
Identity Manager Data Governance Edition 8.0 - User Guide


Manage access view

The Manage access view appears when Manage access is selected from the tasks view. From this view, you can see the access for the selected account on all managed hosts within your environment and detailed group membership information. This view consists of the following panes:

  • Access Points: The main pane shows the results of a database query that retrieves the hosts a trustee has access to.

    Note: By default, the Filter builtin accounts (Administrators and Users) check box is selected indicating that noisy accounts (that is, accounts with indirect access granted through the BUILTIN\Administrators or BUILTIN\Users accounts) are not included in the view. To include these accounts in the Access Points pane, clear the check box at the top of the view.

  • Detailed Access Information: The lower pane is the result of an agent query that retrieves more information about the resource selected in the Access Points pane.
  • Group Memberships: The left pane displays the group membership information resolved from Active Directory from the Data Governance server.

By default, the results in the Access Points pane are grouped by the host name of the managed host. Expand a managed host and select an account in the Access Points pane to display all the resources where the selected user or group has access. Click the Group Memberships tab to view how the account has gained access through group membership. Selecting an account in the Group Memberships pane retrieves and displays the hosts where the selected trustee has access.

Note: This view is not available for NFS managed hosts.

When a resource is selected in the lower pane, you can perform the following tasks.

Table 34: Manage access view: Resource-related tasks

| Task | Description | For more information |
|---|---|---|
| Calculate perceived owners | Calculates and provides a list of the perceived owners for the selected resource using the resource activity history or security information. NOTE: Task is not available for files. | Calculating perceived owner |
| Clone account access | Copies the access rights to grant the selected access to another user or group, while maintaining the existing rights on the selected account. | Cloning, replacing, and removing access for a group of accounts |
| Copy resource path | Copies the full path of the resource to the clipboard. | |
| Copy Share Path | Copies the path of the share to the clipboard. NOTE: Task is not available for files or folders. | |
| Edit security | Displays the Edit Resource Security dialog allowing you to manage the security settings for the selected resource. Right-clicking an account on this dialog allows you to perform the following tasks: Add rights; Remove selected permissions; Remove all explicit permissions. NOTE: This dialog is the same view displayed in the lower pane of the Resource browser and Deviation view when a resource is selected. | Working with security permissions |
| Place resource under governance | Places the selected resource under governance, making it available for use in policies and attestations. NOTE: Task is not available for files. | Placing a resource under governance |
| Publish to IT Shop | Publishes the selected resource(s) to the IT Shop, making it available for employees and business owners to request and grant access to it. NOTE: Task is not available for files. NOTE: Not available for resources on Cloud managed hosts. | Publishing resources to the IT Shop |
| Refresh | Retrieves and displays the latest details in the lower pane of the view. | |
| Remove account | Removes the selected account's access from the resource. For direct access, remove the security setting from the resource ACL. For indirect access, remove the group that is on the ACL; the selected account (the one with the indirect access) remains a member of the group that had the access prior to the removal operation. | Cloning, replacing, and removing access for a group of accounts |
| Remove resource from governance | Removes the selected resource from governance. NOTE: Task is not available for files. | Removing resources from governance |
| Replace account | Replaces access to grant the currently configured access to another user or group and remove the access from the original account. | Cloning, replacing, and removing access for a group of accounts |
| Resource access report | Generates a report that identifies the accounts that have access to specific resources within your environment. | Resource access report; Viewing selected reports within the Manager |
| Resource activity report | Generates a report that provides a list of activities recorded over a period of time to verify proper resource usage and decide whether to remove access for particular accounts. NOTE: Not available for resources on Cloud managed hosts. | Resource activity report; Viewing selected reports within the Manager |
| Toggle layout options | Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed. | Toggle layout options |
| Unpublish from IT Shop | Removes a previously published resource from the IT Shop. NOTE: Not available for resources on Cloud managed hosts. | Publishing resources to the IT Shop |
| View deviations | Displays a tree view of all resources and all sub-resources below the root that have explicit security applied to them and any deviation warnings or errors encountered for the selected resource. As you select resources in the tree, you can view and manage their security. NOTE: Task is not available for files or shares. NOTE: Not available for resources on Cloud managed hosts. | Managing security deviations |

In addition, you can open the following views.

Table 35: Manage access view: Views

| View | Description | For more information |
|---|---|---|
| Account overview | Displays a graphical representation of the information returned by a Data Governance agent for the selected account. | Accounts view |
| Hosts view | Displays the managed hosts where the selected account has access. | |
| Account comparison | Displays the Account Comparison view allowing you to compare the resource access of two accounts. NOTE: This feature is not available for Cloud accounts. | Comparing accounts |
| Account simulation | Displays the Account Simulation view allowing you to simulate changes to group membership to see the access that would be granted or revoked. NOTE: This feature is not available for Cloud accounts. | Simulating the effects of group membership modifications on an account |

Related Topics

Edit resource security dialog

Edit resource security dialog

The Edit resource security dialog allows you to view or modify the security settings for the selected resource. This dialog appears when you select the Edit security task for a given resource on the Manage access view.

This dialog contains the following controls.

Table 36: Edit Resource Security dialog: Controls

| Tab | Control | Description |
|---|---|---|
| File Permissions / Folder Permissions | | Use the File Permissions or Folder Permissions tab to modify discretionary access control list (DACL) permissions for NTFS resources. |
| | Rights | Click the Rights column to alter the permissions as required. |
| | Applies To | Click the Applies To column to select how you want the permissions applied. |
| Auditing | | Use the Auditing tab to modify auditing system access control list (SACL) permissions for NTFS resources. |
| | Rights | Click the Rights column to alter the permissions as required. |
| | Applies To | Click the Applies To column to select how you want the permissions applied. |
| Control | | Use the Control tab to configure DACL inheritance settings. |
| | Current Owner of this item | Displays the current owner of the selected resource. |
| | Change Owner | Click the Change Owner button to change the owner for the selected resource. Clicking this button displays the Select Objects dialog allowing you to locate and select a different owner. |
| | Inheritance From Parent | Check boxes: "Allow inheritable permissions from the parent to propagate to this object and all child objects"; "Allow inheritable audit settings from the parent to propagate to this object and all child objects". Use these options to define how you want the settings to be inherited. NOTE: Clearing either of these check boxes causes inheritance to be blocked. Select the appropriate option on the Block Access Inheritance dialog before clicking OK to confirm this change: Copy all permissions inherited from parent and make explicit (default); Remove all permissions inherited from parent. |

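
The difference between the two Block Access Inheritance options can be seen at the NTFS level with Windows' own ACL calls. The following is an added example, not Data Governance Edition code; it assumes the two dialog options correspond to the second argument of the .NET `SetAccessRuleProtection` method, and the scratch folder names under `$env:TEMP` are constructed for the demonstration.

```powershell
# Added example: constructed scratch folders and native Windows ACL calls only;
# this is not Data Governance Edition code.
$root = Join-Path $env:TEMP 'dge-inheritance-demo'     # constructed path
Remove-Item $root -Recurse -Force -ErrorAction SilentlyContinue
$folders = 'copy-explicit', 'remove-inherited' | ForEach-Object {
    (New-Item -ItemType Directory -Path (Join-Path $root $_)).FullName
}

function Get-AceSummary([string]$Path, [string]$Stage) {
    # Report the protection flag and how many DACL entries are explicit vs inherited.
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Stage     = $Stage
        Folder    = Split-Path $Path -Leaf
        Protected = $acl.AreAccessRulesProtected   # True = inheritance is blocked
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        Inherited = @($acl.Access | Where-Object { $_.IsInherited }).Count
    }
}

function Block-Inheritance([string]$Path, [bool]$PreserveInherited) {
    $acl = Get-Acl -Path $Path
    # First argument $true blocks inheritance. Second argument selects the option:
    #   $true  = copy the inherited entries and make them explicit
    #   $false = remove every inherited entry
    $acl.SetAccessRuleProtection($true, $PreserveInherited)
    Set-Acl -Path $Path -AclObject $acl
}

# Add one explicit entry per folder so each has an entry of its own.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

$report  = @($folders | ForEach-Object { Get-AceSummary $_ 'before' })
Block-Inheritance $folders[0] $true     # copy inherited entries, make explicit
Block-Inheritance $folders[1] $false    # remove inherited entries
$report += @($folders | ForEach-Object { Get-AceSummary $_ 'after' })
$report | Format-Table -AutoSize
```

After the run both folders report Protected = True with no inherited entries. The remove-inherited folder is left with only the explicit entry added in the script, while copy-explicit keeps the parent's entries as explicit copies that no longer follow later changes made on the parent.
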
Related Topics

Working with security permissions

Modifying discretionary access control list (DACL) permissions for NTFS resources

Modifying auditing system access control list (SACL) permissions for NTFS resources

Working with SharePoint security permissions

Managing security deviations

Managing account access

Accounts view

The Accounts view appears when Accounts view is selected from the tasks list or right-click menu. The Accounts view displays the security information returned by Data Governance agents for the selected managed host. All resource types where users or groups have some level of access are included.

You can display the Accounts view from the following views in the Manager:

  • Managed hosts view
  • Resource browser
  • Governed data view

Note: This view is not available for NFS managed hosts.

The following table describes the default information displayed for each account.

Table 37: Accounts view: Default layout

| Column title | Description |
|---|---|
| Resource Type | The type of resource: File; Folder; Local User Rights; Operating System Administrative Rights; Share; Windows Service Identity. NOTE: By default, the display is grouped by resource type. Click the expansion box to the left of a resource type to expand it and display all of the accounts that have access. |
| Account Name | The name of the account that has access. |
| Account Type | The type of account: Built-in Group; Group; Special; Unknown; Machine Local User; Office 365 User; OneDrive for Business Group; SharePoint Online Group; User; Well known. |
| Namespace | The logical group (namespace) to which the account belongs: Cloud; NTFS; Windows Computer; Service Identities. |

In addition to the default columns, you can add the following columns to the view using the Column Chooser command.

NOTE: Right-click the column header and select Column Chooser to add hidden columns to the display. In the Customization dialog, double-click the required column or drag and drop it onto the column header bar.

To hide a column, right-click the column header and select Remove This Column. The column is now listed in the Customization dialog and can be re-added to the view as explained above.

Table 38: Accounts view: Hidden columns

| Column title | Description |
|---|---|
| Security Identifier (SID) | The security identifier (SID) assigned to the account. |

Accounts view tasks

When an account is selected in the Accounts view, you can perform the following tasks against the selected account.

Table 39: Accounts view: Tasks

| Task | Description | For more information |
|---|---|---|
| Account access report | Generates a report displaying the account's resource access across all managed hosts within the enterprise. Selecting this task displays the Account Access dialog allowing you to define the report parameters for running the Account access report. | Account access report; Viewing selected reports within the Manager |
| Account activity report | Generates a report displaying all the activity for the selected account against specific managed hosts. Selecting this task displays the Account Activity dialog allowing you to define the report parameters for generating the Account activity report. NOTE: This report is not available for groups. NOTE: This report is not available for Cloud/Office 365 accounts. | Account activity report; Viewing selected reports within the Manager |
| Account comparison | Displays the Account Comparison view allowing you to compare the resource access of two accounts. NOTE: The selected account is pre-populated in the Source field. NOTE: This feature is not available for Cloud/Office 365 accounts. | Comparing accounts |
| Account simulation | Displays the Account Simulation view allowing you to simulate changes to group membership to see the access that would be granted or revoked. NOTE: This feature is not available for Cloud/Office 365 accounts. | Simulating the effects of group membership modifications on an account |
| Manage access | Displays the Manage access view that displays the managed hosts where the selected account has access. From here, you can also view detailed group membership information. | Manage access view; Managing account access |
| Toggle layout options | Shows or hides the Layout controls at the top of the view, allowing you to change the layout displayed. | Toggle layout options |

In addition, you can open the following views.

Table 40: Accounts view: Views

| View | Description | For more information |
|---|---|---|
| Resource browser | Launches the Resource browser which contains a live view of the data on the selected managed host. You can browse through the supported file systems and see all applied permissions and make changes where required. You can also see where the access on a resource differs from its parent and manage that access. | Resource browser; Browsing your environment |
| Governed data | Displays the Governed data view to view all the resources within the selected host that have been placed under governance. | Governed data view; Managing resources under governance |
