立即与支持人员聊天
与支持团队交流

Identity Manager Data Governance Edition 9.2.1 - User Guide

One Identity Manager Data Governance Edition User Guide Data Governance node and views Administering Data Governance Edition Managing unstructured data access
Managing resource access Managing account access Working with security permissions Working with SharePoint security permissions Account access modeling Bringing data under governance
Classifying governed resources Managing governed resources using the web portal Data Governance Edition reports Troubleshooting EMC, NetApp Filer, and SharePoint configuration details PowerShell commands Governed data attestation policies Governed data company policies Governed data risk index functions

Browsing your environment

A key challenge in improving data governance is keeping track of permissions within your environment. To ensure that data is secured in a manner that meets your business needs, you must be able to easily identify who has been given access and manage that access appropriately.

Once you have added a managed host, you can view access to its data through the:

  • Resource browser: This is a live view of data on the managed host. You can browse through the supported file systems and see all applied permissions and make changes where required. For more information, see Working with security permissions.

    Through the Resource browser you can also identify, in an easy to browse tree view, where the access on a resource differs from its parent and manage that access.For more information, see Managing security deviations.

  • Accounts view: This view displays the security index returned by Data Governance agents, which is controlled by the schedule and settings for each agent. You can browse to an account, and see all the data to which they have access on the managed host. For more information, see Managing account access.
  • Manage access view: This view summarizes the type of data to which an account has access and the specific data of that type. From here, you can also view detailed group membership information. For more information, see Managing account access and Viewing group membership. (You can only manage directly applied access from the Accounts view and the Security Index node. Accounts with indirect access, through group membership, can be managed from the Active Directory view.)

    Note: You can also view governed data access by selecting a user or group’s Account Overview.

    Note: You can also select to manage access from Active Directory users and groups. Select Active Directory in the Navigation view, select the required user or group, and select Manage access from the Tasks view.

Once you have located the data, you can edit the security as required or place it under governance to control access to it. For more information, see Bringing data under governance.

To view the access on a specific resource

  1. In the Navigation view, select Data Governance | Managed hosts.

    Note: To group this view by host type, right-click on the Host Type column header and select Group By This Column. If the Host Type column is not displayed, right-click on the column headers, select Column Chooser and drag Host Type into the column header.

  2. Open the Resource browser using one of the following methods:
    • Double-click the required managed host in the Managed hosts view.
    • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
  3. In the Resource browser, double-click through the resources to locate the required resource.

    The Resource browser displays the following information:

    • For a Windows computer, the shares and file system display.
    • For a SharePoint farm, each farm is represented as a hierarchy, with the farm as the top level, followed by web applications, site collections, sites and then the contents of the site. The contents of a list are shown as “list item”, regardless of the type of item in SharePoint. The Resource browser displays a list of the web applications on the selected farm.
    • For a Distributed File System Root, links are displayed at the top level. Browsing into a link shows its target paths and browsing into a target path takes you to the appropriate backing folder. While browsing a backing folder, the Distributed File System path is shown in the Location field at the top of the page.
    • For Cloud managed hosts, each site is represented by a folder hierarchy, with the Home top level site displayed as Site contents folder, followed by all other subsites. Each site contains a Site contents folder encompassing other nested folders. The contents of a site and document library are shown as "folder" type, whereas, files are shown as "file" type items. No other resource types are managed for Cloud managed hosts.

      NOTE: The Resource browser and resource access reports do not display the limited access users or "previewer" accounts.

    You can use the Location field, at the top of the page, to view your current location. If you have navigated too far, you can move back by clicking the Up One Level button.

  4. Select a resource in the top pane to display the permissions applied to that resource.

To view a selected user or group’s access on all managed hosts in your environment

  1. In the Navigation view, select Data Governance | Security Index.
  2. In the Accounts result list, double-click the required user or group.
  3. In the Tasks view, select Manage access.

    All the access points for the selected user or group are displayed. By default, the results are listed by managed host.

  4. Expand a managed host to display all the resources where the selected user or group has access.

    You are able to see if the access has been granted explicitly (Directly held — the account is in the ACL) or through group membership (Indirectly held — the account belongs to a group that is in the ACL).

  5. Browse through the managed hosts and their resources to view and manage the security on the object.

    Once you have located the resource, you can select to manage its access and create reports that detail account access and group membership information.

To view all the users and groups that have access on a specific managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select the required managed host from the Managed hosts view.
  3. In the Tasks view, select Accounts view.

    All resource types where users and groups have some level of access displays. By default, the results are grouped by resource type.

  4. Expand a resource type to display all the accounts that have access.

    For more information, see Managing account access.

Searching for resources

You can quickly and easily locate specific resources to manage through the search option.

Note: The search feature is not available for SharePoint and DFS managed hosts.

Once you have located the resource, you can place the resource under governance so that it is available to use in policies and attestations, publish it to the IT Shop so that it is available for employees and business owners to request and grant access to it, assign a business owner, or edit the security as required.

To search for a resource

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:
    • Double-click the required managed host in the Managed hosts view.
    • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
  3. Select a share or a local path to enable the search controls in the top right corner.
  4. In the search field, enter the search criteria.

    You can use the * character to search for resources. For example, enter Finance* to return all resources that begin with Finance, *.txt returns all resources that end with .txt, and *Fin* returns all resources that contain Fin in their name.

  5. By default all items that match your query are returned. To limit the search results, click the arrow control to the right of the search button and select how many items you would like to return.

    You have the option of returning the top 100, 200, or 500 results, or all the items that match your query.

  6. Click the Search button.

Managing account access

As people join, depart, and move through your organization, you need to change their data access. With Data Governance Edition, you can validate that users and groups have been granted access to all the resources they need, ensure that they do not have access to excess resources, and manage their access when problems arise.

Whether you select to manage a particular user or group through the Security Index node in the Navigation view or through the Accounts view for a selected managed host, you have access to all the detailed security index information that has been returned by the agents within your environment.

You are able to:

  • View the group membership information for the selected account
  • Clone, replace, or remove the account access on a resource
  • Place a resource under governance and publish it to the IT Shop
  • Edit resource security for selected resources

Before altering access for users or groups, you may want to compare accounts or view the potential effects of group membership changes. For more information, see Comparing accounts.

Note: To identify where accounts have access, for SharePoint web apps that use Windows claims, the claim is associated with the relevant Active Directory account for all governed data.

To view access for a specific managed host

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Select the required managed host from the Managed hosts view.
  3. Select Accounts view from the Tasks view or right-click menu.

    All resource types where users and groups have some level of access displays. By default, the results are grouped by resource type. Expand a resource type to display all the accounts that have access.

  4. Browse through the resources, select the required user or group, and select Manage access from the Tasks view or right-click menu.

    The Manage Access view appears displaying the managed hosts where the selected user or group has access.

  5. Select the Group Memberships tab to see how the account has gained access through group membership.

    Note: This tab is not available for SharePoint account types.

    The first level beneath the root is all the groups for which the account is a direct member. The groups contained beneath each of those groups the account has gained access indirectly from the first-level groups, and so on.

  6. Click the pin icon to dock the window and select a group to see their access on all managed hosts within your environment.
  7. Drill down through the managed hosts and the resource types to locate the required resource.

    You are able to see if the access has been granted explicitly (Directly held — the account is in the ACL) or through group membership (Indirectly held — the account belongs to a group that is in the ACL).

  8. Select a resource in the lower pane.

    Once you have located the resource, you can place the resource under governance to secure it; publish it to the IT Shop so that it is available for users and business owners to request and grant access to it; copy, remove, or replace access on the resource; edit the security as required; and create reports that detail account access and group membership information.

To manage access for a specific user or group

  1. In the Navigation view, select Data Governance | Security Index.

    All the users and groups that have been returned by the agent's scan is available in the Accounts result list.

  2. Select the required user or group from the Security Index view and select Manage access from the Tasks view or right-click menu.

    From here, you can see the access for a selected user or group on all managed hosts within your environment. You can quickly see whether this access has been granted explicitly (Directly held — the account is in the ACL) or through group membership (Indirectly held — the account belongs to a group that is in the ACL) and select to manage their access.

  3. Select the Group Memberships tab to see how the account has gained access through group membership.

    The first level beneath the root is all the groups for which the account is a direct member. The groups contained beneath each of those groups the account has gained access indirectly from the first-level groups, and so on.

  4. Click the pin icon to dock the window and select a group to see their access on all managed hosts within your environment.
  5. Drill down through the managed hosts and select the required resource.

    Once you have located the resource, you can place the resource under governance to secure it; publish it to the IT Shop so that it is available for users and business owners to request and grant access to it; copy, remove, or replace access on the resource; edit the security as required; and create reports that detail account access and group membership information.

Related Topics

Viewing group membership

Cloning, replacing, and removing access for a group of accounts

Adding an account to a resource with no associated access information

Bringing data under governance

Working with security permissions

Viewing group membership

Because user and group access may be the result of several layers of nested groups, it may be difficult to assess how a specific account has gained access to a resource. Using the Group Memberships view, you can easily see group membership, computers, and resource types where the user or group has both direct access and indirect access by group membership and ensure that group access is properly assigned.

To view group membership information

  1. In the Navigation view, select Data Governance | Security Index.
  2. Select a user or group in the Security Index view and select Manage access from the Tasks view or right-click menu.
  3. On the Manage Access view, click the Group Memberships tab to view all group members for the selected user or group — both direct and indirect.

    Note: The Group Membership tab is only available for Active Directory users and groups.

    This opens a tree view with the selected account at the root. The first level beneath the root is all the groups for which the account is a direct member. The groups contained beneath each of those groups the account has gained access indirectly from the first-level groups, and so on. This view allows you to select any group to see the resource access granted by being a member of that particular group.

  4. Click the pin icon to dock the window and select a group to see their access on all managed hosts within your environment.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级