Capabilities
This connector enables you to use File Access Manager to access and analyze data stored in Box and do the following:
- Analyze the structure of your stored data.
- Monitor user activity in the resources.
- Classify the data being stored.
- Verify user permissions on the resources, and compare them against requirements.
- Manage access fulfillment (automated granting and revoking of access) according to rules set in File Access Manager.
- Identity collector – collect IAM users, groups and roles and the connections between them.
See the File Access Manager documentation for a full description.
Box Connector Installation Flow Overview
To install the Box connector:
- Configure all the prerequisites.
- Add a new Box application in the File Access Manager website.
- Install the relevant services:
- Activity Monitor
Note
Box currently does not support the Cloud-Ready architecture for permissions collection and data classification. Permission collection and data classification tasks run on the central engine services associated with the application, regardless of whether one or more collectors are associated with that central engine.
Installation Locations
Activity Monitor – installed remotely on a File Access Manager monitor application server, which can be a server joined to any domain, including a domain different from the monitored domain.
Box Connector Operation Principles
- File Access Manager Connector for Box uses the Box Content API for event monitoring, identity collection, and permissions collection.
- The Box Content API uses the OAuth 2.0 authorization protocol to authenticate and authorize API requests.
- SailPoint SecurityIQ for Box Connector is a registered Box App; a short authorization process grants it access to the Box API when the Box application is defined.
- After the initial authorization, File Access Manager manages the OAuth tokens automatically and refreshes the access token when needed.
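The token handling described above has one detail that matters in practice: Box access tokens are short-lived, and each refresh consumes the refresh token and returns a new one, so a collector that fails to persist the new refresh token loses access and forces the operator to repeat the interactive authorization. The following is an added example illustrating that lifecycle; it is not File Access Manager code. The `BoxTokenManager` and `FakeBoxTokenEndpoint` classes, the `post`/`persist` callbacks and the sample token values are assumptions made for the example, and the fake endpoint stands in for `https://api.box.com/oauth2/token` so nothing runs online.

```python
import time
from typing import Callable, Dict, List, Optional

# Real Box token endpoint. The example never reaches it: the HTTP POST is
# injected, so everything below runs offline against the fake endpoint.
BOX_TOKEN_URL = "https://api.box.com/oauth2/token"


class BoxTokenManager:
    """Keeps a Box OAuth 2.0 access token fresh the way a long-running
    collector must: refresh shortly before expiry and treat the refresh
    token as single-use (Box returns a new one with every refresh)."""

    def __init__(self, client_id: str, client_secret: str, access_token: str,
                 refresh_token: str, expires_at: float,
                 post: Callable[[str, Dict[str, str]], Dict[str, object]],
                 persist: Callable[[str], None], skew: float = 300.0):
        self.client_id = client_id
        self.client_secret = client_secret
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = expires_at   # unix time the access token expires
        self.post = post               # e.g. lambda url, data: requests.post(url, data=data).json()
        self.persist = persist         # must durably store each new refresh token
        self.skew = skew               # refresh this many seconds before expiry
        self.refresh_count = 0

    def get_access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if now >= self.expires_at - self.skew:
            self._refresh(now)
        return self.access_token

    def _refresh(self, now: float) -> None:
        body = {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        }
        resp = self.post(BOX_TOKEN_URL, body)
        self.access_token = str(resp["access_token"])
        # Rotation: the old refresh token is now dead, so persist the new one
        # before anything else can fail, or the app loses access and the
        # operator has to redo the interactive authorization.
        self.refresh_token = str(resp["refresh_token"])
        self.persist(self.refresh_token)
        self.expires_at = now + float(resp["expires_in"])
        self.refresh_count += 1


class FakeBoxTokenEndpoint:
    """Constructed stand-in for the token endpoint: checks grant_type, issues
    a new token pair per refresh and rejects reused refresh tokens."""

    def __init__(self, initial_refresh_token: str):
        self._live = {initial_refresh_token}
        self._issued = 0

    def post(self, url: str, body: Dict[str, str]) -> Dict[str, object]:
        if url != BOX_TOKEN_URL or body.get("grant_type") != "refresh_token":
            raise ValueError("unsupported_grant_type")
        token = body.get("refresh_token", "")
        if token not in self._live:
            raise PermissionError("invalid_grant: refresh token expired or already used")
        self._live.discard(token)
        self._issued += 1
        new_refresh = f"rt-{self._issued}"
        self._live.add(new_refresh)
        return {"access_token": f"at-{self._issued}",
                "refresh_token": new_refresh, "expires_in": 3600}


def run_scenario() -> Dict[str, object]:
    """Drive the manager through one token lifetime and report what happened."""
    endpoint = FakeBoxTokenEndpoint("rt-0")
    persisted: List[str] = []
    t0 = 1_700_000_000.0
    mgr = BoxTokenManager("client-id", "client-secret", "at-0", "rt-0",
                          expires_at=t0 + 3600, post=endpoint.post,
                          persist=persisted.append)
    first = mgr.get_access_token(now=t0)            # fresh token: no refresh
    still = mgr.get_access_token(now=t0 + 3000)     # 600 s left, above skew: no refresh
    renewed = mgr.get_access_token(now=t0 + 3400)   # inside the skew window: refresh
    # Replaying the consumed refresh token must be rejected by the endpoint.
    try:
        endpoint.post(BOX_TOKEN_URL, {"grant_type": "refresh_token",
                                      "refresh_token": "rt-0"})
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"tokens": [first, still, renewed], "refreshes": mgr.refresh_count,
            "persisted": persisted, "replay_rejected": replay_rejected,
            "expires_at": mgr.expires_at}


if __name__ == "__main__":
    print(run_scenario())
```

The `skew` value is the operational knob: collectors that run for hours should refresh well before the access token expires so an in-flight crawl is never interrupted by a 401, and the `persist` callback should write to the same store the service reads its credentials from on restart.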
Permissions Collection Operation Principles
- The File Access Manager Box Permissions Collection task uses the Box Content API to retrieve information from the Box application.
- File Access Manager creates a Box Identity Collector automatically at the end of the “Add New Application” wizard, which collects the users and groups from Box.
Note
Users will only display in the Box Resource Tree if they are an owner of a resource.
- By default, permissions are analyzed at the folder level, but they can also be analyzed at the file level. In the latter case, only uniquely managed files (files carrying permissions of their own rather than only those inherited from their folder) are displayed in the Business Resource Tree.
Unlike other application types, and to improve performance, Box permissions are also fetched from the target application during the Crawl task. They are only displayed in the client after the Permission Collection task has run, since they must first be analyzed. If the crawler was unable to fetch the permissions, the Permission Collection task fetches them instead.
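To make the folder-level versus file-level distinction and the owner rule concrete, here is an added example (not File Access Manager code) that runs the same kind of analysis over a constructed Box-style resource tree. It assumes each item's `collaborations` list holds only the collaborations set directly on that item, so inherited access is reconstructed from the folder hierarchy; it treats a file as uniquely managed when it has at least one direct collaboration; and the item ids, logins, group name and role values are invented sample data.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of Box API objects. Each item carries the
# fields the analysis needs: type, id, name, parent, owned_by and the direct
# collaborations one would get from GET /folders/{id}/collaborations or
# GET /files/{id}/collaborations (assumption: direct grants only).
SAMPLE_ITEMS = [
    {"type": "folder", "id": "0", "name": "All Files", "parent": None,
     "owned_by": "alice@example.com", "collaborations": []},
    {"type": "folder", "id": "10", "name": "Finance", "parent": "0",
     "owned_by": "alice@example.com",
     "collaborations": [
         {"accessible_by": {"type": "group", "id": "g1", "name": "finance-team"}, "role": "editor"},
         {"accessible_by": {"type": "user", "id": "u2", "login": "bob@example.com"}, "role": "viewer"},
     ]},
    # Inherits everything from Finance: not uniquely managed.
    {"type": "file", "id": "100", "name": "budget.xlsx", "parent": "10",
     "owned_by": "alice@example.com", "collaborations": []},
    # Has a collaboration of its own: uniquely managed, shown in a file-level tree.
    {"type": "file", "id": "101", "name": "payroll.xlsx", "parent": "10",
     "owned_by": "carol@example.com",
     "collaborations": [
         {"accessible_by": {"type": "user", "id": "u4", "login": "dave@example.com"}, "role": "editor"},
     ]},
    {"type": "folder", "id": "20", "name": "Public", "parent": "0",
     "owned_by": "alice@example.com",
     "collaborations": [
         {"accessible_by": {"type": "user", "id": "u5", "login": "erin@example.com"}, "role": "viewer"},
     ]},
]

Grant = Tuple[str, str, str]  # (principal, role, id of the item that granted it)


def _principal(collab: dict) -> str:
    who = collab["accessible_by"]
    return who.get("login") or who.get("name") or who["id"]


def effective_permissions(items: List[dict]) -> Dict[str, List[Grant]]:
    """Direct collaborations on each item plus everything inherited from its
    ancestor folders; each grant records where it came from."""
    by_id = {it["id"]: it for it in items}
    memo: Dict[str, List[Grant]] = {}

    def resolve(item_id: str) -> List[Grant]:
        if item_id in memo:
            return memo[item_id]
        item = by_id[item_id]
        inherited = resolve(item["parent"]) if item["parent"] else []
        direct = [(_principal(c), c["role"], item_id) for c in item["collaborations"]]
        memo[item_id] = inherited + direct
        return memo[item_id]

    return {it["id"]: resolve(it["id"]) for it in items}


def uniquely_managed_files(items: List[dict]) -> List[str]:
    """Files that a file-level analysis would surface: those with at least one
    collaboration of their own rather than only inherited grants."""
    return [it["id"] for it in items if it["type"] == "file" and it["collaborations"]]


def resource_owners(items: List[dict]) -> Set[str]:
    """Users that appear in the resource tree: owners of at least one item."""
    return {it["owned_by"] for it in items}


def principals_with_access(items: List[dict], item_id: str,
                           roles: Optional[Set[str]] = None) -> Set[str]:
    """Who can reach an item, optionally restricted to a set of Box roles."""
    grants = effective_permissions(items)[item_id]
    return {p for p, role, _ in grants if roles is None or role in roles}


if __name__ == "__main__":
    for item_id, grants in effective_permissions(SAMPLE_ITEMS).items():
        print(item_id, grants)
    print("uniquely managed files:", uniquely_managed_files(SAMPLE_ITEMS))
    print("owners in tree:", sorted(resource_owners(SAMPLE_ITEMS)))
```

Note what the folder-level default hides: `budget.xlsx` and `payroll.xlsx` sit in the same folder, yet only the second has an extra editor, and only a file-level analysis would list it. Conversely, `bob@example.com` has access to both files but owns nothing, so he never appears as a node in the resource tree; he is visible only through the permissions attached to the resources themselves.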