Endpoints
The SCIM API exposes the following endpoint types.
Applications
An Application is the name of the File Access Manager component that represents the monitored system (such as Microsoft Outlook, Active Directory, and file servers). File Access Manager monitors and analyzes permissions of built-in applications.
The File Access Manager Server Installation Guide contains a complete list of supported built-in applications.
Endpoint Description
The API provides information about the applications configured in File Access Manager. It allows you to retrieve a list of all defined applications or a specific application.
Business Resources
Endpoint Description
The API provides information about the business resources of the organization (folders, shares, and so on). It enables searching for business resources by folder name (full or partial) across all defined applications (servers) or within a specific application. Business Resource owners can also be queried through this endpoint. The endpoint can be used to build a resource tree by means of the parentResourceId filter.
Business Resource Type Mapping
One of the returned business resource attributes is type, a numeric value. The table below maps each returned type ID to its business resource type.
The content of the table may vary according to the application types installed.
Business Resource Type ID | Business Resource Type | Business Resource Type ID | Business Resource Type |
---|---|---|---|
0 | Folder | 1 | Active Directory Computer |
2 | Active Directory Container | 3 | Active Directory Domain |
4 | Active Directory Group | 5 | Active Directory OU |
6 | Active Directory User | 7 | SharePoint Document |
8 | SharePoint List | 9 | SharePoint List Item |
10 | SharePoint Site | 11 | Unknown |
12 | Folder | 13 | SharePoint Web |
14 | Exchange Folder | 15 | Exchange Mailbox |
16 | Exchange Public Folder | 18 | UserSAMAccountName |
24 | Active Directory GPO | 25 | Active Directory GPO Container |
801 | Windows Cluster Server Name | 908 | Google Folder |
909 | Google User | 910 | Dropbox Folder |
911 | Dropbox User | 912 | Box Folder |
913 | Box User | 914 | Box File |
950 | SharePoint File | 951 | SharePoint Hidden List |
952 | SharePoint Hidden Folder | 953 | SharePoint Hidden File |
1000 | Active Directory Builtin Domain | 1100 | Dfs Namespace |
1101 | Dfs Link | | |
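As an added example, not part of this documentation or the product's own code, the following Python script shows how a client could build a resource tree from Business Resource records by following the parentResourceId attribute, and label each node with the type names from the table above. The record shape (id, name, type, parentResourceId) and the sample records are constructed assumptions; a real client would read them from the endpoint's response. It also guards against a malformed parent chain, which a naive walk would loop on.

```python
"""Build a resource tree from Business Resource records (added example).

Assumptions, not the documented schema: each record has id, name, type and
parentResourceId, where parentResourceId is None for a top-level resource.
The sample records are constructed, not taken from a live system.
"""
from collections import defaultdict

# Subset of the Business Resource Type ID mapping from the table above.
BUSINESS_RESOURCE_TYPES = {
    0: "Folder",
    1: "Active Directory Computer",
    4: "Active Directory Group",
    6: "Active Directory User",
    10: "SharePoint Site",
    11: "Unknown",
    15: "Exchange Mailbox",
    950: "SharePoint File",
    1100: "Dfs Namespace",
    1101: "Dfs Link",
}

# Constructed sample response records.
SAMPLE_RESOURCES = [
    {"id": "100", "name": "Finance", "type": 0, "parentResourceId": None},
    {"id": "101", "name": "Payroll", "type": 0, "parentResourceId": "100"},
    {"id": "102", "name": "Budgets", "type": 0, "parentResourceId": "100"},
    {"id": "103", "name": "2024", "type": 0, "parentResourceId": "101"},
    {"id": "200", "name": "Corp", "type": 1100, "parentResourceId": None},
    {"id": "201", "name": "HR", "type": 1101, "parentResourceId": "200"},
]


def type_name(type_id):
    """Translate a numeric business resource type into its display name."""
    return BUSINESS_RESOURCE_TYPES.get(type_id, f"Unmapped type {type_id}")


def build_tree(resources):
    """Index records by id and group them under their parentResourceId.

    A record whose parent is missing from the result set is treated as a
    root, so a partial (filtered) response still renders without errors.
    """
    by_id = {r["id"]: r for r in resources}
    children = defaultdict(list)
    roots = []
    for r in resources:
        parent_id = r.get("parentResourceId")
        if parent_id is None or parent_id not in by_id:
            roots.append(r)
        else:
            children[parent_id].append(r)
    return by_id, roots, children


def ancestry(resource_id, by_id):
    """Return names from the root down to resource_id.

    Guards against a cyclic parentResourceId chain, which would otherwise
    loop forever on malformed data.
    """
    path, seen = [], set()
    current = by_id.get(resource_id)
    while current is not None:
        if current["id"] in seen:
            raise ValueError(f"cyclic parentResourceId chain at {current['id']}")
        seen.add(current["id"])
        path.append(current["name"])
        current = by_id.get(current.get("parentResourceId"))
    return list(reversed(path))


def render_tree(resources):
    """Return indented lines, one per resource, with the type name in brackets."""
    _, roots, children = build_tree(resources)
    lines = []

    def walk(node, depth):
        lines.append(f"{'  ' * depth}{node['name']} [{type_name(node['type'])}]")
        for child in sorted(children[node["id"]], key=lambda c: c["name"]):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda r: r["name"]):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_RESOURCES)))
    print("/".join(ancestry("103", build_tree(SAMPLE_RESOURCES)[0])))
```

Records whose parent is not in the response are rendered as roots rather than dropped, so a query filtered to one application still produces a usable tree.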
Capabilities
Capabilities are objects defining access rights within the File Access Manager module.
A Capability includes:
- Capability name and description
- Rights that each capability has
- Users and groups associated with each capability
Endpoint Description
The API retrieves a list of capabilities, including the capability description, the rights each capability includes, and associated users and groups. Optional filters include capability, right, and user names.
DataClassificationCategories
Data Classification categories describe the different types of sensitive data which the File Access Manager can identify, according to the data content and context.
Endpoint Description
The API retrieves a list of all File Access Manager Data Classification categories. An optional category filter returns a single category record.
DataClassificationResults
The Data Classification mechanism provides the ability to discover and classify resources and files containing sensitive information, according to configurable rules and policies.
Endpoint Description
For each resource requested, this endpoint returns an object including the file name, policy, rule, and categories that triggered the classification for this file, as well as the number of times a category match was found. This endpoint also supports DFS addresses when the request specifies the DFS applicationId.
IdentityUsers
Identities are collected from different identity repositories, such as Active Directory, Azure, and NIS. This information is used in Permissions Collection, as well as to analyze users, the relationships between users and groups, users' membership in groups, the structure of groups, and other information.
Endpoint Description
The API provides information about the Identity Users collected by File Access Manager’s Identity Collectors. It allows querying them and changing their business resources’ ownership.
KPIs
Endpoint Description
The API returns the count and score of KPIs calculated in File Access Manager. This is a read-only endpoint.
Permissions
Endpoint Description
The API provides information about a user or group’s direct permissions on each business resource.
Unlike other objects, the Permission object does not stand on its own, and its ID cannot be used as a filter. This means that getting a permission object by ID (/Permissions/[identifier]) is not supported.
The reason there is no ID for a permission lies in the underlying data model of how permissions are stored. Since most application types support an inheritance model, permissions in File Access Manager are stored only for business resources which are uniquely managed.
Uniquely managed business resources are business resources which either do not inherit their permissions, or inherit permissions but add more on top of them. A business resource which fully inherits its permissions without adding to them holds only a reference to the parent business resource from which it inherits them.
A single permission is uniquely identified by the following attributes:
- identity id (either user or group)
- identity type: user or group
- business resource id
- permission type id
- inherited: a single user/group can have the same permission on a business resource, once as an inherited permission and once as a non-inherited explicit permission
- allow/deny: a single user/group can have the same permission on a business resource, once as an allow permission and once as a deny permission
In some application types, the first four attributes would be enough to uniquely identify a permission. These are application types that do not support an inheritance model and allow/deny permissions, or partially support an inheritance model without allow/deny, such as SharePoint, where a business resource can either inherit its permissions or be uniquely managed, but cannot inherit and add on top of it.
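As an added example, not part of this documentation or the product's own code, the following Python script models the permission identity rules described above: it shows why all six attributes (and, for application types like SharePoint, only the first four) are needed to identify a permission, and how a resource that fully inherits its permissions resolves them through the reference it holds to its parent. The field names (identityId, identityType, businessResourceId, permissionTypeId, inherited, allow) and the INHERITS_FROM reference table are assumptions modelled on the attributes the text lists, not the API's documented schema; all records are constructed.

```python
"""Permission identity and inheritance lookup (added example).

Field names (identityId, identityType, businessResourceId, permissionTypeId,
inherited, allow) and the INHERITS_FROM reference table are assumptions
modelled on the attributes described above, not the API's documented schema.
All records are constructed.
"""

# Permissions are stored only for uniquely managed business resources.
STORED = {
    # "Finance": does not inherit; one explicit group grant.
    "100": [
        {"identityId": "g-finance", "identityType": "group", "businessResourceId": "100",
         "permissionTypeId": 1, "inherited": False, "allow": True},
    ],
    # "Payroll": inherits from Finance and adds permissions on top.
    "101": [
        # Same group, same right, once inherited and once granted explicitly.
        {"identityId": "g-finance", "identityType": "group", "businessResourceId": "101",
         "permissionTypeId": 1, "inherited": True, "allow": True},
        {"identityId": "g-finance", "identityType": "group", "businessResourceId": "101",
         "permissionTypeId": 1, "inherited": False, "allow": True},
        # Same user, same right, once as allow and once as an explicit deny.
        {"identityId": "u-bob", "identityType": "user", "businessResourceId": "101",
         "permissionTypeId": 2, "inherited": False, "allow": True},
        {"identityId": "u-bob", "identityType": "user", "businessResourceId": "101",
         "permissionTypeId": 2, "inherited": False, "allow": False},
    ],
}

# Fully inheriting resources hold only a reference to the parent they inherit from.
INHERITS_FROM = {"103": "101", "104": "103"}


def permission_key(record, full=True):
    """Composite key that identifies one permission.

    With full=True the key carries all six attributes. With full=False it
    keeps only the first four, which is enough for application types
    without an add-on-top inheritance model or allow/deny semantics.
    """
    key = (record["identityId"], record["identityType"],
           record["businessResourceId"], record["permissionTypeId"])
    if full:
        key += (record["inherited"], record["allow"])
    return key


def distinct_count(records, full=True):
    """Number of distinct permissions under the chosen key."""
    return len({permission_key(r, full) for r in records})


def find_duplicates(records, full=True):
    """Keys under which more than one record collapses; empty means the key is unique."""
    seen, dupes = set(), set()
    for r in records:
        k = permission_key(r, full)
        if k in seen:
            dupes.add(k)
        seen.add(k)
    return sorted(dupes)


def storage_resource(resource_id):
    """Follow inheritance references to the resource whose stored permissions apply.

    Raises KeyError for an unknown resource or a cyclic reference chain.
    """
    seen = set()
    current = resource_id
    while current not in STORED:
        if current in seen or current not in INHERITS_FROM:
            raise KeyError(f"no stored permissions reachable from {resource_id}")
        seen.add(current)
        current = INHERITS_FROM[current]
    return current


def effective_permissions(resource_id):
    """Permissions that apply to resource_id, annotated with where they are stored."""
    source = storage_resource(resource_id)
    return [dict(r, effectiveOn=resource_id, storedOn=source) for r in STORED[source]]


if __name__ == "__main__":
    print("Payroll, 6-attribute key:", distinct_count(STORED["101"]))
    print("Payroll, 4-attribute key:", distinct_count(STORED["101"], full=False))
    for p in effective_permissions("104"):
        print(p["identityId"], p["permissionTypeId"],
              "inherited" if p["inherited"] else "explicit",
              "allow" if p["allow"] else "deny", "stored on", p["storedOn"])
```

Under the four-attribute key the Payroll records collapse from four permissions to two, silently merging an explicit deny with an allow; that is the reason the full key carries the inherited and allow/deny attributes for application types with an add-on-top inheritance model.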