
Collecting Data Stored in an External Application

Terminology

  • Connector - The collection of features, components and capabilities that comprise File Access Manager support for an endpoint.

  • Collector - The “Agent” component or service in a Data Classification and/or Permission Collection architecture.

  • Engine - The core service counterpart of this architecture.

  • Identity Collector - A logical component that fetches identities from an identity store and holds the configuration and settings for that identity store, as well as the relations between these identities. The identity collector has no “physical” manifestation. The actual work is done by the Collector Synchronizer.

Configuring Data Collection and Analysis

The list below describes the high-level installation process required to collect and analyze data from an external application. Most of these components should already be set up in your File Access Manager installation. See the server Installation guide for further details.

  • Install a Data Classification central engine

    • One or more central engines, installed using the server installer.
  • Install a Permission Collection central engine

    • One or more central engines, installed using the server installer.
  • Create an Application in File Access Manager

    • From the Business Website. The application is linked to central engines listed above.
  • Add an Activity Monitor

    • To collect activities for this application, run the Collector Installation Manager and add an application under Activity Monitoring.

Installation Locations

Activity Monitor – Installed remotely on a File Access Manager monitor application server, which can be a server joined to any domain, including a domain different from the monitored domain.

Box Connector Operation Principles

  • File Access Manager Connector for Box uses the Box Content API for event monitoring, identity, and permissions collection.
  • The Box Content API uses the OAuth 2.0 authorization protocol to authenticate and authorize API requests.
  • SailPoint SecurityIQ for Box Connector is a registered Box App, which requires a short authorization process to use the Box API during the definition of the Box application.
  • After the initial authorization process, File Access Manager handles the OAuth token management automatically and refreshes the token if needed.
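
The token handling described in the last point, sketched as an added example (this is not File Access Manager or Box code). It assumes the token endpoint issues a new refresh token on every refresh and invalidates the old one; `FakeTokenEndpoint`, `TokenStore`, `SKEW` and all token values are constructed for illustration.

```python
import time

SKEW = 60  # refresh this many seconds before the stated expiry (assumed value)

class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth 2.0 token endpoint with single-use refresh tokens."""
    def __init__(self, first_refresh_token):
        self.valid, self.count = first_refresh_token, 0

    def refresh(self, refresh_token):
        if refresh_token != self.valid:
            raise PermissionError("invalid_grant")  # replayed or stale refresh token
        self.count += 1
        self.valid = f"rt-{self.count}"
        return {"access_token": f"at-{self.count}",
                "refresh_token": self.valid, "expires_in": 3600}

class TokenStore:
    """Holds one token pair; refreshes only when the access token is near expiry."""
    def __init__(self, access, refresh, expires_at, refresh_fn, persist_fn):
        self.access, self.refresh, self.expires_at = access, refresh, expires_at
        self._refresh_fn, self._persist_fn = refresh_fn, persist_fn

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        if now < self.expires_at - SKEW:
            return self.access                      # still valid, no network call
        resp = self._refresh_fn(self.refresh)
        missing = {"access_token", "refresh_token", "expires_in"} - resp.keys()
        if missing:
            raise ValueError(f"token response missing {sorted(missing)}")
        state = {"access_token": resp["access_token"],
                 "refresh_token": resp["refresh_token"],
                 "expires_at": now + int(resp["expires_in"])}
        self._persist_fn(state)  # save first: the old refresh token is already dead
        self.access, self.refresh = state["access_token"], state["refresh_token"]
        self.expires_at = state["expires_at"]
        return self.access

def demo():
    saved, endpoint = [], FakeTokenEndpoint("rt-0")
    store = TokenStore("at-0", "rt-0", 1000, endpoint.refresh, saved.append)
    tokens = [store.get_access_token(now=t) for t in (500, 950, 4000, 4500)]
    return tokens, saved, endpoint

if __name__ == "__main__":
    print(demo()[0])
```

If the rotated refresh token is lost before it is stored, the next refresh fails with `invalid_grant` and the authorization process has to be repeated, which is why the sketch persists the new pair before returning it.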

Permissions Collection Operation Principles

  • File Access Manager Box Permissions Collection task uses the Box Content API to retrieve information from the Box application.
  • File Access Manager creates a Box Identity Collector automatically at the end of the “Add New Application” wizard, which collects the Users and Groups from Box.

    Note

    Users will only display in the Box Resource Tree if they are an owner of a resource.

  • By default, permissions are analyzed on the folder level, but can also be analyzed on the file level. If the latter is the case, the system will only display uniquely managed files in the Business Resource Tree.

In contrast to other application types, to improve performance, Box permissions are also fetched from the target application during the Crawl task.

The permissions will only display in the client after the permission collection task has run, since they must be analyzed. If the crawler was unable to fetch the permissions, the permission collection task will fetch them.