Identity Manager Data Governance Edition 9.2 - User Guide

Managing security deviations

Through the Resource browser you can see how security has been applied on selected resources and implement changes as required. The Deviations view enables you to browse through a tree view and identify where subfolders and files of the identified resources have security that differs from the parent (for example, if inheritance is overridden or blocked).

Note: The Deviations view is not available for NFS managed hosts.

From this view you can also quickly address access issues and edit security where required. This helps you meet your compliance and audit goals by ensuring only authorized users can access the specific resources.

To manage security deviations

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:
    • Double-click the required managed host in the Managed hosts view.
    • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
  3. In the Resource browser, double-click through the resources to locate and select the required resource.
  4. In the Tasks view, select View Deviations.

    A tree view displays all resources and all the sub-resources below the root that have explicit security applied to them. As you select resources in the tree, their security displays in the lower pane. To see the deviation warnings or errors encountered for the selected resource, click the Click here to see warnings and errors link.

  5. Select the Folder Permissions tab or File Permissions tab.
  6. To give a user or group access to the selected resource, click in the lower pane and click Add rights in the Tasks view.
    1. Select the account to add and click Next.
    2. Select where to apply the permissions.
    3. Select the permissions to add.
    4. If applicable, select to limit the permissions to only objects and containers within the selected container.
    5. Click Finish.

    Back on the Folder Permissions or File Permissions tab, unsaved changes appear bold.

  7. To remove access, right-click the required account and select Remove all explicit permissions. Click OK to confirm the remove operation.
  8. To alter the access, select the required user or group, and click in the Rights column.
    1. Alter the permissions as required.
    2. Click the Applies To column to select how you want the permissions applied.
  9. Click the Save toolbar button to save your selections.

    You can now browse through the network to ensure that the proper access has been granted or removed.
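The deviation check described above can also be scripted for a file share. This is an added example, not part of Data Governance Edition: it walks an NTFS tree and reports every descendant whose security differs from its parent, either because inheritance is blocked or because explicit (non-inherited) ACEs are present, together with its owner. `$Root` is a placeholder path; run it as an account that can read the ACLs.

```powershell
# Added example (not part of Data Governance Edition): report NTFS resources below
# a root whose security differs from the parent, i.e. inheritance is blocked or
# explicit ACEs are present. $Root is a placeholder; run as an account that can read ACLs.
param([string]$Root = 'D:\Shares\Finance')

function Get-SecurityDeviation {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Non-inherited ACEs are the "explicit security" the Deviations view surfaces
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner                    # owner can rewrite DACL and SACL
        InheritanceBlocked = $acl.AreAccessRulesProtected  # inheritance from parent is blocked
        ExplicitAces       = $explicit.Count
        ExplicitDetail     = ($explicit | ForEach-Object {
            '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }) -join '; '
    }
}

# The root itself normally carries explicit ACEs, so only its descendants are checked
$children = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
$report = foreach ($item in $children) {
    try {
        $d = Get-SecurityDeviation -Path $item.FullName
        if ($d.InheritanceBlocked -or $d.ExplicitAces -gt 0) { $d }
    } catch {
        # Unreadable ACL (for example, access denied): report it instead of silently skipping
        [pscustomobject]@{
            Path = $item.FullName; Owner = $null; InheritanceBlocked = $null
            ExplicitAces = $null; ExplicitDetail = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Path | Format-Table -AutoSize -Wrap
```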

Assigning an owner to a resource

NOTE: This functionality is not available for NFS managed hosts.

The resource owner is an important security principal, as the owner can alter the permissions (both DACL and SACL) on any of their resources. This should not be confused with the business owner, which is not a security principal, but rather a concept where ownership is based on use and activity.

Data Governance Edition provides reports that suggest an appropriate resource owner for the data so that the IT department knows who to contact with questions regarding securing the associated resource. You can also access this information through the Resource browser. This information can help your organization clearly identify who owns resources within your organization to meet security and privacy compliance requirements.

For details, see Data owner vs. perceived owner report and Calculating perceived owner.

Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.

To change the owner for a resource

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:
    • Double-click the required managed host in the Managed hosts view.
    • Select the required managed host in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.
  3. In the Resource browser, double-click the folder or container to locate the required resource.
  4. Select the required resource. The security for the resource displays in the lower pane.

    You can use the Location field to view your current location. If you have navigated too far, you can move back by clicking the Up One Level button.

  5. Select the Control tab.
  6. The Current Owner of this item field displays the resource's current owner. Click Change Owner to select a new owner for the resource.
  7. Use the Inheritance From Parent options to select whether you would like the permissions and auditing settings to be inherited from the selected object.

    • Allow inheritable permissions from the parent to propagate to this object and all child objects.
    • Allow inheritable audit settings from the parent to propagate to this object and all child objects.
  8. Click the Save toolbar button to save your selections.

Note: This is for the NTFS resource owner only. It does not reference the One Identity Manager's concept of Business Owner.

Working with SharePoint security permissions

As with NTFS resources, SharePoint resources must be properly secured to ensure that users have the appropriate access. For information on the configuration necessary to ensure you can properly manage access, see Working with security permissions.

Using Data Governance Edition, you can determine who has access to a SharePoint resource, what permissions make up the permission levels that have been assigned, and then manage that access, including the inheritance setting of a resource. If the right permission level does not exist, you can also use Data Governance Edition to create one.

When you change security settings using Data Governance Edition, you are using the One Identity Manager delegation model. This model bypasses the native SharePoint interface to apply the permission changes, but the resulting settings are enforced by SharePoint security.

Changing the security inheritance on a resource

SharePoint security can either be inherited or unique. If it is inherited, you cannot modify any security settings, as they are defined by a parent resource. A well-structured site can reduce the number of inheritance breakages required to effectively secure your SharePoint resources. When you need to change the setting at a particular point in the hierarchy, you create new unique permissions at that point. By default, all items below the uniquely-permissioned object inherit the settings of their parent.

When you break inheritance, all current permission levels and security settings are copied, and you can then modify them as needed. Although it is easy to change to unique permissions using Data Governance Edition, care should be taken when doing this, as it requires more administration to manage unique permissions.

To change the inheritance on a SharePoint resource

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:

    • Double-click the required SharePoint farm in the Managed hosts view.
    • Select the required SharePoint farm in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.

    The web applications for the selected farm display. From here you can browse the SharePoint hierarchy.

  3. Double-click through to browse to the required resource.

    When a resource is selected, the security settings for the resource display in the Permissions pane (lower pane).

    One of the following messages appears across the top of the tab, indicating whether permissions are inherited or unique:

    • Permissions are unique. Click here to restore inheritance.
    • Permissions are inherited. Click here to break inheritance and edit permissions.
  4. To toggle the inheritance setting, click the message.
  5. Click Yes on the confirmation dialog.
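Because every inheritance break adds administration, it helps to know where they already exist. The following is an added example, not part of Data Governance Edition: it lists every subsite, list and item in a site collection whose permissions are unique, with the principals and permission levels assigned there. It assumes an on-premises SharePoint server with the Microsoft.SharePoint.PowerShell snap-in; `$SiteUrl` is a placeholder.

```powershell
# Added example (not part of Data Governance Edition): list every subsite, list and
# item in a site collection whose permissions are unique (inheritance broken), with
# who holds which permission levels there. Assumes an on-premises SharePoint server
# with the Microsoft.SharePoint.PowerShell snap-in; $SiteUrl is a placeholder.
param([string]$SiteUrl = 'http://intranet.example.local/sites/finance')

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Format-RoleAssignments {
    param($Securable)
    # Each role assignment pairs a principal (user, AD group or SharePoint group)
    # with one or more permission levels (role definitions)
    ($Securable.RoleAssignments | ForEach-Object {
        $levels = ($_.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ','
        '{0} [{1}]' -f $_.Member.Name, $levels
    }) -join '; '
}

function New-Finding {
    param($Type, $Url, $Securable)
    [pscustomobject]@{ Type = $Type; Url = $Url; Assignments = Format-RoleAssignments $Securable }
}

$site = Get-SPSite $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            # The root web always has its own permissions; only subsites count as breakages
            if (-not $web.IsRootWeb -and $web.HasUniqueRoleAssignments) {
                New-Finding 'Web' $web.Url $web
            }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    New-Finding 'List' $list.RootFolder.ServerRelativeUrl $list
                }
                # Item-level breakages cost the most to administer; slow on very large lists
                foreach ($item in $list.Items) {
                    if ($item.HasUniqueRoleAssignments) {
                        New-Finding 'Item' "$($web.Url)/$($item.Url)" $item
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }
$report | Format-Table -AutoSize -Wrap
```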

Modifying the permissions on a SharePoint resource

You can add and remove accounts from a SharePoint resource, including sites, libraries, lists, documents, and so on. You can assign Active Directory users and groups, and SharePoint groups. You can also modify the permission levels assigned to each account, if the resource has unique permissions. For more information, see Working with SharePoint permission levels.

Note: If you see a message in the list of issues that the forest or domain could not be contacted, this could be because the trusted domain has not been synchronized with One Identity Manager.

To add or remove accounts from a SharePoint resource

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:

    • Double-click the required SharePoint farm in the Managed hosts view.
    • Select the required SharePoint farm in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.

    The web applications for the selected farm display. From here, you can browse the SharePoint hierarchy.

  3. Double-click to browse to the required resource.

    When a resource is selected, the security settings for the resource display in the Permissions pane (lower pane).

  4. To add an account, click Add Account, then browse to the required account.

    Note: To add SharePoint groups, ensure that you set the Location to SharePoint. Only groups from the current site are shown.

  5. In the Permissions pane, click in the Permission Levels column that corresponds to the newly added account.

    A pop-up appears displaying all the permission levels available. Select the permission levels to assign to the new account and press Enter.

  6. To remove an account, select the account in the Permissions pane, click Remove Account and then click Yes.
  7. Click the Save toolbar button to save your selections.

To modify the permission levels assigned to an account

  1. In the Navigation view, select Data Governance | Managed hosts.
  2. Open the Resource browser using one of the following methods:

    • Double-click the required SharePoint farm in the Managed hosts view.
    • Select the required SharePoint farm in the Managed hosts view and select Resource browser from the Tasks view or right-click menu.

    The web applications for the selected farm display in the lower pane.

  3. For the account that you want to manage, click in the corresponding Permission Levels column to display the permission levels list.
  4. Select the required permission levels.

    You can see the permissions included in a permission level by hovering your cursor over the level, and you can hover over an individual permission to see its description.

  5. Press Enter to save your selections and close the permission levels list.
  6. Click the Save toolbar button to save your changes.