Enabling Access Fulfillment for an Application

Access fulfillment is enabled per application, in the application settings screen, for applications that support fulfillment. Refer to the compatibility table in Compass for the full list.

To enable Access Fulfillment for an application:

  1. Go to Admin > Applications to open the Configuration page of the required application.

  2. Scroll through the list, or use the filter to find the application.

  3. Select the edit icon on the line of the application.

  4. Select Next until you reach the Access Fulfillment settings page.

    The setting pages and entry fields vary according to the application type.

  5. For non-normalized resources, you can select Enable Access Fulfillment for Revoking Explicit Permissions. Refer to Access Fulfillment for Removal of Explicit Permissions.

  6. Select Enable Access Fulfillment for Normalized Groups.

    • Identity Collector - Fulfillment requires an identity collector in order to run. If you did not select an identity collector in the General Details configuration page, you can select one from the dropdown list now.

      If there is no identity collector defined for this application, or if you want to use a different identity collector than the ones in the dropdown list, you can create a new identity collector in the Administrative Client at Applications > Configuration > Permissions Management > Identity Collectors.

      Refer to Create/Edit an Active Directory Identity Collector for more details on creating an identity collector.

    • Managed Group OU (DN) - The organizational unit in which the managed permission groups will be created. Make sure that the chosen identity collector’s user has permissions to create groups under this location (e.g. OU=FileAccessManagerManaged, DC=SailPoint, DC=COM).

      • OU - Organizational Unit

      • DN - Distinguished Name.

    • How to Handle ‘List Folder Contents’ Permissions:

      • Create and manage a dedicated permissions group for it. This is the default value.

      • Revoke these permissions

      • Not relevant for SharePoint

    • How to Handle Inexact Permissions Matches - During the normalization process, the application has to decide what to do with permissions that do not match the normalized permissions:

      • Fail the normalization process

      • Elevate to the nearest permission match

      • Revoke the permission

  7. Open the Advanced Settings panel for additional settings:

    • Group Cache Sync Interval(sec) - This setting adds a pause to the process of setting normalized permissions on the resource, which allows the endpoint's local AD groups cache to sync the newly created managed groups.

      • The default is 0, meaning the process does not pause.

    • Use Template Permission Group - Template groups are created per application and added as a template to every managed resource. These groups are not managed by File Access Manager, and are usually used to ensure that users who need application-wide access such as backup or archiving users have access.

      • Select for each permission group whether File Access Manager should create a group or whether to use an existing group, for the following groups:

        • List Folder Contents

        • Read & Execute

        • Modify

        • Full Control

      • If you select Use an Existing Group, select the required group to use from the dropdown list.

Once an application is enabled for access fulfillment, you can set specific resources to be normalized using the Manage Normalized Resources page.
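
To see what each "How to Handle Inexact Permissions Matches" option in step 6 means for least privilege, the following added example (not SailPoint code, and not the product's actual matching algorithm) models the three choices over standard NTFS access masks. It assumes "nearest match" means the lowest normalized level that covers every right already granted; the function name and the sample masks are constructed for illustration.

```python
# Illustrative model only: not File Access Manager's normalization algorithm.
# Standard NTFS access masks for the permission levels named on this page.
# "List Folder Contents" shares the Read & Execute mask and differs only in
# inheritance flags, so it is not modeled separately here.
LEVELS = [  # ordered from least to most privileged
    ("Read & Execute", 0x1200A9),
    ("Modify", 0x1301BF),
    ("Full Control", 0x1F01FF),
]

RIGHTS = {  # individual rights, used to report what an elevation adds
    0x000002: "create files / write data",
    0x000004: "create folders / append data",
    0x000010: "write extended attributes",
    0x000020: "traverse / execute",
    0x000040: "delete subfolders and files",
    0x000100: "write attributes",
    0x010000: "delete",
    0x040000: "change permissions",
    0x080000: "take ownership",
}

READ_WRITE = 0x12019F  # constructed sample: Read + Write, matches no level
READ_ONLY = 0x120089   # constructed sample: Read without execute


def normalize(mask, policy):
    """Return (action, level, rights_added) for one ACE access mask.

    policy is one of "fail", "elevate" or "revoke" (assumed names).
    """
    for name, level_mask in LEVELS:
        if mask == level_mask:
            return ("keep", name, [])          # exact match, nothing to decide
    if policy == "fail":
        raise ValueError(f"inexact permission 0x{mask:06X}: normalization failed")
    if policy == "revoke":
        return ("revoke", None, [])            # access is removed entirely
    if policy == "elevate":
        for name, level_mask in LEVELS:
            if mask & ~level_mask == 0:        # level covers every granted right
                added = level_mask & ~mask     # rights the user did not have before
                return ("elevate", name,
                        [desc for bit, desc in RIGHTS.items() if added & bit])
    raise ValueError(f"unknown policy or unmappable mask: {policy!r}")


if __name__ == "__main__":
    print(normalize(READ_WRITE, "elevate"))
```

In this model, elevating a Read + Write entry to Modify adds the delete right, which is the kind of change worth reviewing before choosing elevation over failing or revoking.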