Proprietary Application Permissions Collection (Homegrown Apps)
Proprietary applications can be commercial off-the-shelf applications or applications that an organization has developed in-house.
The Collector Synchronizer Service is the software component responsible for analyzing the permissions of a homegrown application.
To model, analyze, and collect the permissions for a homegrown application, File Access Manager must have information on the following data types.
Note: This information may include from where to bring this data type, its unique identifier, and other data type fields to query later:
- User - the list of all the Application’s Users
- Group - the list of all the Application’s Groups, and their parent-child nesting (if any)
- User-Group Relationships - which Groups contain which Users (or which users are members of which group)
- Permission Types - all the possible permission types for the application (for example, Read, Write, Full Control)
- Business Resources - the list of all the Business Resources of the application, and the hierarchy parent-child relationships (if any) of the business resources
- Group-Permission Type-Business Resource Relationships - if the application allows granting permissions through Groups, File Access Manager must know which group provides which permission type on which business resource (for example, the Technical Write Group grants Full Control Permission on the Documents folder).
- User-Permission Type-Business Resource Relationships - if the application allows granting direct user permissions to business resources, File Access Manager needs to know which users are assigned which permission type on which business resource (for example, John has direct Full Control permission on the Documents folder).
The first step in defining a Permissions Collection for a homegrown application involves determining from where to bring the above information. First, define one or more Data Sources for each data type (using a simplified, single data source for all the data types above, as shown in the example below). The data source tables will be used to map various entities when the Permissions Collection process is defined later.
For example, it is possible to easily map a homegrown application that uses LDAP as the identity store and an RDBMS for the rest of the information by:
- Defining one or more data sources to bring the information on the Users, Groups, and User-Group relationships, and
- Defining another data source to collect the information on the business resources, permission types, and the user/group-permission type-business resource relationships
The table below lists sample permissions data in a single Data Source table.
User Name | Group Name | Permissions Type | Business Resource |
---|---|---|---|
Jonathan | Technical Writer | Full Control | Docs\Guides |
John | Technical Writer | Full Control | Docs\Guides |
Matt | Engineer | Full Control | R&D |
Avi | QA | Read | R&D |
The table below lists the distinct columns for each type of Data Source mapping. As the table shows, there are four distinct users, three distinct groups, two distinct Permission types, and two distinct business resources.
User | Group | Permission Type | Business Resource |
---|---|---|---|
Jonathan | Technical Writer | Full Control | Docs\Guides |
John | Engineer | Read | R&D |
Matt | QA | | |
Avi | | | |
The example above shows a homegrown application that has no direct user permissions and no nested groups, but does have hierarchical business resources delimited by the ‘\’ character. The following example examines the relationships between data types.
Group | Members |
---|---|
Technical Writer | Jonathan, John |
Engineer | Matt |
QA | Avi |
Group | Permission Type | Business Resource |
---|---|---|
Technical Writer | Full Control | Docs\Guides |
Technical Writer | Full Control | Docs\Guides |
Engineer | Read | R&D |
QA | Read | R&D |
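The derivation above, as an added example that is not part of the original page or of File Access Manager: starting from the single Data Source table, the functions below extract the four distinct entity lists, the User-Group and Group-Permission Type-Business Resource relationships, the parent-child resource hierarchy split on the ‘\’ character, and (going one step beyond the page's example) the effective per-user permissions once a direct user permission is also present. The sample rows and the direct permission for John are constructed from the page's own examples.

```python
from collections import defaultdict

# Constructed sample rows, copied from the page's single Data Source table:
# (user, group, permission type, business resource)
SAMPLE_ROWS = [
    ("Jonathan", "Technical Writer", "Full Control", r"Docs\Guides"),
    ("John", "Technical Writer", "Full Control", r"Docs\Guides"),
    ("Matt", "Engineer", "Full Control", "R&D"),
    ("Avi", "QA", "Read", "R&D"),
]
# Constructed direct user permission, taken from the page's "John has direct
# Full Control permission on the Documents folder" example.
DIRECT_USER_ROWS = [("John", "Full Control", "Documents")]

ENTITY_NAMES = ("users", "groups", "permission_types", "resources")

def distinct_entities(rows):
    """The four entity lists the collector must know, keeping first-seen order."""
    return {name: list(dict.fromkeys(col)) for name, col in zip(ENTITY_NAMES, zip(*rows))}

def group_members(rows):
    """User-Group relationship: group -> member users, without duplicates."""
    members = defaultdict(list)
    for user, group, _, _ in rows:
        if user not in members[group]:
            members[group].append(user)
    return dict(members)

def group_permissions(rows):
    """Group-Permission Type-Business Resource relationship, deduplicated."""
    return sorted({(group, perm, res) for _, group, perm, res in rows})

def resource_hierarchy(rows, sep="\\"):
    """Child -> parent for business resources delimited by the '\\' character;
    a top-level resource maps to None."""
    parents = {}
    for *_, res in rows:
        parts = res.split(sep)
        for depth in range(1, len(parts) + 1):
            child = sep.join(parts[:depth])
            parents[child] = sep.join(parts[:depth - 1]) or None
    return parents

def effective_permissions(rows, direct_rows=()):
    """User -> sorted (permission type, resource) pairs, combining permissions
    granted through group membership with direct user permissions."""
    members = group_members(rows)
    effective = defaultdict(set)
    for group, perm, res in group_permissions(rows):
        for user in members.get(group, []):
            effective[user].add((perm, res))
    for user, perm, res in direct_rows:
        effective[user].add((perm, res))
    return {user: sorted(pairs) for user, pairs in sorted(effective.items())}
```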
Creating a Homegrown Application
To create a homegrown application (as part of the configuration of a permission collector):
- In the administrative client, go to Application > New > Application.
  The New Application Wizard displays.
- Select Proprietary - Use this to add a Homegrown application.
- Type the application type in the Application Type field.
  Note: If there are no application types, select the Create New Application Type link.
- Enter the following information:
  - Name - Name of the Application Type
  - Description - Description of the Application Type
  - Active Directory Authentication Yes/No - Whether or not to perform AD authentication and use an AD Identity Collector. Applications of the same application type share the same permission types, and you define a permission types collector for each application type.
- Select Save.
- Select Next.
  The General Details window displays. Enter the following information:
  - Name - Name of the Application Type
  - Description - Description of the Application Type
  - Container - Name of the selected Container
    If there is no suitable container, select to create a new one.
  - Identity Collector - Name of the identity collector to link to
    If there is no suitable identity collector, select to create a new one.
- Select Next.
  The Permissions Collector Scheduling window displays.
- To end the New Application Wizard without creating a schedule, select Finish.
- To create a schedule, check the Create a Schedule check box, and enter the scheduling details:
- Select Finish.
  A successful completion notice displays.
- Select Open Permissions Collection Wizard to configure Permissions Collection parameters.
- Select Close to close the Wizard without configuring permissions collection parameters.
Configuring the Permissions Collector
To open the Permissions Collector Configuration wizard:
- Select Open Permissions Collection Wizard at the end of the Homegrown Application definition, or
- Select a homegrown application into the context by double-clicking it, and then select Permissions Collection.
The Permissions Collection Wizard displays.
- Select Next to open the Identities Collection window.
  - Use Existing Collector - Select a collector from the dropdown list
  - Edit the Selected Identity Collector - To edit an existing collector
  - Create a New Collector - To create a new collector
- If you want to create a new collector, check the This application uses Groups check box in the Groups Configuration section if applicable. Unchecking this box removes the need to map the Group data or the Group-Permission Type-Business Resource relations, and you can skip those steps in the wizard.
  If you chose to create a new collector, the Identity Collector: Users Collection (1 of 3) page displays.
  Under Main Data Source, the Data Source displays automatically.
- Under Mandatory Fields, select a User Name from the dropdown menu.
- Under Optional Fixed Fields, check the check box next to each relevant optional fixed field, and select the field from the corresponding dropdown menu.
- Select Next to open the User Collection (2 of 3) screen.
- Under Fields Mapping, select a field from the Dictionary Field dropdown menu (or if none exists, select Create a new Field next to Fields Mapping).
- Select a field from the Mapped Field dropdown menu.
- Select Next.
  The Identity Collector: Users Collection (3 of 3) displays.
- If relevant, under Users Tree, check the Should the users tree be grouped box. This affects how the users appear in the Users Tree under the Advanced Forensics Control.
- If you checked that box, select a field grouping from the Field dropdown menu.
- If relevant, under Unique User Accounts Mapping, check the Use a field to map between accounts of the same user box.
- If you checked that box, select the field from the Field dropdown menu.
- Select Next.
  The Identity Collector: Groups Collection (1 of 2) window displays.
  Under Main Data Source, the Data Source displays automatically.
- Under Mandatory Fields, select a Group Name from the dropdown menu.
- Under Optional Fixed Fields, check the check box next to each relevant optional fixed field, and select the field from the corresponding dropdown menu.
- Select Next.
  The Identity Collector: Groups Collection (2 of 2) displays.
- Under Fields Mapping, select a field from the Dictionary Field dropdown menu (or if none exists, select Create a new Field next to Fields Mapping).
- Select a field from the Mapped Field dropdown menu.
- Select Next.
  The Groups Hierarchy Support window displays.
- Select This Identity Collector uses Groups Hierarchy if relevant.
- Under Main Data Source, the Data Source displays automatically.
- Under Mandatory Fields, select a Child Group Name and a Parent Group Name from their respective dropdown menus.
- Under Mandatory Fields, select a Parent Group Name from the dropdown menu.
- Under Optional Fixed Fields, check the check box next to each relevant optional fixed field, and select the field from the corresponding dropdown menu.
- Select Next.
  The Identity Collector: Users Membership in Groups (1 of 1) window displays.
- Under Main Data Source, the Data Source displays automatically.
- Under Mandatory Fields, select a Group Domain Name, Group Name, and Username from the respective dropdown menus.
- Under Mandatory Fields, select a Parent Group Name from the dropdown menu.
- Under Optional Fixed Fields, check the User Domain Name check box if relevant, and select the field from the corresponding dropdown menu.
- Select Next.
  The Business Resources Collection (General) window displays.
- Select This application uses Business Resources if applicable.
  Note: If you do not check this check box, File Access Manager creates a Business Resource (in the background) and associates it with all permissions.
- Type the name in the Name field.
- Select Next to open the Business Resources collection.