Skip to content

Configuring Access Fulfillment

The following subsections describe the available actions associated with the Access Fulfillment configuration.

Configure Access Fulfillment Requests Commit Schedule

Commit schedule defines when to run pending normalization requests (which can be during non-working hours so it will not affect end users).

To define the Access Fulfillment Requests Schedule, perform the following steps:

  1. In the administrative client, go to Access Fulfillment > Configuration > Configure Access Fulfillment Requests Commit Schedules.

    The Access Fulfillment Requests Commit Schedules window displays.

  2. In the Resource Normalization Requests field, select the day and time for this schedule.

    Tip

    Schedule normalization of new managed resources for off-peak hours; otherwise, it might overload the system.

  3. In the Other Fulfillment Requests field, enter the time cycle in minutes for this schedule.

  4. Select Save.

Configure Access Fulfillment Groups Naming Convention

This activity configures the naming convention for groups created during the normalization process of a business resource

To configure Access Fulfillment Groups Naming Convention, perform the following steps:

  1. In the administrative client, go to Access Fulfillment > Configuration > Configure Access Fulfillment Groups Naming Convention.

    The Access Fulfillment Groups Naming Convention window displays.

  2. Enter the relevant data in the following fields:

    • Resource Group Name

    • Resource Group Description

    • Template Group Name

    • Template Group Description

    Notes

    • The name must contain the variables %Seq% and %PermType%.
    • Template group names cannot contain the variables %ResName% or %ResPath%.
  3. Select Save.

Removing Explicit Permissions from Business Resources

Explicit, or direct, permissions can be removed from a Business Resource (BR) without running the normalization process on it.

Note

This option is only available for BRs that support fulfillment. BRs that do not support fulfillment will not have a Fulfillment tab on the Application Wizard.

The following guidelines apply to the removal of explicit permissions:

  • The application should be configured to support the removal of explicit permissions.
  • Only explicit permissions (ACEs) can be removed. An ACE is a permission set directly on a resource, which can include any domain user/group, local user/group, special groups, such as Everyone/Authenticated Users, or orphan accounts. Permissions inherited from a parent resource, or granted to a specific user through a group, cannot be removed.
  • Explicit permissions of normalized groups, created and managed by File Access Manager, cannot be removed.
  • Only Active Directory users with the Administrator capability can remove explicit permissions.

Supported Applications

Access fulfillment for Removal of explicit Permissions is supported for the following CIFS applications: Windows, NetApps, EMC Celerra CIFS, Isilon, and HDS.

Enabling Removal of Explicit Permissions

To enable removal of explicit (direct) permissions on a specific application:

  1. Open the configuration screen of the required application.
  2. Go to Admin > Applications
  3. Scroll through the list, or use the filter to find the application.
  4. Select the Edit icon on the line of the application.
  5. Press Next until you reach the Access Fulfillment settings page.

    Note

    The setting pages and entry fields vary according to the application type.

  6. Select Enable Access Fulfillment for Revoking Explicit Permissions.

  7. Select Next or Done to leave the configuration page.

Removing Explicit Permissions

It is possible to remove explicit permissions in the Permissions Forensics page and in campaigns.

Removing Explicit Permissions in Campaigns

  1. Create and save a Permissions Query in the Forensics > Permissions screen.

  2. Go to Compliance > Access Certification:

  3. Create a campaign using the Permission Query.

  4. From Summary > Fulfillment Process, select Edit.

  5. Select Fulfill Permissions Revoke Requests.

  6. Select Save and Run the Campaign.

Access Requests for permission removal are the results of campaign reviewers’ reject decisions.

Once the review process for Access Requests is finished, the system removes all direct permissions on supported applications from the relevant BRs.

Monitoring the Progress of Permission Removal

Access Fulfillment is created for each direct permission marked for removal. To monitor progress, in the administrative client, go to Access Fulfillment and filter the Fulfillment Requests by Action “Remove Permission.”

Access Fulfillment Advanced Forensics Control (AFC) Filter

To operate the AFC for access fulfillment, perform the following steps:

  1. In the administrative client, go to Access Fulfillment.

  2. Select the relevant data from the following dropdown menus in the Fulfillment Request section:

    • Action (default is “All”)

    • Status (default is “Not Completed”)

    • Issued By

    • Issue Date (Preset or Period)

    • Request ID

  3. Double-click on the field next to each of the field types in the Fulfilled Permission section, and select the relevant data:

    • Application

    • Resource

    • Group

    • User

    • Permission

    Note

    The selections that open when you double-click on each field display the number of each item, and provide a dropdown menu, in which you can select the number of items to display for each field type.

  4. Select Close after you have selected each field selection.

  5. Select Apply to activate the filters or Select Clear Filter to clear the filter parameters.

Access Fulfillment Actions

Access Fulfillment actions involves the viewing of fulfillment requests and their statuses.

To specify Access Fulfillment Actions, perform the following steps:

  1. In the administrative client, go to Access Fulfillment > Actions.

  2. Double-click on a business resource to view a detailed log of the resource, and to determine (if possible) where an error has occurred.

    Note

    A configured user must have Full Control of a business resource to perform normalization on it.

  3. Select one of the following actions:

    • Retry - retry a failed Access Fulfillment Request.

    • Fulfill Now - ignore the regular schedule and fulfill now.

    • Cancel Fulfillment - cancel the fulfillment.

    • Rollback - undo changes caused by a successfully fulfilled access fulfillment request.

    • Rollback Now - ignore the regular schedule and rollback now.