Access Fulfillment for Unmanaged BRs

For unmanaged BRs, the user can either create a custom script for access fulfillment or create a manual process. This manual process includes fulfillment and review, using a static, single-level access fulfillment process. To handle unmanaged BRs, either an access request path or an access certification path must first define manual fulfillment on unmanaged BRs.

To run manual access fulfillment on an unmanaged business resource through the Access Request path:

  1. In the administrative client, navigate to Access Requests > Configuration > Manage Access Request Templates.

  2. Complete the Access Request Template, described in Creating an Access Request Template.

To run manual access fulfillment on an unmanaged business resource through an Access Certification path:

  1. In the Web Client, navigate to Compliance > Access Certification > Campaign Templates.

  2. Complete the Access Certification Template, as discussed in Campaign Templates.

  3. Select either None or Fulfill Permissions Revoke Requests from the dropdown menu in the Fulfillment field.

If you selected Fulfill Permissions Revoke Requests in the previous step, select a review process from the Manual Fulfillment Review Process field.

Note: The system assigns a one-step review process for manual fulfillment to Access requests for non-managed resources and identity collectors.

Access Fulfillment Advanced Forensics Control (AFC) Filter has additional information on forensics control.

Different applications and permission mechanisms may interpret the Owner permission differently. The table below describes the permission types that File Access Manager treats as an Owner permission. For each platform, the Owner permission is defined and named (queried by the listed name in the AFM query filter controls).

Owner Permission Types

Permission Scheme

Description

Microsoft ACL

Microsoft Access Control Lists contain a special field that indicates the owner (user / group) of the resource (for example, a file or a folder).

There can be only one entity defined as the Owner (but that Owner can be a group).

Since an Owner has full control of the ACL, the Owner effectively grants all permissions.

The Microsoft ACL Owner applies to:

  • Windows File Server

  • Active Directory

  • Microsoft Exchange / Microsoft Exchange Online

  • NetApp – CIFS

  • EMC Celerra – CIFS

  • EMC Isilon – CIFS

Unix

When a file (or folder) is created in Unix/Linux, its creator is automatically set as the Owner.
Permissions are categorized by:

  • Owner

  • Users in the Owner’s group

  • Other Users

There can be only one owner user and one owner group per file/folder.

Since only the Owner (or root) can change file permissions, an Owner effectively grants all permissions.

The Unix file system Owner applies to:

  • NFS (when using Unix permissions, but not NFSv4 ACLs)

  • NetApp – NFS

  • EMC Celerra – NFS

SharePoint

A SharePoint server features Site Collection containers, which function as separate entities, and permission scopes. Different Site Collections may have different users, groups, and permission types.

One or more users in a Site Collection may be defined as a Site Collection Administrator. The Administrator has full control of the resources in the Site Collection’s inner structure.

The SharePoint Site Collection Administrator applies to:

  • Microsoft SharePoint

  • Microsoft SharePoint Online

  • Microsoft OneDrive

Cloud Storage Providers

Typically, cloud storage providers include a permission type named “Owner”, which grants full access rights to the resource (file, folder, etc.).

The generic Owner permission is employed in:

  • Box.com

  • Dropbox

  • Google Drive