Enabling Access Fulfillment for an Application

Access fulfillment is enabled per application in the application settings screen, for applications that support fulfillment (see the compatibility table in Compass for the full list).

To enable Access Fulfillment for an application:

  1. Open the configuration screen of the required application.

    1. Navigate to Admin > Applications.

    2. Scroll through the list, or use the filter to find the application.

    3. Click the edit icon on the line of the application.

  2. Press Next until you reach the Access Fulfillment settings page.

    Note: The setting pages and entry fields vary according to the application type.

  3. For non-normalized resources, you can click Enable Access Fulfillment for Revoking Explicit Permissions. See Access Fulfillment for Removal of Explicit Permissions.
  4. Click Enable Access Fulfillment for Normalized Groups.

    Identity Collector

    Fulfillment requires an identity collector in order to run. If you did not select an identity collector in the General Details configuration page, you can select one from the dropdown list now.

    If there is no identity collector defined for this application, or if you want to use a different identity collector than the ones in the dropdown list, you can create a new identity collector in the Administrative Client (Applications > Configuration > Permissions Management > Identity Collectors).

    See Create/Edit an Active Directory Identity Collector for more details on creating an identity collector.

    Managed Group OU (DN)

    The organizational unit in which the managed permission groups will be created. Make sure that the chosen identity collector’s user has permissions to create groups under this location (e.g. OU=FileAccessManagerManaged, DC=SailPoint, DC=COM).

    OU refers to an Organizational Unit, and DN refers to a Distinguished Name.

    How to Handle ‘List Folder Contents’ Permissions

    Not relevant for SharePoint

    • Create and manage a dedicated permissions group for it - this is the default value

    • Revoke these permissions

    How to Handle Inexact Permissions Matches

    During the normalization process, the application has to decide what to do with permissions that do not match the normalized permissions.

    • Fail the normalization process

    • Elevate to the nearest permission match

    • Revoke the permission

  5. Open the Advanced Settings panel for additional settings:

    Group Cache Sync Interval(sec)

    This setting adds a pause to the process of setting normalized permissions on the resource. The pause allows the endpoint's local AD groups cache to sync the newly created managed groups.

    The default is 0, meaning the process does not pause by default.

    Use Template Permission Group

    Template groups are created per application and added as a template to every managed resource. These groups are not managed by File Access Manager, and are usually used to ensure that users who need application-wide access, such as backup or archiving users, have access.

    Select for each permission group whether File Access Manager should create a group or whether to use an existing group, for the following groups:

    • List Folder Contents

    • Read & Execute

    • Modify

    • Full Control

      If you select Use an Existing Group, select the required group to use from the dropdown list.

      Once an application is enabled for access fulfillment, you can set specific resources to be normalized using the Manage Normalized Resources page.
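
The three options under How to Handle Inexact Permissions Matches have different least-privilege consequences. The following is an added example, not File Access Manager code: it models the choice with the standard Windows FileSystemRights masks, and it assumes that "nearest" means the smallest normalized level that covers every right already granted. The function name `normalize` and the policy strings are hypothetical.

```python
# Illustrative model only; not how File Access Manager is implemented.
# Standard Windows FileSystemRights composite masks, least to most privileged.
NORMALIZED = [
    ("Read & Execute", 0x0200A9),
    ("Modify", 0x0301BF),
    ("Full Control", 0x1F01FF),
]

# Individual rights, used to report what an elevation would add.
RIGHT_NAMES = {
    0x000001: "ReadData/ListDirectory",
    0x000002: "WriteData/CreateFiles",
    0x000004: "AppendData/CreateDirectories",
    0x000008: "ReadExtendedAttributes",
    0x000010: "WriteExtendedAttributes",
    0x000020: "ExecuteFile/Traverse",
    0x000040: "DeleteSubdirectoriesAndFiles",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "Delete",
    0x020000: "ReadPermissions",
    0x040000: "ChangePermissions",
    0x080000: "TakeOwnership",
    0x100000: "Synchronize",
}


def normalize(mask, policy):
    """Return (normalized_level, rights_added) for one ACE access mask."""
    for name, level in NORMALIZED:
        if mask == level:
            return name, []                    # exact match: policy not used
    if policy == "fail":
        raise ValueError(f"mask {mask:#x} has no exact normalized match")
    if policy == "revoke":
        return None, []                        # the permission is removed
    if policy == "elevate":
        for name, level in NORMALIZED:
            if mask & ~level == 0:             # level covers every granted right
                extra = level & ~mask          # rights the user gains
                return name, [n for b, n in RIGHT_NAMES.items() if extra & b]
    raise ValueError(f"cannot normalize mask {mask:#x} with policy {policy!r}")


# Constructed sample: Read & Execute plus Write, but without Delete.
READ_WRITE_NO_DELETE = 0x0200A9 | 0x000116
```

Running the elevate option over existing ACEs in a model like this before enabling normalization shows which entries would gain rights such as Delete or TakeOwnership, which is the information needed to choose between elevating, revoking, and failing.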