Managing File Access Manager Users
All the users of the business resources you want to monitor are potential File Access Manager users.
You need administrators to configure and monitor the system, and data owners for particular areas of the business resources to verify that the users (employees, bots, and other entities) who require access to resources under their control have the appropriate access, and that other users do not.
This chapter describes how to create, delete, manage, and authorize users in File Access Manager. It also discusses several processes available under the System tab.
- User access terminology
- Creating and deleting users
- Managing roles
- Capabilities
- Scope
User Access Terminology
File Access Manager users have two main characteristics that determine their abilities in the system: permissions and scope.
Permissions
Permissions determine what a user has rights to, mainly in terms of screens the user can access, and actions the user can perform on each screen.
Naming convention - in most cases, the name is the path to the screen or button being permitted.
Permission name - the path in the File Access Manager Administrative Client.
Right name - the path in the File Access Manager website.
Scope
Scope determines which application, and which business resources within each application, a user has a right to perform these actions on. Scope defines the business resources that the user is allowed to see on the screens, run reports on, or use in any other activity enabled by the user’s permissions.
For example, an Auditor has the right to run all reports, but only on the data limited by the scope assigned to them.
As stated previously, these access parameters are configured separately for the File Access Manager Administrative Client and the File Access Manager website. The terms in the table below are used in each user interface.
Application | Allowed screens and actions | Allowed resources |
---|---|---|
File Access Manager Administrative Client | Role and permissions within roles | Data Role |
File Access Manager website | Capability and rights within capabilities | User Scope |
Permission - Defines a page or activity on a screen in the application the user can access.
Capability - An aggregation of permissions.
Users - Assigned to one or more capabilities.
User
The user is an object that represents an account associated with a permission.
Standard user attributes include:
- User type - User, orphan, or local.
- User disabled / enabled - Whether the user account is enabled or disabled in the managed application or the identity store.
- User domain - The security domain in the identity store in which the user is defined. For example, you can define the identity store as an Active Directory forest, in which you define the User in one of the domains of the forest.
User data is commonly part of an identity collector connected to a relevant identity store.
For example, when an identity store is set as an organization's Active Directory, extended attributes may be Department and Manager.
Capability
A capability is a set of rights. Assigning a capability to a user grants them these rights.
A right allows a user to perform an action in the File Access Manager Administrator Guide, such as pressing a button or opening a page, or in the File Access Manager website, such as using the navigation menu. If the user lacks a right, the relevant page or button is either unavailable or grayed out.
Since a user can be associated with multiple capabilities, the user’s rights are the total of all the user’s rights in all the user’s capabilities.
Important
Administrators in the administrative client are admins in the File Access Manager website as well. Administrators in File Access Manager website, on the other hand, are not automatically administrators in the administrative client.
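The access model described above (rights as the union of a user's capabilities, scope as a separate limit on resources, and administrator status carrying from the Administrative Client to the website but not back) can be sketched as follows. This is an added illustration, not File Access Manager code or its API; the right names, the Reviewer capability, the application name, the resource paths, and the users are constructed for the example.

```python
from dataclasses import dataclass, field

ADMIN = "Administrator"  # capability named on the page

# Constructed catalog: interface -> capability -> rights (right names are made up).
CATALOG = {
    "client": {ADMIN: {"Applications > Configure", "Users > Manage"}},
    "website": {
        ADMIN: {"Reports > Run", "Settings > Capabilities"},
        "Auditor": {"Reports > Run"},
        "Reviewer": {"Access Reviews > Approve"},
    },
}

@dataclass
class User:
    name: str
    capabilities: dict = field(default_factory=dict)  # interface -> capability names
    scope: dict = field(default_factory=dict)  # interface -> application -> path prefixes

def effective_rights(user, interface, catalog=CATALOG):
    """Union of the rights of every capability the user holds in one interface."""
    caps = set(user.capabilities.get(interface, ()))
    # Administrative Client administrators are website administrators too, not the reverse.
    if interface == "website" and ADMIN in user.capabilities.get("client", ()):
        caps.add(ADMIN)
    rights = set()
    for cap in caps:
        rights |= catalog[interface].get(cap, set())
    return rights

def in_scope(user, interface, application, resource):
    """True if the resource sits at or under a prefix in the user's scope."""
    prefixes = user.scope.get(interface, {}).get(application, ())
    return any(resource == p or resource.startswith(p.rstrip("/") + "/") for p in prefixes)

def is_allowed(user, interface, right, application, resource):
    """Both checks must pass: the right is held and the resource is in scope."""
    return right in effective_rights(user, interface) and in_scope(
        user, interface, application, resource)

# Constructed sample users.
auditor = User("auditor1", {"website": ["Auditor", "Reviewer"]},
               {"website": {"FileShare01": ["/finance"]}})
client_admin = User("admin1", {"client": [ADMIN]})
web_admin = User("webadmin1", {"website": [ADMIN]})

if __name__ == "__main__":
    print(sorted(effective_rights(auditor, "website")))
    print(is_allowed(auditor, "website", "Reports > Run", "FileShare01", "/hr/payroll.xlsx"))
```

When reviewing access, evaluate both halves: a user with a broad capability but a narrow scope, or the reverse, can look harmless if only one is inspected.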
Role-Based Access Control
Capabilities can be created and configured to fit your needs. This is best done during the File Access Manager installation phase.
Note
Except as stated above, capabilities apply only to the interface in which they are assigned.
At least one super user (a user with the capability of Administrator) should be defined as an Administrator, with access to both the File Access Manager Administrative Client and File Access Manager website systems. You must first define an Administrator with the assigned capability of Administrator in the File Access Manager Administrative Client before that Administrator can access File Access Manager website.
After logging into the File Access Manager website, an Administrator can assign different capabilities to users in the File Access Manager website. This is done by completing the steps below.
In the Administrative Client:
- Log in as the system user.
- Create administrator user or users.
- Log in as an administrator user.
- Change the system password.
- Optionally, you may now go to the File Access Manager Database and create custom capabilities.
In the File Access Manager website:
- Log in as an administrator user.
- Assign user access within the web client.
- Manage capabilities by assigning functionality and screen access.
- Manage user scope by defining the applications and directories a user is allowed to access.
Return to the Administrative Client if you want to complete the optional step of assigning user access, including roles (assigning functionality) and data roles (defining valid applications), within the Administrative Client.
Security Objects
The File Access Manager security objects include:
- User
- Role
- Data Role