Managing Data Access Security Users
All users of the business resources you want to monitor are potential Data Access Security users.
You need administrators configuring and monitoring the system, while data owners verify users who require access to the resources in their control have the appropriate access.
User Access Terminology
Data Access Security users have two main characteristics that determine their abilities in the system:
Permissions - Determine what a user has rights to, mainly which screens the user can access and which actions the user can perform on each screen.
Naming convention - In most cases, the name is the path to the screen or button being permitted.
Permission name - User-given name of the permission.
Right name - The path in Data Access History.
Scope - Determines which application, and which business resources within each application, a user has a right to perform these actions on. Scope defines business resources that the user is allowed to see on the screens, run reports on, or any other activity enabled by the user’s permissions.
For example, an Auditor has the right to run all reports, but only on the data limited by the scope assigned to them.
The following terms are used in the user interface:
- Permission - Defines a page or activity on a screen in the application the user can access.
- Capability - An aggregation of permissions.
- Users - Assigned to one or more capabilities.
The user is an object that represents an account associated with a permission.
Standard user attributes include:
- User Type - User, orphan, or local.
- User Disabled / Enabled - Whether the user account is enabled or disabled in the managed application or the identity store.
- User Domain - The security domain in the identity store in which the user is defined. For example, you can define the identity store as an Active Directory forest, in which you define the User in one of the domains of the forest.
User data is commonly part of an identity collector connected to a relevant identity store. For example, when an identity store is set as an organization's Active Directory, extended attributes may be Department and Manager.
A capability is a set of rights. Assigning a capability to a user grants them these rights.
A right allows a user to perform an action in Data Access Security. Some actions are included on the navigation menu, where options beyond a user's rights are either unavailable or grayed out.
Since a user can be associated with multiple capabilities, the user’s rights are the total of all the user’s rights in all the user’s capabilities.
Role-Based Access Control
Capabilities can be created and configured to fit your needs.
Except as stated above, capabilities apply only to the interface in which they are assigned.
After logging into Data Access Security, an Administrator can assign different capabilities to users. This is done by completing the steps below.
- Log in as an administrator user.
- Assign user access.
- Manage capabilities by assigning functionality and screen access.
- Manage user scope by defining the applications and directories a user is allowed to access.
Data Access Security security objects include:
- Data Role
User Capabilities in Data Access Security
Capabilities in Data Access Security determine what pages and actions the users can access. Capabilities are groups of rights, where a right grants access to an action or a particular page. By assigning a capability to a user, the user is given these rights.
Data Access Security comes with several capabilities configured out of the box (see System Capabilities), and more can be configured together with SailPoint professional services to meet your needs.
For full descriptions of the various types of users, see User Level Descriptions.
Report Templates Administrator - The right Reports > Report Templates > Report Templates Administrator is an administrator-level right. A user with this right can do the following:
- View all report templates
- Delete report templates
- Share report templates
To view the existing capabilities, navigate to Settings > Capabilities > Current Capabilities.
A list of all the capabilities shows the users and user groups associated with each capability. These include the system's out-of-the-box capabilities and any custom capabilities created by the users.
- To filter a single capability, select a capability from the dropdown options.
- Filter a user or user group by typing a letter – not necessarily the first letter – in the name of a prospective user or group. The output is filtered as you type, removing users from the lists of each capability.
Additional custom permission changes can be added with the assistance of SailPoint Professional Services or partners.
Adding or Deleting Capabilities for a User or Group
Complete the following to add a user account to a capabilities list:
- Navigate to Settings > Capabilities > Capabilities panel.
- Select the type of account: Group or User account.
- Search for a user or group in the Account search box.
- Select a capability from Capability dropdown box.
- Select Add to add the selected user to the selected capability or select Clear to clear your choices.
- Select Add to add the user-capability selection to the capabilities list.
Complete the following to remove a user account from a capabilities list:
- Navigate to Settings > Capabilities > Capabilities panel.
- Find the account to remove and select the X icon in the Actions column.
- Confirm or cancel the deletion.
When you have added users to the list successfully, the system displays “Users added to the list” in green for five seconds. When you have removed users from the list successfully, the system displays “Users removed from the list” in blue for five seconds.
Adding a Right to a User
Adding a right to users is similar in concept to adding permissions.
Capability management activities such as listing rights in each capability, adding rights to capabilities, and creating new capabilities are performed in the database. These permission changes can be added with the assistance of SailPoint Professional Services or Partners.
- Identify the right according to the path within the application to the screen, panel, button and/or functionality to which you want to define the right.
- Assign the user a capability that has this right, using one of the following methods. The steps are divided into activities done in the database and those done in Data Access Security:
Method 1 - In the database, find a capability that already has the right. In Data Access Security, assign that capability to the user. Because a capability is assigned as a whole, the user also receives every other right in that capability, not only the one you intended.
Method 2 - In the database, add the right to an existing capability. In Data Access Security, assign that capability to the user if they do not already hold it. Because the right is added to the capability itself, every user who holds that capability is granted the right, not only the user you intended.
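The following Python model is an added example, not code from Data Access Security or SailPoint, and it illustrates two points from this page: that a user's effective rights are the union of all rights in all their capabilities, checked together with scope (see User Access Terminology), and the side effects of Method 1 and Method 2 above. The right names, capability names, users and application names are constructed for the example; only the path-style naming convention and the Report Templates Administrator right are taken from the page.

```python
from dataclasses import dataclass, field

# Constructed right names following the page's path-style naming convention.
# Apart from the Report Templates Administrator right, these are assumptions,
# not the product's real right names.
RUN_REPORTS = "Reports > Run Reports"
VIEW_TEMPLATES = "Reports > Report Templates > View"
DELETE_TEMPLATES = "Reports > Report Templates > Delete"
ADMIN_TEMPLATES = "Reports > Report Templates > Report Templates Administrator"


@dataclass
class Capability:
    """A capability is a named set of rights."""
    name: str
    rights: set = field(default_factory=set)


@dataclass
class User:
    """A user holds zero or more capabilities and a scope of applications."""
    name: str
    capabilities: list = field(default_factory=list)
    scope: set = field(default_factory=set)


def effective_rights(user):
    """A user's rights are the union of the rights of all their capabilities."""
    rights = set()
    for cap in user.capabilities:
        rights |= cap.rights
    return rights


def is_allowed(user, right, application):
    """Both checks must hold: the right (permission) and the application (scope)."""
    return right in effective_rights(user) and application in user.scope


def assign_capability(user, cap):
    """Method 1: assigning a capability grants every right in it, not just the one wanted.
    Returns the user's new effective rights so the extra rights are visible."""
    if cap not in user.capabilities:
        user.capabilities.append(cap)
    return effective_rights(user)


def add_right_to_capability(cap, right, all_users):
    """Method 2: adding a right to a capability grants it to every user holding
    that capability. Returns the names of all users whose rights changed."""
    cap.rights.add(right)
    return sorted(u.name for u in all_users if cap in u.capabilities)


def demo():
    # Constructed sample data: two capabilities, two users on different scopes.
    auditor = Capability("Auditor", {RUN_REPORTS, VIEW_TEMPLATES})
    templates_admin = Capability("Report Templates Administrator",
                                 {VIEW_TEMPLATES, DELETE_TEMPLATES, ADMIN_TEMPLATES})
    alice = User("alice", [auditor], scope={"FileServerA"})
    bob = User("bob", [auditor], scope={"FileServerA", "FileServerB"})
    users = [alice, bob]

    result = {}
    # Permission present and application in scope.
    result["alice_in_scope"] = is_allowed(alice, RUN_REPORTS, "FileServerA")
    # Permission present but application outside alice's scope.
    result["alice_out_of_scope"] = is_allowed(alice, RUN_REPORTS, "FileServerB")
    # Application in scope but the right is not in any of alice's capabilities.
    result["alice_no_right"] = is_allowed(alice, DELETE_TEMPLATES, "FileServerA")

    # Method 1: give alice DELETE_TEMPLATES by assigning the capability that has it.
    # She also receives ADMIN_TEMPLATES, which she was not meant to get.
    result["method1_rights"] = assign_capability(alice, templates_admin)

    # Method 2: give bob DELETE_TEMPLATES by adding it to Auditor.
    # Every Auditor holder, including alice, is affected.
    result["method2_affected"] = add_right_to_capability(auditor, DELETE_TEMPLATES, users)
    result["bob_rights"] = effective_rights(bob)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Before changing a capability in the database, list every user and group that holds it (Settings > Capabilities > Current Capabilities) so the blast radius of Method 2 is known, and before assigning a capability, review all of its rights so that Method 1 does not grant more than the one right that was requested.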