Scope
The scope determines what applications and resources a File Access Manager user can access and run reports on within the application.
Assigning Scope to Users
Scope is assigned to users in the administrative client by assigning a data role to them. Data roles can be defined in terms of applications that the user has access to. See details below.
User scope can be assigned to users in the web client. Data scope can be defined in terms of folders within an application that the user can access. See User Scope - Web Client scope.
Data Role - Administrative Client Scope
A data role lists the applications that a user can access in the File Access Manager Administrative Client.
Managing Data Roles
Users can be associated with one or more data roles, and are able to access all the applications in every data role with which that user is associated.
User access to data roles - The user’s ability to query applications, such as Activities or Permissions, visible in the resource tree.
Listing and Deleting Data Roles
To list data roles, perform the following steps:
- In the administrative client go to Applications > Configuration > Manage IdentityIQ FAM Permissions > Data Roles.
- The Data Roles window displays.
- To delete a data role, select a data role and select Delete.
Creating and Modifying Data Roles
To create or modify data roles, perform the following steps:
- In Administrative Client, go to Applications > Configuration > Manage IdentityIQ FAM Permissions > Data Roles. A Data Roles window displays.
- Select New to create a new data role.
- Select Edit to edit an existing data role.
- Fill in a name and description for the data role.
- Create a list of applications that this data role is allowed to access by selecting applications from the Available Applications column and moving them to the Data Role Applications column.
User Scope - Web Client Scope
Assigning User Scope to Users
There are several ways of assigning scope to users in the File Access Manager.
- Administrators are assigned the Full Scope resource allocation (see below) automatically when they are assigned the Administrator capability.
- Bulk assignment of user scope, using Import User Scope (see below).
The Full Scope Resource Allocation
- The Full Scope resource allocation is an administrator-level allocation, to allow broad view and general system-wide statistics of the business resources.
- Full Scope is added automatically to Administrator users. It can also be added through the user scope import Settings > Capabilities > Import User Scope.
- You cannot remove the Full Scope capability from users who are Administrators, even by using Import User Scope. To create an administrator that has less access than Full Scope, clone the Administrator capability and upload the required coverage using User Scope Import.
What It Allows
Access to all resources in the dashboard and reports.
What It Does Not Allow
- Users with Full Scope who are assigned with the Data Owner capability are not data owners of the entire scope, but only of any user scope that is allocated to them specifically. This includes approving data owner requests, approving access requests, etc. See Business Resource Owners.
- Drilling down from statistics in the Data Owner Dashboard allows you to view only the resources to which this user has direct allocation. This means that in some cases, drilling down from a chart on the dashboard will display detailed charts of the partial scope that do not add up to the totals that were on the dashboard charts showing the full scope.
If an admin user has no directly allocated resources, the user receives an error message and an empty chart.
Importing User Scope
Users can be assigned resources in bulk, using a one time or scheduled import process.
The list of users and scopes assigned to them are input when configuring the Data Source within the website under Admin > Data Sources. The data source could be any of the supported data sources, such as an Excel file or database table. The upload process setup includes mapping the source data fields to the File Access Manager user scope fields.
Note
The Import User Scope functionality supports changes and adjustments to existing scopes. New imports do not override existing scopes and manually-set data owners, but will retain or adjust the existing scope assignments based on the specified action. There is an Action field that displays one of four possible values:
- Add - adds the resource to the User's Scope. This action can either have a full scope or a resource. If a resource is specified, the full scope is ignored. If a resource is empty, the full scope field must be true.
- Remove - removes the resource from the User’s Scope. This action can either have a full scope or a resource. If a resource is already specified, the full scope is ignored. If a resource is empty, the full scope field must be true.
- Clear - removes all resources from the user’s scope. This command does not need any data specified in the Application or Resource Full Path columns. This action can only have Full Scope set to True.
- Data Owner - functions in the same way as Add, but also adds the Data Owner capability to the user if they do not have it already. If the user already has the Data Owner capability, the Data Owner action simply functions as Add. This action cannot have a full scope. It must have a resource. Full scope is ignored and if the resource is empty, the line will be ignored as well.
To import user scope:
In the File Access Manager website, create a data source that contains the users and scope fields. See Creating Data Sources for a description on creating data sources.
Mapping the input fields is done at a later stage. The names of the fields and any additional fields in the input data source won’t affect the input process.
When setting the Full Scope parameter to True, the record cannot contain other parts of resources, such as Application Name and Full Path, since it already contains all paths and applications.
The input source should contain the following information:
Input field | Description |
---|---|
Application Name | Name of the application as it appears in File Access Manager |
Full Path | Full path of the resource |
Full Scope | True/False toggle for granting the user full scope access to all resources in File Access Manager |
User Domain, User Name | Domain and user name of the user receiving access |
Action | Actions related to resources, including Add, Remove, Clear, and Data Owner. |
Setting up the import process:
- In the File Access Manager website, go to Settings > Capabilities > Import User Scope to open the Import User Scope page.
  Note: There is an Excel template file within the website that serves as a basis for the data source. The template file contains explanations of the different actions. Select the provided link within the Import User Scope display for this preferred method.
- Select the data source from the dropdown list. This list contains data sources created in the administrative client.
- Map the fields in your file to the File Access Manager fields listed on the panel.
- Set the frequency of running the upload process.
- Set the recurrence parameters to Once or Periodically.
- Select Save or Cancel to exit.
Adding or removing the full scope takes effect the next time the user logs in. To force a user login, close the application and wait ten minutes for the system to time out and log the user out.
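The Action rules and input fields described above can be checked before an import is scheduled. The following is an added example, not part of the File Access Manager product or its documentation, that classifies each row and lists the ones an administrator should review, such as Full Scope grants and Data Owner assignments. It assumes the source data has been exported to CSV with column headers named after the input fields table, that the resource is the Full Path value, and that True may also be written as "yes" or "1"; the function names and outcome labels are hypothetical.

```python
import csv
import io

TRUE = {"true", "yes", "1"}  # assumed spellings of the True/False toggle
NEEDS_REVIEW = {"add-full-scope", "data-owner", "clear",
                "conflict", "ignored", "invalid"}

# Constructed sample rows, not real data.
SAMPLE = r"""Application Name,Full Path,Full Scope,User Domain,User Name,Action
Finance Share,\\fs01\finance\reports,False,CORP,asmith,Add
,,True,CORP,bjones,Add
Finance Share,\\fs01\finance,False,CORP,cdoe,Data Owner
,,False,CORP,dlee,Data Owner
,,False,CORP,ekim,Clear
HR Share,\\fs01\hr,True,CORP,fwu,Remove
,,False,CORP,gray,Add
"""

def classify(row):
    """Return the outcome the documented Action rules give one row."""
    action = (row.get("Action") or "").strip().lower()
    has_resource = bool((row.get("Full Path") or "").strip())
    full = (row.get("Full Scope") or "").strip().lower() in TRUE
    if action in ("add", "remove"):
        if has_resource:
            # Full Scope is ignored when a resource is given, but a Full Scope
            # record should not carry a resource at all, so flag the mix.
            return "conflict" if full else f"{action}-resource"
        return f"{action}-full-scope" if full else "invalid"
    if action == "clear":
        return "clear" if full else "invalid"  # Clear requires Full Scope = True
    if action == "data owner":
        return "data-owner" if has_resource else "ignored"
    return "invalid"

def review(csv_text):
    """List (line number, user, outcome) for rows that need a second look."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        outcome = classify(row)
        if outcome in NEEDS_REVIEW:
            user = f"{row.get('User Domain', '')}\\{row.get('User Name', '')}"
            findings.append((line_no, user, outcome))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```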