
Normalization Process

The normalization process reconfigures permissions into dedicated groups. Once a resource is normalized, we can automatically fulfill access certification campaigns and requests.

Normalized resources are enabled and relevant only for applications that support fulfillment.

Every resource managed by File Access Manager (except for AD groups) must go through a normalization process.

  • The system creates and sets managed permission groups with the correct permissions on the resource.
  • The system distributes users with permissions on a resource among the managed permission groups, based on their current access levels. (The action applied to an inexact permission match can be customized.)
  • The resource inheritance of permissions is set to false.

After successful normalization, it is possible to change resource permissions by:

  • Access Request: whether self-issued, or as the result of an access certification campaign (Access Revoked).
  • An approved What-If simulation: one that a logged-in user has been requested to fulfill.

Managing Normalized Resources

Normalized resources are enabled and relevant in the following conditions:

  1. Applications that support fulfillment
  2. Enabling Access Fulfillment for an Application

To access the Manage Normalized Resources page:

  1. Go to Admin > Applications.
  2. Locate the required application to which you want to add resources.
  3. Select the dropdown list on the application row, and select Manage Normalized Resources.

    This will open the Manage Normalized Resources page.

  4. The Normalized Resources page lists resources in this application that are normalized, or pending normalization.

    Name

    Name of the managed resource.

    Full Path

    Path name

    Status

    Provides the status of the uploaded resources.

    Actions

    The Actions column provides the Manage gear which gives the option to manage the normalization.

    Search by name or full path

    User can search by the resource name or the full path.

    Note

    The normalization process is still done within the Admin Client. There is another option to set a resource for a normalization using the Manage Resources screen.

    Global Options menu

    • Bulk Set

      Allows the user to upload a list of resources to be normalized and become managed by File Access Manager. These resources will then be queued and the Normalization engine in the Permission Collection Engine will pick them up one by one, normalize their permissions and mark them as managed.

      See Adding or Removing Resources in Bulk

    • Bulk Remove

      Removes the managed state from a list of resources. They are no longer considered normalized.

      See Adding or Removing Resources in Bulk

    • Generate Report

Editing Normalized Resources

Normalized resources are enabled and relevant only for applications that support fulfillment.

In the Manage Normalized Resources page you can change the following properties for resources:

  • Disable normalization for this resource
  • Determine the method of handling inexact permissions matches during a normalization process

Editing the properties of Normalized Resources:

  1. Go to Admin > Applications.
  2. Locate the required application to which you want to add resources.
  3. Select the dropdown menu on the application row, and select Manage Normalized Resources.

    This will open the Manage Normalized Resources page.

  4. Locate the resource to edit, and press the Actions menu on the resource row.

This will open the Enable Normalization for this Resource panel.

Disabling normalization for this resource

Uncheck Enable Normalization for this Resource.

This will remove normalization from the resource, and remove the resource from the Manage Normalized Resources page.

To enable normalization for this resource once it has been removed, you can use one of the following methods:

  • Add it to a CSV file, and upload it using Bulk Set Normalized Resources. See Adding or Removing Resources in Bulk
  • Set the resource to Enable Normalization for this Resource in the Manage Resources page.

Setting the methods of handling inexact permissions matches during a normalization process

As part of the normalization process for a resource to be managed, File Access Manager attempts to match every existing permission to one of the managed permission types. This attribute decides what to do when a granted permission is not an exact match for one of the managed ones.

Select one of the following methods of handling inexact permissions matches during a normalization process:

  • Fail the normalization process - this is the default behavior
  • Elevate to the nearest permission match
  • Revoke the permission

Adding or Removing Resources in Bulk

Normalized resources are enabled and relevant only for applications that support fulfillment.

You can add or remove resources to normalize one at a time, or provide a csv file with a list of resources to normalize or remove from the normalization process.

  1. Create a list of resources with a header, and save it as a csv file.

    Format:

    Resource Full Path

    \\fileServer\share

    \\fileServer\share1

    Important

    The .csv file should be in UTF-8 encoding.

  2. Go to Admin > Applications.

  3. Locate the required application to which you want to add resources.
  4. Select the dropdown list on the application row, and select Manage Normalized Resources.

    This will open the Manage Normalized Resources page.

  5. On the Global Options menu, select Bulk Set or Bulk Remove.

    This will open the Bulk Set / Remove Resources to Normalize page.

  6. Select Choose a file to select the CSV file from your computer, or drag it onto the input panel.

  7. Select Upload.

    Note

    The CSV file for the Administrative Client should be in UTF-8 encoding.

A popup will open listing errors in the input file.

The files added for normalization will be listed in the normalized resources page as "Pending Normalization" until the normalization task is completed successfully.
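
A pre-upload check for the bulk CSV described above, as an added example (not part of File Access Manager). It checks the two requirements the page states, UTF-8 encoding and the `Resource Full Path` header; the one-column and duplicate checks, and the name `check_bulk_csv`, are assumptions of this sketch.

```python
import csv
import io

EXPECTED_HEADER = "Resource Full Path"  # header shown in the format above

def check_bulk_csv(data: bytes):
    """Return a list of problems found in a bulk set/remove CSV (empty = clean)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"not UTF-8: invalid byte at offset {exc.start}"]
    text = text.lstrip("\ufeff")  # tolerate a byte-order mark
    rows = list(csv.reader(io.StringIO(text, newline="")))
    if not rows or [c.strip() for c in rows[0]] != [EXPECTED_HEADER]:
        return [f"first line must be the header {EXPECTED_HEADER!r}"]
    problems, seen = [], {}
    for lineno, row in enumerate(rows[1:], start=2):
        if not row or not "".join(row).strip():
            continue  # skip blank lines
        if len(row) != 1:
            problems.append(f"line {lineno}: expected one column, found {len(row)}")
            continue
        path = row[0].strip()
        # Assumption: paths differing only in case or a trailing backslash
        # name the same resource and should be listed once.
        key = path.rstrip("\\").lower()
        if key in seen:
            problems.append(f"line {lineno}: duplicate of line {seen[key]}")
        else:
            seen[key] = lineno
    return problems

# Constructed sample using the paths from the format above.
SAMPLE = b"Resource Full Path\r\n\\\\fileServer\\share\r\n\\\\fileServer\\share1\r\n"
```
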

Normalization and Access Fulfillment

The following subsections discuss various aspects of normalization and management in Access Fulfillment activities.

Normalization Process Concepts

Normalization is the process by which File Access Manager controls business resource permissions. An unmanaged business resource (BR) is made into a “managed” one by assigning it dedicated Domain Local AD groups that manage the access rights to that resource, using the following permission types:

  • [Group] - Full Control
  • [Group] - Modify
  • [Group] - Read and Execute
  • [Group] - List Folder Contents

The Local Users and Special groups listed below are excluded from the normalization process and will maintain their permissions on the normalized business resource:

  • Local Users
  • Domain Users (a domain group)
  • Local Groups
    • Everyone (includes Domain, Local, and Guest)
    • Authenticated Users (includes Domain and Local)

Normalization Process Steps

The Normalization Process consists of the following steps:

  • Use the identity collection and permissions analysis capabilities to gather (read) information about the identities' current access rights to the resource being normalized.
  • Expand groups and nested groups.
  • Calculate effective permissions.
  • Create managed groups and associate users with managed groups.
  • Assign BR permissions to managed groups.

Normalization Process Examples

Example 1:

The Finance Group within C:\Finance has Full Control permissions, and User A has requested access to read permissions on C:\Finance.

An Administrator can grant User A the requested access either by:

  • Granting User A Read permissions or
  • Joining User A to the Finance Group

Analysis:

There are disadvantages to both methods, and neither is good business practice. If User A has Read rights to a BR, those rights will not be manageable and, as such, will not be eligible for the Normalization process. On the other hand, joining User A to the Finance Group will automatically give User A all the permissions available to the members of the Finance Group. In both scenarios, User A will have rights over which File Access Manager will not have complete control.

Example 2:

The Finance Group includes User A, User B, and User C, each of whom has Full Control permissions.

The C-Level Executive Group includes User A, User D, and User E, each of whom has Read permissions.

Analysis:

User A has both Full Control permissions in the Finance Group and Read permissions in the C-Level Executive Group, since User A (and the other users) retains the same permissions before and after the Normalization process. The system can now manage Full Control Permissions in the Finance Group and Read permissions in the C-Level Executive Group for other users requesting access to those types of permissions in each group.

Normalization Process Challenges

Expand Groups and Nested Groups

The Identity Application represents either a single domain or multiple domains that are in a trust relationship. If these domains are not synchronized through the Identity Collector, it will not be possible to expand nested groups, and the Normalization process will fail.

Calculate Effective Permissions

The calculation of effective permissions may become complicated when users are members of more than one group with permissions allowed in one group, but denied in another group.

Scenario 1:

Group A is allowed Full Control permissions on a BR and Group B is denied Modify permissions on that BR. Assume that User A belongs to both Group A and Group B.

Due to the permissions conflict created by User A’s membership in both Group A and Group B, User A will have Full Control permissions except for Modify permissions, which leaves User A with only Read and Execute permissions.

Scenario 2:

User B requests access to Read and Execute permissions and to Delete permissions. Remember that Modify permissions include Read and Execute permissions. An administrator can either fail the normalization process, elevate to the nearest permission match, or revoke the permission.

The table below summarizes the results of each action involving the calculation of effective permissions.

Action                                     Result
Fail the normalization process             User B has no permissions.
Elevate to the nearest permission match    User B has Modify permissions (Read and Execute, Write, and Delete).
Revoke the permission                      User B has only Read and Execute permissions.
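
The three inexact-match policies from the table, worked through as an added example (a model for reasoning about the outcome, not File Access Manager's own code). The rights sets are a simplified assumption rather than real NTFS access masks, and `resolve`, `Policy` and `NormalizationFailed` are hypothetical names.

```python
from enum import Enum

# Simplified rights model: an assumption for illustration, not real NTFS masks.
LIST = frozenset({"list"})
READ_EXECUTE = LIST | {"read", "execute"}
MODIFY = READ_EXECUTE | {"write", "delete"}
FULL_CONTROL = MODIFY | {"change_permissions", "take_ownership"}

# The four managed permission types, narrowest first.
MANAGED_TYPES = [
    ("List Folder Contents", LIST),
    ("Read and Execute", READ_EXECUTE),
    ("Modify", MODIFY),
    ("Full Control", FULL_CONTROL),
]

class Policy(Enum):
    FAIL = "Fail the normalization process"
    ELEVATE = "Elevate to the nearest permission match"
    REVOKE = "Revoke the permission"

class NormalizationFailed(Exception):
    """No managed type can be chosen for these rights under the policy."""

def resolve(rights, policy=Policy.FAIL):
    """Return (managed type, rights gained, rights lost) for one identity."""
    rights = frozenset(rights)
    if policy is Policy.ELEVATE:
        # Narrowest managed type that covers every right currently held.
        fits = [(n, m) for n, m in MANAGED_TYPES if rights <= m]
    elif policy is Policy.REVOKE:
        # Widest managed type fully contained in the rights currently held.
        fits = [(n, m) for n, m in reversed(MANAGED_TYPES) if m <= rights]
    else:
        fits = [(n, m) for n, m in MANAGED_TYPES if m == rights]
    if fits:
        name, managed = fits[0]
        return name, managed - rights, rights - managed
    if policy is Policy.REVOKE:
        return None, frozenset(), rights  # nothing manageable remains
    raise NormalizationFailed(f"no managed type for {sorted(rights)}")

# Scenario 2 (constructed input): Read and Execute plus Delete.
USER_B = READ_EXECUTE | {"delete"}
```

For User B, the "gained" set under Elevate is Write, which is the extra access a reviewer accepts by choosing that policy; under Revoke the "lost" set is Delete.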

Normalization Process Results

User C submits an access request to have Read and Execute permissions to the Finance Group. All relevant reviewers reviewed and approved User C’s request. If Read and Execute permissions to the Finance Group are a managed business resource, the system automatically executes access fulfillment, and User C will belong to the Finance - Read and Execute Group.

Managed Resource

File Access Manager manages the access permissions of managed resources.

Managed Permissions Group

This Active Directory (Domain Local) group includes users granted a specific permission type on a managed resource. It is possible to create Managed Permission Groups per managed permission type or per managed resource.