Capabilities (Web Client)

Capabilities in the File Access Manager website determine what pages and actions the users can access in File Access Manager. Capabilities are groups of rights, where a right grants access to an action or a particular page. By assigning a capability to a user, the user is given these rights.

File Access Manager comes with several capabilities configured out of the box and more can be configured with SailPoint professional services to meet your needs.

Basic Rights Granted to All Users

There are a set of basic rights granted to all users. These rights cannot be revoked.

Make access requests. This right can be turned off in the settings.
View access reports that have been generated for them.
Respond to certifications, access request approvals, and manual fulfillment tasks assigned to them.

System Capabilities

The capabilities below are shipped with the default configuration of File Access Manager. You can create custom capabilities to fit your needs.

Warning

The system capabilities described below should not be removed or modified.

Auditor

The auditor capability is designed for users who perform internal audits and assist in external audits of user access information within the organization.

Rights

See and manage all reports.
See and run the forensic screens.
Delete report templates.

Scope

The Auditor capability is assigned Full Scope by default. This allows users in this capability to see and run reports on all resources. It does not allow the auditor users actions that require specific resources assigned to them.

This capability does not have permission to delete query results from the Activity Forensics screen.

Data Owner

This is a capability automatically associated with anyone assigned as an owner of any business resource. Users who are assigned this role are the data owners of all the resources in their scope.

Rights

See and manage user access information around business resources in their scope

Compliance Manager

Rights

Configure and manage certification templates and campaigns.
Configure data classification policies, rules, and policy objects.
View data classification forensics - this does not include Activities.
See and run most reports. This role does not have the right Report Template Administrator. See Special Rights.

Scope

The Compliance Manager capability is assigned Full Scope by default. This allows users in this capability to see and run reports on all resources. It does not allow the compliance manager users actions that require specific resources assigned to them.

Administrator

The administrator has all the rights in File Access Manager enabled, except for Reviewer. See Special Rights.

Rights

View the administrator dashboard and statistics.
See and manage user access information for all business resources.
Configure and run data owner election processes.
Configure settings for the File Access Manager website.
Access rights granted to anyone with Administrator capability in the File Access Manager website or File Access Manager Administrative Client.
The Report Templates Administrator right. See Special Rights.

Scope

The Administrator capability is assigned Full Scope by default. This allows users in this capability to see and run reports on all resources. It does not allow the administrator users actions that require specific resources assigned to them.

The table below shows a high-level description of default capabilities, which are set with rights to access the indicated screens.

Screens	Administrator Capability	Compliance Manager Capability	Data Owner Capability	Auditor Capability
Dashboard	✓		✓¹
Resource	✓		✓
My Tasks	✓	✓	✓	✓
Reports	✓	✓	✓	✓
Compliance	✓	✓²
Forensics	✓	✓³	✓	✓
Goals	✓
Settings	✓	✓⁴

^{1 Data Owners see a limited version of the dashboards that is relevant to the capability.}

^{2 The Compliance Manager cannot access the Alert Rules under the Compliance menu.}

^{3 Compliance Managers have access to the Data Classification Forensics page only.}

^{4 Compliance Manager access to the Settings screen is limited to the Access Certification Message Template.}

For a full description of the rights set per capability, see the web_permission table in the File Access Manager database.

The capabilities in your system can be modified and new capabilities added by the administrators and implementation teams, so your implementation may differ from the table above.

Special Rights

Report Templates Administrator

The right Reports > Report Templates > Report Templates Administrator is an administrator-level right. A user with this right can do the following:

View all report templates
Delete report templates
Share report templates

Reviewer

The reviewer is a central part of the review process involving Access Certification and Access Requests. The Reviewer right enables the user to approve access requests for resources that are in their scope, and the responsibility to review and approve the access certification process. This right is not included by default in the Administrator capability.

The Data Owner and Reviewer are not necessarily the same entity. The Data Owner capability has the Reviewer right by default, but you could define a separate capability with the Reviewer right that is not a Data Owner.

Viewing Capabilities

To view the existing capabilities, go to Settings > Capabilities > Current Capabilities.

A list of all the capabilities shows users and user groups associated with each capability. These include the system's out of the box capabilities and any custom capabilities created by the users.

To filter a single capability, select a capability from the dropdown options.
Filter a user or user group by typing a letter - not necessarily the first letter - in the name of a prospective user or group. The output is filtered as you type, removing users from the lists of each capability.

Additional custom permission changes can be added with the assistance of SailPoint Professional Services or partners.

Adding Capabilities to a User or Group (Web Client)

To add a user account to a capabilities list:

Go to Settings > Capabilities > Capabilities panel.
Select the type of account: Group or User account.
Search for a user or group in the Account search box.
Select a capability from Capability dropdown box.
Select Add to add the selected user to the selected capability or select Clear to clear your choices.
Select Add to add the user-capability selection to the capabilities list.

When you have added users to the list successfully, the system displays “Users added to the list” in green for five seconds.

Removing a User Account from a Capabilities List (Web Client)

Go to Settings > Capabilities > Capabilities panel.
Find the account to remove and select the X icon in the Actions column.
Confirm or cancel the deletion.

When you have removed users from the list successfully, the system displays “Users removed from the list” in blue for five seconds.

Adding a Right to a User (Web Client)

Adding a right to users is similar in concept to adding permissions to users in the File Access Manager Administrative Client.

Note

Capability management activities such as listing rights in each capability, adding rights to capabilities, and creating new capabilities are performed in the database. These permission changes can be added with the assistance of SailPoint Professional Services or Partners.

Identify the right according to the path within the application to the screen, panel, button and/or functionality to which we want to define the right.
Assign the user a capability that has this right, using one of the following methods:

Method	Database	Web Client
1	Find a capability that has this right.	Assign the capability to the user. master
1 results	This adds all the other rights in this capability to the user as well. master or
2	Add this right to an existing capability.	Add this capability to the user, if necessary.
2 results	The added permission is granted to all users that have this capability. master or
3	Create a new capability that includes this right.	Add it to the user. master