Skip to content

Configuring and Scheduling the Permissions Collection

Permissions can be analyzed to determine the application permissions of an application, provided you have defined an identity store for Data Access Security to use in its analysis, and you have run a crawl for the application.

Users should always run the crawl task before running a permission collection task.

To configure the permission collector: 1. Go to Admin > Applications. 2. Scroll through the list, or use the filter to find the application. 3. Click the edit icon on the line of the application. 4. Select Next until you reach the Crawler & Permissions Collection settings page.

Note

The entry fields vary by application type.

When entering this page in edit mode, navigate between the various configuration windows using the Next and Back buttons.

Scheduling a Task

To create a schedule:

  1. Select Create a Schedule.
  2. The system will provide a Schedule Task Name in the format {appName} - {type} Scheduler. Choose to keep or override this suggestion.
  3. Select a scheduling frequency from the dropdown list.

    Schedule Frequency Options
    • Once - Single execution task runs.
    • Run After - Create dependency of tasks. The task starts running only upon successful completion of the first task.
    • Hourly - Set the start time.
    • Daily - Set the start date and time.
    • Weekly - Set the day(s) of the week on which to run.
    • Monthly - Set the day of the month on which to run a task.
    • Quarterly - Set a monthly schedule with an interval of 3 months.
    • Half Yearly - Set a monthly schedule with an interval of 6 months.
    • Yearly - Set a monthly schedule with an interval of 12 months.
  4. Fill the Date and Time field with scheduling times. These fields differ depending upon the scheduling frequency selected.

  5. Select the Active checkbox to activate the schedule.
  6. Select Next.

Configuring and Scheduling the Crawler

To set or edit the Crawler configuration and scheduling

  • Open the edit screen of the required application.
  • Navigate to Admin > Applications.
  • Scroll through the list, or use the filter to find the application.
  • Click the edit icon on the line of the application.
  • Press Next until you reach the Crawler & Permissions Collection settings page. The actual entry fields vary according to the application type.

Calculate Resource Size

Determine when, or at what frequency, Data Access Security calculates the resources' size.

Select one of the following:

  • Never
  • Always
  • Second crawl and on (This is the default)

Create a Schedule

Click to open the schedule panel.

Setting the Crawl Scope

There are several options to set the crawl scope:

  • Setting explicit list of resources to include and / or exclude from the scan.
  • Creating a regex to define resources to exclude.

Including and Excluding Paths by List

To set the paths to include or exclude in the crawl process for an application

  • Open the edit screen of the required application.
  • Navigate to Admin > Applications.
  • Scroll through the list, or use the filter to find the application.
  • Click the edit icon on the line of the application.
  • Press Next until you reach the Crawler & Permissions Collection settings page. The actual entry fields vary according to the application type.

  • Scroll down to the Crawl configuration settings.

  • Click Advanced Crawl Scope Configuration to open the scope configuration panel.
  • Click Include / Exclude Resources to open the input fields.
  • To add a resource to a list, type in the full path to include / exclude in the top field and click + to add it to the list.
  • To remove a resource from a list, find the resource from the list, and click the x icon on the resource row.

When creating exclusion lists, excludes take precedence over includes.

Excluding Paths by Regex for AWS S3 Buckets

Data Access Security uses a path name in the following structure:

Path Structure: Root/[OU]/[Account]/[Bucket Path]/[Folder]/[Filename]

Component structure: Root/[OU]/[OU2]/Account name/s3.[region].[bucket name]/[folder]/[file name]

Example: Root/Example-OU/Example-Account(#420269343516)/s3.north-east-17.HR3InputDataBucket/Prospects/CVs/SueSmithPM.Docx

Root

All paths start with "Root/"

OU

The organizational unit. This could be empty, or include a sting of one or more OUs, according to the BR hierarchical structure.

Account

Since account names are not unique under an organization, this string includes the account ID and the account name

[Account name](#[Account ID])

Bucket Path

The bucket section of the path starts with "s3." and includes the region

s3.[region].[bucket]

To set filters of paths to exclude in the crawl process for an application using regex.

  • Open the edit screen of the required application.
  • Navigate to Admin > Applications.
  • Scroll through the list, or use the filter to find the application.
  • Click the edit icon on the line of the application.
  • Press Next until you reach the Crawler & Permissions Collection settings page. The actual entry fields vary according to the application type.

  • Click Exclude Paths by Regex to open the configuration panel.

  • Type in the paths to exclude by Regex, See regex examples in the section below. Since the system does not collect BRs that match this Regex, it also does not analyze them for permissions.

Crawler Regex Exclusion Examples

The following are examples of crawler Regex exclusions:

Exclude all drives which start with one or more user names:

  • Starting with John.Doe: ^Team Members\/John\.Doe@.*

  • Starting with John.Doe or Jane.Doe: ^Team Members\/(John|Jane)\.Doe@.*

Include ONLY drives which start with one or more user names:

  • Starting with John.Doe: ^(?!Team Members\/John\.Doe@.*).*

  • Starting with John.Doe or Jane.Doe: ^(?!Team Members\/(John|Jane)\.Doe@.*).*

Narrow down the selection:

  • Include only the C$ drive shares: \\server_name\*C$:(?!\\\\server_name\\*C*\$($|\\.*)).*
  • Include only one folder under a share: \\server\share\*folderA*: ^(?!\\\\server_name\\share\$($|\\*folderA*$|\\*folderA*\\.*)).*
  • Include all administrative shares: ^(?!\\\\server_name\\[a-zA-Z]\$($|)).*

Notes

  • To use a backslash or $ sign, add a backslash before it as an escape character.

  • To add a condition in a single command, use a pipe character |.

Excluding Top Level Resources

Use the top level exclusion screen to select top level roots to exclude from the crawl. This setting is done per application.

To exclude top level resources from the crawl process

  1. Open the application screen Admin > Applications
  2. Find the application to configure and click the drop down menu on the application line. Select Exclude Top Level Resources to open the configuration panel.
  3. Run Task The Run Task button triggers a task that runs a short detection scan to detect the current top level resources. Before running the task for the first time, the message above this button is: "Note: Run task to detect the top-level resources" If the top level resource list has changed in the application while you are on this screen, press this button to retrieve the updated structure. Once triggered, you can see the task status in Settings > Task Management > Tasks This will only work if the user has access to the task page When the task has completed, select Refresh to update the page with the list of top level resources.
  4. Click the top level resource list, and select top level resources to exclude.
  5. Select Save to save the change.
  6. To refresh the list of top level resources, run the task again. Running the task will not clear the list of top level resources to exclude.