Chat now with support
Chat with Support

Change Auditor - For Advanced Users 7.1 - Technical Insight Guide

Change Auditor Services Change Auditor licensing processes Component Start-up Considerations Change Auditor network communications Coordinator internal tasks Registry Settings Change Auditor built-in fault tolerance Change Auditor protection Database Considerations Account exclusions best practices

How access rules are evaluated

When a user attempts to access a protected object, each template is evaluated separately, and the ‘deny’ access rule takes precedence over any ‘allow’ access rule. This means, that if at least one protection template evaluates to ‘deny’, attempts to access the protected object is denied. The following table illustrates the overall results of conflicting access rules:

User is allowed access

User is allowed access

User is allowed to access protected objects

User is allowed access

User is denied access

User is denied access to protected objects

User is denied access

User is allowed access

User is denied access to protected objects

User is denied access

User is denied access

User is denied access to protected objects

For Exchange Mailbox Protection templates, you can set the Mailbox owner can bypass protection option to allow the object’s owner to access his or her own mailbox, even if the protection template would normally deny access.

This override flag only affects the evaluation on a template where it is defined. It does not affect the evaluation of other protection templates.

How scheduling and location works with denied access

You can select to have the protection to always run or have it run only during specific times and control when the protection is enabled based on the location.

This section explains how the scheduling and location options affect the user and group accounts that have been denied access to protected objects.

If you have denied specific users or groups the ability to change the protected objects and you have enabled a protection schedule, those users or groups are denied access only during this time. Anytime outside of when the schedule is set to enabled, these denied accounts WILL be able to access the protected object.

When the schedule is disabled, all options are disabled with it, including any denied access to the specified users.

The scheduling options override all other protection settings.

If you have denied specific users or groups access to protected objects, but you have specified locations that can access the protected object, the denied user or group can access the protected objects from these locations.

The location options override all other protection settings.

 

 

Database Considerations

How to move the Change Auditor database and coordinator to another server

Select Tasks | Detach.
On the General page of the Attach Databases screen, click Add and select the database you copied over.

If you plan to replace the old Change Auditor coordinator/server, install a newer version of Change Auditor and it connects your existing agents to the new Change Auditor server without a problem. Make sure that you join the existing installation.

Use the following steps if your SQL database is already on another server and you do not plan to move it. This scenario installs a second Change Auditor coordinator and then disables and uninstalls the first one. All agents transition over to the new Change Auditor server.

Related Documents