Skip to content

Using Permission Forensics

The Permission Forensics screen allows administrators to monitor and analyze user and group permissions. On this screen, you can create queries to analyze the permissions of specific groups of users, save and share queries for selecting users and groups, generate reports, run permission scans, and revoke explicit permissions of users.

This page supports reports and campaigns.

This component answers questions such as:

  • Which users have access to what resources?
  • Which users have not used the permissions granted to them?
  • Which permissions were granted to each group?
  • Which groups are not being used?

The table displays the permissions according to the level of granularity selected in the filter.

When creating a filter, you can define the granularity of the report using the View by field, and mark stale permissions on the table according to the unused time selected.

Note

The query retrieves the first 100,000 results. Narrow the search to obtain a better fit.

Reports - See [Generating Reports]

Filters - See [Filters: Creating and Editing a Forensics Query]

Viewing Permission Forensics

The Permission Forensics table displays the permissions retrieved by the query run.

By default, the data displayed includes the following columns for each permission:

    - Resource: Business resource full path
    - Application
    - User: User name
    - User Display Name
    - Group Name
    - User Domain
    - Group Domain
    - User Entity Type
    - Group Entity Type
    - Permission: Permission type
    - Classification Category
    - Is Inherited
    - Inherits Permissions
    - ACL Type Allowed?
  1. To change the order of the columns, drag the column titles.
  2. To select columns to display, select the column chooser icon on the table header bar.
  3. Select the columns to display from the dropdown list.
  4. Click Show All / Show Less to display a full list of columns or only the default columns in the column chooser. This does not change the selection of columns to display in the table.
  5. Use the search field to narrow down the list of columns in the column chooser.
  6. Click Reset Columns to reset to the default selection and order of the columns in the table.

The default view is the Users and Groups view.

You can change the granularity of the output by selecting the View By type. These options determine whether to check a user’s direct permissions or permissions granted by groups the user belongs to, as described below:

  • Groups & Users Direct Permissions: This view displays direct Users’ and Groups’ permissions but does not display the Group members.
  • Users Direct & Group Membership Permissions: This view displays user permissions based on direct permission, group membership, and nested group membership. This view doesn't list the users in the groups Everyone and Authenticated Users.
  • Everyone Groups Expanded, Users Direct & Group Membership Permissions: This view displays user permissions based on direct permission, group membership, and nested group membership, including listing the members of the Everyone and Authenticated Users groups.

Note

In the permission forensic screen, the View By field can be changed after setting or restoring the filter.

Mark Stale Permissions

Select the time period for stale permissions. The user permissions that were not used for a given time (time period is configurable) are marked in red.

By default, when you select a business resource (BR) to scope its permissions, only the direct BR permissions (not the child BR permissions) display.

Special Groups - Group Entity Type

When creating a filter, you can select the group entity type from the Field field.

In Windows-based environments, the user groups are:

  • Everyone: Includes all users.
  • Authenticated Users: Includes all users without a guest.
  • Domain Users: Includes a group with all users in the domain. By default, any user created is a member of this group, though it is possible to remove that user.

Owner Permission Field

File Access Manager permissions forensics allows identification and tracking of Owner permissions in the File Access Manager interface:

  • A proprietary column, called "Is Owner Permission", indicates whether a given permission is an Owner permission.
  • A proprietary query attribute is dedicated to filtering Owner permissions, allowing queries and/or reports listing the owners of resources.

Permission Scan for Business Resource

The Permission Scan collects security information from the scanned Business Resources (BRs) and stores it in the File Access Manager database. This includes:

  • Which users or groups have access to the BR.
  • Whether the access is inherited.
  • The types of access such as read, write, full control, etc., depending on the application type.

When requesting a permission scan, you can set the resources to scan, and the number of levels below the requested BR to scan.

To open the Permission Forensics Screen:

  1. Navigate to Forensics > Permissions.

  2. From the Global Options dropdown menu, select Start Permission Scan.

    This will open the Permission Scan panel. Select the scan level:

    • This Business Resource only
    • This Business Resource and levels 'Level 1-4' and 'All Levels'

  3. Click Scan to start the scan, or Cancel to return to the Permission Forensics screen.

DFS Support

For DFS resources, the Permission Forensics table will show the physical, as well as the logical path of resources.

You can create a filter for DFS resources by logical path only. To select a logical path, select Resource on the Select Field drop down menu, then navigate to the required path on the resource tree on the Select Resource dropdown menu. (See Searching for Resources Using a Resource Tree).

Removing Explicit Permissions Using the Permission Forensics Page

This process will revoke explicit permissions from non-normalized resources that are configured for access fulfillment. Permissions that are inherited will not be removed.

  1. Navigate to Forensics > Permissions.

  2. Set a filter, as described in Filters: Creating and Editing a Forensics Query.

  3. Select Apply to run the filter.

  4. Set the View to Groups and Users direct permissions.

  5. In the permission results, select the permission rows to remove by clicking the checkbox on the row.

    Before selecting which permissions to remove, be sure that:

    • The Application in which the BR resides is configured to support Access Fulfillment for Direct Permission Removal. Refer to the "Access Fulfillment for Removal of Explicit Permissions" for more information on how to configure removal of explicit permissions.
    • The permission is defined directly on the BR. Verify the value in the Is Inherited column is False.
    • The selected permission is not a normalized group, created and managed by File Access Manager.

  6. Select Revoke Explicit Permissions.