information displayed for each account.
| Column title | Description | ||
|---|---|---|---|
| Resource Type |
The type of resource:
| ||
| Account Name | The name of the account that has access. | ||
| Account Type |
The type of account:
| ||
| Namespace |
The logical group (namespace) to which the account belongs:
|
In addition to the default columns, you can add the following columns to the view using the Column Chooser command.
|
|
NOTE: Right-click the column header and select Column Chooser to add hidden columns to the display. In the Customization dialog, double-click the required column or drag and drop it onto the column header bar. To hide a column, right-click the column header and select Remove This Column. The column is now listed in the Customization dialog and can be re-added to the view as explained above. |
| Column title | Description |
|---|---|
| Security Identifier (SID) | The security identifier (SID) assigned to the account. |
Accounts view tasks
When an account is selected in the Accounts view, you can perform the following tasks against the selected account.
| Task | Description | For more information | ||||
|---|---|---|---|---|---|---|
| Account access report | Generates a report displaying the account's resource access across all managed hosts within the enterprise. Selecting this task displays the Account Access dialog allowing you to define the report parameters for running the Account access report. | |||||
| Account activity report |
Generates a report displaying all the activity for the selected account against specific managed hosts. Selecting this task displays the Account Activity dialog allowing you to define the report parameters for generating the Account activity report.
|
|||||
| Account comparison |
Displays the Account Comparison view allowing you to compare the resource access of two accounts.
|
Comparing accounts | ||||
| Account simulation |
Displays the Account Simulation view allowing you to simulate changes to group membership to see the access that would be granted or revoked.
|
Simulating the effects of group membership modifications on an account | ||||
| Manage access | Displays the Manage access view that displays the managed hosts where the selected account has access. From here, you can also view detailed group membership information. | |||||
| Toggle layout options |
Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed. |
Toggle layout options |
In addition, you can open the following views.
| View | Description | For more information |
|---|---|---|
| Resource browser | Launches the Resource browser which contains a live view of the data on the selected managed host. You can browse through the supported file systems and see all applied permissions and make changes where required. You can also see where the access on a resource differs from its parent and manage that access. | |
| Governed data | Displays the Governed data view to view all the resources within the selected host that have been placed under governance. |