
Endpoints

The following are various types of endpoints that can be accessed by the SCIM API.

Applications

An Application is the name of the File Access Manager component that represents the monitored system (such as Microsoft Outlook, Active Directory, and file servers). File Access Manager monitors and analyzes permissions of built-in applications.

The File Access Manager Server Installation Guide contains a complete list of supported built-in applications.

Endpoint Description:

The API provides information about applications that are configured in File Access Manager. It allows you to retrieve a list of all defined applications or a single, specific application.

Business Resources

Endpoint Description:

The API provides information about business resources of the organization (folders, shares, etc.). It enables searching for business resources by folder name (full or partial) across all defined applications (servers) or in a specific application. You can query Business Resource owners using this Endpoint. This endpoint can be used to build a resource tree, using the parentResourceId filter.

Business Resource Type Mapping

One of the returned business resource parameters is type (number). The table below describes the types according to the returned type ID:

The content of the table may vary according to the application types installed.

| Business Resource Type ID | Business Resource Type | Business Resource Type ID | Business Resource Type |
|---|---|---|---|
| 0 | Folder | 1 | Active Directory Computer |
| 2 | Active Directory Container | 3 | Active Directory Domain |
| 4 | Active Directory Group | 5 | Active Directory OU |
| 6 | Active Directory User | 7 | SharePoint Document |
| 8 | SharePoint List | 9 | SharePoint List Item |
| 10 | SharePoint Site | 11 | Unknown |
| 12 | Folder | 13 | SharePoint Web |
| 14 | Exchange Folder | 15 | Exchange Mailbox |
| 16 | Exchange Public Folder | 18 | UserSAMAccountName |
| 24 | Active Directory GPO | 25 | Active Directory GPO Container |
| 801 | Windows Cluster Server Name | 908 | Google Folder |
| 909 | Google User | 910 | Dropbox Folder |
| 911 | Dropbox User | 912 | Box Folder |
| 913 | Box User | 914 | Box File |
| 950 | SharePoint File | 951 | SharePoint Hidden List |
| 952 | SharePoint Hidden Folder | 953 | SharePoint Hidden File |
| 1000 | Active Directory Builtin Domain | 1100 | Dfs Namespace |
| 1101 | Dfs Link | | |
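The resource tree mentioned above can be assembled with one parentResourceId query per node. The sketch below is an added example, not SailPoint code: `fetch_children` is a stand-in for that query and runs against constructed records. The field names `id` and `name`, and a null parentResourceId for the root, are assumptions.

```python
# Part of the type table above; an installation may return IDs outside it.
TYPE_NAMES = {0: "Folder", 11: "Unknown", 12: "Folder",
              1100: "Dfs Namespace", 1101: "Dfs Link"}

# Constructed records; "id" and "name" are assumed field names.
SAMPLE = [
    {"id": 1, "parentResourceId": None, "type": 1100, "name": "dfs-root"},
    {"id": 2, "parentResourceId": 1, "type": 1101, "name": "finance"},
    {"id": 3, "parentResourceId": 2, "type": 0, "name": "payroll"},
    {"id": 4, "parentResourceId": 2, "type": 7777, "name": "archive"},
    {"id": 1, "parentResourceId": 3, "type": 1100, "name": "dfs-root"},  # loop back
]


def fetch_children(parent_id):
    """Stand-in for one query filtered on parentResourceId (no network)."""
    return [r for r in SAMPLE if r["parentResourceId"] == parent_id]


def type_label(type_id):
    # Keep unmapped IDs visible rather than folding them into 11 "Unknown".
    return TYPE_NAMES.get(type_id, f"unmapped type {type_id}")


def build_tree(fetch, parent_id=None, seen=None):
    """Walk one parentResourceId query per node; skip IDs already visited."""
    seen = set() if seen is None else seen
    nodes = []
    for rec in fetch(parent_id):
        if rec["id"] in seen:
            continue  # repeated ID: do not descend again
        seen.add(rec["id"])
        nodes.append({"name": rec["name"], "type": type_label(rec["type"]),
                      "children": build_tree(fetch, rec["id"], seen)})
    return nodes


def render(nodes, depth=0):
    """Flatten the nested tree into indented lines for review."""
    lines = []
    for n in nodes:
        lines.append("  " * depth + f'{n["name"]} [{n["type"]}]')
        lines.extend(render(n["children"], depth + 1))
    return lines
```

Because the type table varies with the installed application types, the example reports an ID it does not know as unmapped instead of treating it as type 11.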

Capabilities

Capabilities are objects defining access rights within the File Access Manager module.

A Capability includes:

- Capability name and description
- Rights that each capability has
- Users and groups associated with each capability

Endpoint Description

The API retrieves a list of capabilities, including the capability description, the rights each capability includes, and associated users and groups. Optional filters include capability, right, and user names.

DataClassificationCategories

Data Classification categories describe the different types of sensitive data which the File Access Manager can identify, according to the data content and context.

Endpoint Description

The API retrieves a list of all File Access Manager Data Classification categories. An optional category filter retrieves a single category record.

DataClassificationResults

The Data Classification mechanism provides the ability to discover and classify resources and files containing sensitive information, according to configurable rules and policies.

Endpoint Description

For each resource requested, this endpoint returns an object including the file name, policy, rule, and categories that triggered the classification for this file, as well as the number of times a category match was found. This endpoint supports DFS addresses, if the DFS applicationId is requested.

IdentityUsers

Identities are collected from different identity repositories, such as Active Directory, Azure, and NIS. This information is used in Permissions Collection, as well as to analyze users, the relation between users, groups, users’ membership in groups, the structure of groups, and other information.

Endpoint Description

The API provides information about the Identity Users collected by File Access Manager’s Identity Collectors. It allows querying them and changing their business resources’ ownership.

KPIs

Endpoint Description

The API returns the count and score of KPIs calculated in File Access Manager. This is a read-only endpoint.

Permissions

Endpoint Description

The API provides information about a user or group’s direct permissions on each business resource.

Unlike other objects, the Permission object does not stand on its own and its ID cannot be used as a filter. This means that getting a permission object by ID is not supported (/Permissions/[identifier]).

The reason there is no ID for a permission lies in the underlying data model of how permissions are stored. Since most application types support an inheritance model, permissions in File Access Manager are stored only for business resources which are uniquely managed.

Uniquely managed business resources are either business resources which do not inherit their permissions, or business resources which inherit permissions but add more on top of them. A business resource which fully inherits its permissions without adding to them holds only a reference to the parent business resource it inherits the permissions from.

A single permission is uniquely identified by the following attributes:

- identity id (either user or group)
- identity type - user or group
- business resource id
- permission type id
- inherited - a single user/group can have the same permission on a business resource, once as an inherited permission and another as a non-inherited explicit permission
- allow/deny - a single user/group can have the same permission on a business resource, once as an allow permission and another as a deny permission

In some application types, the first four attributes would be enough to uniquely identify a permission. These are application types that do not support an inheritance model and allow/deny permissions, or partially support an inheritance model without allow/deny, such as SharePoint, where a business resource can either inherit its permissions or be uniquely managed, but cannot inherit and add on top of it.
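Since a permission has no ID, a client that stores or de-duplicates permission records needs the composite key described above. The following added example (not SailPoint code) indexes constructed records by all six attributes and shows what keying on only the first four would merge. The JSON field names are hypothetical, because the page names the attributes but not their keys.

```python
from collections import defaultdict

# Hypothetical JSON keys: the page names the attributes, not their field names.
FULL_KEY = ("identityId", "identityType", "businessResourceId",
            "permissionTypeId", "inherited", "allow")
SHORT_KEY = FULL_KEY[:4]  # the "first four attributes"


def _rec(identity, kind, resource, ptype, inherited, allow):
    return dict(zip(FULL_KEY, (identity, kind, resource, ptype, inherited, allow)))


# Constructed sample records, not real API output.
SAMPLE = [
    _rec(17, "group", 900, 3, True, True),    # inherited allow
    _rec(17, "group", 900, 3, False, True),   # explicit allow on top
    _rec(17, "group", 900, 3, False, False),  # explicit deny
    _rec(42, "user", 900, 3, False, True),
    _rec(17, "group", 900, 3, True, True),    # exact repeat of the first record
]


def index_permissions(records, fields=FULL_KEY):
    """Group records by composite key, dropping exact repeats."""
    buckets = defaultdict(list)
    for rec in records:
        missing = [f for f in fields if f not in rec]
        if missing:
            raise ValueError(f"record lacks key attributes: {missing}")
        key = tuple(rec[f] for f in fields)
        if rec not in buckets[key]:
            buckets[key].append(rec)
    return dict(buckets)


def collisions(records, fields):
    """Keys under which more than one distinct permission was merged."""
    return {k: v for k, v in index_permissions(records, fields).items() if len(v) > 1}


def merged_denies(records):
    """Deny permissions that a four-attribute key would merge with an allow."""
    hidden = []
    for group in collisions(records, SHORT_KEY).values():
        if any(r["allow"] for r in group):
            hidden.extend(r for r in group if not r["allow"])
    return hidden
```

An access review built on the shorter key would report one permission where the sample holds an inherited allow, an explicit allow and an explicit deny.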