When you select Manage access for a user or group, you will see all the resources they have access to on the managed hosts within your organization. This access may be applied directly or indirectly (gained through group membership).
From here, you can select to clone, replace, or remove access for a single account or for multiple users and groups at once. It is important to note that all actions are made on the actual security settings for the resource; actions will not alter group membership.
- Cloning access grants the selected access to another user or group, while maintaining the existing rights on the selected account.
- Removing direct access removes the security setting from the resource ACL. For indirect access, the group that is on the ACL is removed; the selected account (the one with the indirect access) remains a member of the group that had the access prior to the removal operation.
- Replacing access grants the currently configured access to another user or group and removes the access from the original account.
You can view the progress of these changes by selecting Data Governance | Background Operations in the Navigation view.
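The following Python sketch is an added example, not product code. It models the clone, remove and replace operations described above on a constructed ACL, to show that removing indirect access deletes the group's entry, which also affects the other members of that group, while group membership itself is unchanged. All names, the sample share, and modelling replace as clone followed by remove are assumptions.

```python
# Constructed model, not product code. An ACL is a set of (trustee, right)
# entries per resource; group membership lives separately and is never edited.
RES = r"\\fs01\budget"                                    # constructed sample share
MEMBERS = {"Finance": {"alice", "bob", "carol"}}          # constructed sample data
ACL = {RES: {("Finance", "Modify"), ("alice", "Read")}}


def access(account, resource):
    """Return {(trustee_on_acl, right)} for the account: direct entries name
    the account itself, indirect entries name a group it belongs to."""
    trustees = {account} | {g for g, m in MEMBERS.items() if account in m}
    return {(t, r) for (t, r) in ACL[resource] if t in trustees}


def clone(account, resource, target):
    """Grant target the same rights; the source account keeps its own."""
    for _trustee, right in access(account, resource):
        ACL[resource].add((target, right))


def preview_remove(account, resource):
    """List the ACL entries a removal would delete, plus every other account
    that loses the access granted through a group entry being removed."""
    entries = access(account, resource)
    others = set()
    for trustee, _right in entries:
        others |= MEMBERS.get(trustee, set()) - {account}
    return entries, others


def remove(account, resource):
    """Delete the entries from the ACL; MEMBERS is left untouched."""
    entries, others = preview_remove(account, resource)
    ACL[resource] -= entries
    return others


def replace(account, resource, target):
    """Assumption: modelled as clone followed by remove."""
    clone(account, resource, target)
    return remove(account, resource)
```

Calling `preview_remove` before `remove` shows which other accounts depend on the same group entry, which is the check to make before removing indirect access.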
- In the Navigation view, select Data Governance | Security Index.
- In the Accounts result list, double-click a user or group, and select Manage access in the Tasks view.
- Browse through the managed hosts and resource types.
- In the bottom pane, select the resource and select one of the following tasks from the Tasks view:
  - Clone account access to copy the account access for a new user or group. Select the user or group that you want to have this access, and click OK.
  - Replace account to grant the currently configured access to another user or group. Select the user or group that you want to replace the existing user or group with, and click OK.
  - Remove account to remove the selected account's access from the resource. Click Yes on the confirmation dialog to confirm the operation.
Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.