Configuring the Permissions Collector
-
To open the Permissions Collector Configuration wizard:
-
Click Open Permissions Collection Wizard at the end of the Homegrown Application definition, or
-
Select a homegrown application to the context by double-clicking it, and then click Permissions Collection.
-

The Permissions Collection Wizard displays.
-
Click Next to open the Identities Collection window.
Use Existing Collector | Select a collector from the dropdown list
Edit the Selected Identity Collector | To edit an existing collector
Create a New Collector | To create a new collector
-
If you want to create a new collector, select the This application uses Groups check box in the Groups Configuration section, if applicable. Clearing this check box removes the need to map the Group data or the Group Permission types of Business Resource relations, and you can skip those steps in the wizard.
If you chose to create a new collector, the Identity Collector: Users Collection (1 of 3) page displays.
Under Main Data Source, the Data Source displays automatically.
-
Under Mandatory Fields, select a User Name from the dropdown menu.
-
Under Optional Fixed Fields, check the check box next to each relevant optional fixed field, and select the field from the corresponding dropdown menu.
-
Click Next to open the User Collection (2 of 3) screen.
-
Under Fields Mapping, select a field from the Dictionary Field dropdown menu (or if none exists, select Create a new Field next to Fields Mapping).
-
Select a field from the Mapped Field dropdown menu.
-
Click Next.
The Identity Collector: Users Collection (3 of 3) displays.
-
If relevant, under Users Tree, check the Should the users tree be grouped box. This will affect how the users will look in the Users Tree under the Advanced Forensics Control.
-
If you checked that box, select a field grouping from the Field dropdown menu.
-
If relevant, under Unique User Accounts Mapping, check the Use a field to map between accounts of the same user box.
-
If you checked that box, select the field from the Field dropdown menu.
-
Click Next.
The Identity Collector: Groups Collection (1 of 2) window displays.
Under Main Data Source, the Data Source displays automatically.
-
Under Mandatory Fields, select a Group Name from the dropdown menu.
-
Under Optional Fixed Fields, check the check box next to each relevant optional fixed field, and select the field from the corresponding dropdown menu.
-
Click Next.
The Identity Collector: Groups Collection (2 of 2) displays.
-
Under Fields Mapping, select a field from the Dictionary Field dropdown menu (or if none exists, click Create a new Field next to Fields Mapping).
-
Select a field from the Mapped Field dropdown menu.
-
Click Next.
The Groups Hierarchy Support window displays.
-
Select This Identity Collector uses Groups Hierarchy if relevant.
-
Under Main Data Source, the Data Source displays automatically.
-
Under Mandatory Fields, select a Child Group Name and a Parent Group Name from their respective dropdown menus.
-
Under Mandatory Fields, select a Parent Group Name from the dropdown menu.
-
Under Optional Fixed Fields, check the check box next to each relevant optional fixed field, and select the field from the corresponding dropdown menu.
-
Click Next.
The Identity Collector: Users Membership in Groups (1 of 1) window displays.
-
Under Main Data Source, the Data Source displays automatically.
-
Under Mandatory Fields, select a Group Domain Name, Group Name, and Username from the respective dropdown menus.
-
Under Mandatory Fields, select a Parent Group Name from the dropdown menu.
-
Under Optional Fixed Fields, check the User Domain Name check box if relevant, and select the field from the corresponding dropdown menu.
-
Click Next.
The Business Resources Collection (General) window displays.
-
Click This application uses Business Resources if applicable.
Note: If you do not check this check box, File Access Manager creates a Business Resource (in the background) and associates it with all permissions.
-
Type the name in the Name field.
-
Click Next to open the Business Resources collection.

The Business Resources Collection (1 of 2) window displays. Select the data source that contains Business Resource Data type information from the Data Source dropdown menu or click Create a new Data Source to create a new data source.
-
If you click Create a new Data Source, the Data Source Wizard displays.
-
Select a resource unique identifier from the Resource Unique Identifier dropdown menu under Mandatory Fields.
-
This field must identify the Business Resource uniquely (for example, C:\Docs\Finance), and should match the Business Resource Unique Identifier selected in the User/Group-Permission Type-Business Resource relationships defined in the following steps.
-
Check the Resource Name check box under Optional Fixed Fields, if applicable, and select the column that represents the source name.
-
Click Next.
The Business Resources Collection (2 of 2) window displays.
-
This section allows dynamic field mapping for the Business Resource data type. The relevant fields will be available later for query and display in the Permission Forensics page. You can use it in Access Certification Campaigns and Access Requests to display meaningful information for permission reviewers.
-
Select a dictionary field from the Dictionary Field dropdown menu.
-
Select a mapped field from the Mapped Field dropdown menu.
-
Click Next.
The Business Resources Hierarchy Support window displays.
-
Check the This Business Resources Collector uses Resources Hierarchy check box to support parent-child hierarchy.
-
Type a unique identifier for the hierarchical string in the "String to be used as a delimiter to break the string into resources" field.
-
An example of a group hierarchy follows:
If the nested groups are:
The Data Source table of parent-child group associations would be:
Parent Group | Child Group
Group A | Group C
Group A | Group D
Group A | Group E
Group C | Group B
Group E | Group F
Group E | Group G
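The following sketch is an added example, not part of File Access Manager or its documentation. It loads the parent-child rows from the table above, resolves which groups are nested under or above a given group, and flags groups that end up as their own ancestor, a data error worth catching in the source table before collection. The function names are hypothetical.

```python
from collections import defaultdict

# Parent/child rows copied from the table above.
ROWS = [("Group A", "Group C"), ("Group A", "Group D"), ("Group A", "Group E"),
        ("Group C", "Group B"), ("Group E", "Group F"), ("Group E", "Group G")]

def build_children(rows):
    """Map each parent group to the set of its direct child groups."""
    children = defaultdict(set)
    for parent, child in rows:
        children[parent].add(child)
    return children

def descendants(children, group):
    """All groups nested under `group`, directly or indirectly."""
    seen, stack = set(), list(children.get(group, ()))
    while stack:
        g = stack.pop()
        if g not in seen:          # the seen-set keeps cyclic data from looping
            seen.add(g)
            stack.extend(children.get(g, ()))
    return seen

def ancestors(rows, group):
    """All groups that `group` is nested in: walk the same rows inverted."""
    parents = build_children((child, parent) for parent, child in rows)
    return descendants(parents, group)

def find_cycle_members(rows):
    """Groups that are their own ancestor (A contains B ... contains A)."""
    children = build_children(rows)
    return sorted(g for g in list(children) if g in descendants(children, g))

if __name__ == "__main__":
    print("Nested under Group A:", sorted(descendants(build_children(ROWS), "Group A")))
    print("Group B is nested in:", sorted(ancestors(ROWS, "Group B")))
    # Constructed bad row: Group B listed as the parent of Group A.
    print("Cycle members:", find_cycle_members(ROWS + [("Group B", "Group A")]))
```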
-
Click Next to open the Permission Types Collection tab.

The Permission Types Collection window displays.
The Permission Type collector is associated with the Application type, so all homegrown applications of the same type will share the same permission type collector, and the same permission types.
-
Check the Edit the selected Permission Type Collector check box to edit the permission type collector.
The Permissions Types Collection (1 of 2) window displays.
-
Select the data source with information on the Permission Type data type from the Data Source dropdown menu, or click Create a new Data Source.
-
Select a Mandatory Field from the Permission Type Name dropdown menu.
-
This field must identify the Permission Type uniquely (for example, Read), and should match the Permission Type Name selected in the User/Group-Permission Type-Business Resource relationships defined in the following steps.
-
Check optional fixed fields, if applicable, from the Optional Fixed Fields check boxes.
-
Click Next.
The Permission Types Collection (2 of 2) window displays.
This section allows dynamic field mapping for the Permission Type data type. The relevant fields will be available later for query and display in the Permissions Forensics screen, and you can use them in Access Certification Campaigns and Access Requests to display meaningful information for permission reviewers.
-
Click Create a new Field under Fields Mapping if applicable.
The Manage Permission Types Data Dictionary window displays.
-
Type a name in the Name field.
-
Select a WH Question from the WH Question dropdown menu.
-
A WH Question determines under which question this field displays in the Advanced Forensics Control under the Permissions > Identity and Permissions Forensics window, when you create a new query.
-
Click Save to save the new field or click Cancel to return to the previous window.
-
The Permission Types Collection (2 of 2) window displays again.
-
Select a dictionary field from the Dictionary Field dropdown menu.
-
Select a mapped field from the Mapped Field dropdown menu.
-
Click Next to open the Users’ Direct Permissions Collection tab.

In this portion of the Permissions Collector Configuration Wizard, you determine how to import permissions given directly to users. This is done by mapping the relations between users, permission types, and business resources.
Note: The Name field contains the name you provided.
-
Click the Map permissions given directly to Users check box to map those permissions.
-
Click Finish if you do not need to map the permissions, or click Next to continue with the Users’ Direct Permissions Collection portion of the wizard.
If you click Next, the Users Direct Permissions Collection (1 of 1) window displays.
-
Select the Main Data Source from the Data Source dropdown menu that contains the information on the User-Permission Type-Business Resource relationships or click Create a new Data Source.
-
Select the mandatory fields from the following dropdown menus:
-
Permission Type Name – this field value must match the permission type name selected in the Permission Type collector.
-
Username – this field value must match the user name selected in the Users Collector defined in the identity collector.
-
Resource Unique Identifier – this field value must match the business resource unique identifier selected in the Business Resources collector.
-
Check optional fixed fields, if applicable, from the Optional Fixed Fields check boxes.
-
Click Next to open the Groups’ Direct Permissions Collection tab.
Groups’ Direct Permissions Collection Tab
In this portion of the Permissions Collector Configuration Wizard, you determine how to import permissions given to users through rules by mapping the relations between Groups, Permission Types, and Business Resources.
-
Check the Map permissions given to groups check box if applicable.
Note: The Name field contains the name you provided.
-
Click Finish if you do not need to map the permissions, or click Next to continue with the Groups Direct Permissions Collection portion of the wizard.
If you click Next, the Groups Direct Permissions Collection (1 of 1) window displays.
-
Select the Main Data Source from the Data Source dropdown menu that contains the information on the Group-Permission Type-Business Resource relationships or click Create a new Data Source.
-
Select the mandatory fields from the following dropdown menus:
-
Permission Type Name – this field value must match the permission type name selected in the Permission Type collector.
-
Group Name – this field value must match the group name selected in the Groups Collector defined in the identity collector.
-
Resource Unique Identifier – this field value must match the business resource unique identifier selected in the Business Resources collector.
-
Check Optional Fixed Fields, if applicable, from the Optional Fixed Fields check boxes.
-
Click Next to open the Permission Collector scheduling tab.
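The matching requirements stated for the Users' and Groups' Direct Permissions mandatory fields can be checked on the source data before the first collection run. The script below is an added example, not File Access Manager code: the CSV exports and column names are constructed, and it assumes exact, case-sensitive matching, which is the conservative check since this page does not state the product's comparison rules.

```python
import csv
import io

# Constructed sample exports of the data sources; column names are assumptions.
PERMISSION_TYPES = "PermissionTypeName\nRead\nWrite\n"
USERS = "UserName\nalice\nbob\n"
GROUPS = "GroupName\nFinance-RW\n"
RESOURCES = "ResourceUniqueIdentifier\nC:\\Docs\\Finance\n"
USER_PERMS = ("PermissionTypeName,UserName,ResourceUniqueIdentifier\n"
              "Read,alice,C:\\Docs\\Finance\n"
              "read,bob,C:\\Docs\\Finance\n"       # permission type differs by case
              "Write,carol,C:\\Docs\\Finance\n")   # user absent from Users collector
GROUP_PERMS = ("PermissionTypeName,GroupName,ResourceUniqueIdentifier\n"
               "Write,Finance-RW,C:\\Docs\\Finance\\\n")  # trailing backslash

def column(text, name):
    """Set of values found in one column of a CSV export."""
    return {row[name] for row in csv.DictReader(io.StringIO(text))}

def orphans(relations_text, checks):
    """Return (file_line, column, value) for each key with no exact match."""
    problems = []
    reader = csv.DictReader(io.StringIO(relations_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        for col, known in checks.items():
            if row[col] not in known:
                problems.append((line_no, col, row[col]))
    return problems

def check_all():
    """Validate both relationship sources against their collectors."""
    types = column(PERMISSION_TYPES, "PermissionTypeName")
    resources = column(RESOURCES, "ResourceUniqueIdentifier")
    user_checks = {"PermissionTypeName": types,
                   "UserName": column(USERS, "UserName"),
                   "ResourceUniqueIdentifier": resources}
    group_checks = {"PermissionTypeName": types,
                    "GroupName": column(GROUPS, "GroupName"),
                    "ResourceUniqueIdentifier": resources}
    return orphans(USER_PERMS, user_checks), orphans(GROUP_PERMS, group_checks)

if __name__ == "__main__":
    for label, found in zip(("user", "group"), check_all()):
        for line_no, col, value in found:
            print(f"{label} permissions line {line_no}: {col}={value!r} has no match")
```

Rows reported here reference a permission type, identity, or resource that the corresponding collector does not define, so they should be corrected at the source before relying on the collected permissions in a review.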

-
Click Finish if you do not want to create a schedule.
-
Check the Create a Schedule check box to create a schedule for identities, groups, and permissions collection.
-
Click Next to open the summary tab.

-
Click the Run Identities and Permissions Collection Now check box to run the collection.
-
Click Finish.
The Permissions Collector Summary window displays.
-
Check Run Identities and Permissions Collection Now and click Finish.
An Information window displays to indicate that the system created a Task successfully.
-
To view the task progress, go to Settings > Task Management > Tasks.
-
Click OK to end the wizard.
Note: It is possible to reuse the Identity collectors for user, group, and the user-group relationships and the Permission Types collector. However, it is only possible to use the Business Resources collectors and the two Business Resource Relationships collectors once, since they are associated with specific applications. One or more Data Sources collect all the above data types, but there must be a separate mapping from the Data Source to each of the data types.