DATADVANTAGE 6.3. User Guide


Publishing Information

Software version
Document version 9
Publication date May 22, 2017

Copyright (c) Varonis Systems Inc. All rights reserved. This information shall only be used in conjunction with services contracted for with Varonis Systems, Inc. and shall not be used to the detriment of Varonis Systems, Inc. in any manner. User agrees not to copy, reproduce, sell, license, or transfer this information without prior written consent of Varonis Systems, Inc. Other brands and products are trademarks of their respective holders.

CONTENTS

Chapter 1: DatAdvantage
Terminology; Target Audience; Related Documentation

Chapter 2: Basic Concepts
File Server Probe; File Server Event Data Collection; File Server Structure Data Collection; Handling of Events on the Same Entity; Directory Service Probe; IDU Server; Active Directory Data Collection; DatAdvantage Data Aggregation; Bidirectional Clustering; IDU Analytics; DatAdvantage Management; Risk Assessment; Permission Management; Auditing and Reporting; Events and Usage Policies; User Roles, Permissions and Security Model; Abstract Entities; Ownership and Custodianship; Custodians and Owners vs. Application Roles; UI Visibility Limitations for Owners and Custodians; Custodians, Owners and Reports; Multiple Owners; Ownership Inheritance; Directory Service Account Management; Share Visibility in DatAdvantage; Synchronization of Ownership with DataPrivilege; Accessibility for Color Blind Users

Chapter 3: Workflows
Reviewing and Applying Analysis Recommendations; Reviewing Known Data By Folder; Reviewing Known Groups; Reviewing Similar Data; Validating and Applying Changes; Identifying Unusual Behavior; Using DatAdvantage to Move from Share to NTFS Permissions; Reviewing Activities; Using DatAdvantage to Understand Security Changes

Chapter 4: Getting Started
Starting DatAdvantage; DatAdvantage's Graphical User Interface; DatAdvantage Views; Menus and Toolbar; DatAdvantage Status Bar; Displaying the DatAdvantage Legend; Keyboard Shortcuts; Closing DatAdvantage

Chapter 5: Common Activities
Setting User Interface Display Options; Switching Views; Selecting Resources; Showing and Hiding Window Panes; Using the Current Active Entity List; Using the Directory Services Search Dialog Box; Using the Directory Picker Dialog Box; Navigating Directories and Files; Searching for Directories and Files; Understanding Logical and Physical Views; Focusing on Directories and Files by View State; Viewing the Tree According to Permission Types; Grouping Exchange Entities; Showing and Hiding Management Indicators; Showing and Hiding Deduplication Indicators; Viewing Columns in the Directories Pane; Filtering Directories and Files; Clearing Filters; Navigating User and Group Lists; Reloading User or Group Information; Arranging Users and Groups; Filtering User and Group Lists; Switching between Parent and Child Views; Viewing Users and Groups According to Permission Types; Selecting Display Name Settings for Users or Groups; Showing or Hiding Managed Group Indicators; Showing or Hiding Inactivity Indicators; Showing or Hiding Excluded from IDU Analytics Indicators; Editing the Displayed Columns; Selecting Organizational Units; Moving Users and Groups to the Top of the List; Searching for Users or Groups; Viewing Azure Active Directory Objects in the Users & Groups Pane; Managing Ownership and Custodianship; About Uploading Owners; Assigning Owners, Custodians and Entities Throughout the System; Assigning Managed Entities to a Single Owner; Adding Managed Resources to a Single Group; Setting Ownership on a Group; Assigning Owners to a Single Managed Directory; Dragging and Dropping Owners and Entities; Filtering the Managed Entities List; Replacing or Cloning Owners Throughout the System; Removing Owners or Custodians from Entities; Exporting Owner Lists to CSV; About Change Management and Commit; What Should Be Committed; Committing Changes on SharePoint File Servers; Accessing the Change Management and Commit Window; Managing Pending Changes; Managing Commit Processes; Exporting Changes and Processes to CSV; Editing the Displayed Columns; Archiving Events, Statistics and Committed Processes; Selecting Events, Statistics and Committed Processes; Archiving Events, Statistics and Committed Processes; Restoring Archived Data; Restoring Data Per User; Deleting Archived Data; Managing IDU Servers; Adding IDU Connections; Removing IDU Connections; Configuring Dictionaries; Adding Dictionaries; Editing Dictionaries; Cloning Dictionaries; Removing Dictionaries; Setting Entities as Monitored or Unmonitored; Using Follow-up Indicators; Configuring Follow-up Indicators; Uploading Follow-Up Indicators; Clearing Follow-Up Indicators; Managing Flags; Managing Tags; Managing Notes; Setting Entities as Included or Excluded from Analysis; Working with Lists and Tables; Sorting Lists and Tables by Column; Grouping Lists and Tables by Column; Ungrouping Lists or Tables; Viewing History of Deleted Entities; Viewing Entity Properties; Opening the Management Console; Advanced Searching; Accessing Advanced Search Criteria; Selecting the Data Source; Setting the Time Frame for a Search; Selecting a Search Mode; Adding Grouping Criteria; Nesting Groups and Filters; Adding Filters; Defining Filter Attributes; Changing Operators; Changing the Type of an Existing Group or Filter; Including and Excluding Groups from the Filter; Removing Groups or Filters; Capping the Search Results; Saving Defined Searches; Loading Defined Searches; Resetting the Advanced Search Criteria

Chapter 6: Work Area
Understanding the Work Area; Viewing Permissions; Viewing Permission Sources; Viewing Permission Sources Causing Access Errors; Viewing Recommendations; Managing Permissions; Editing Permissions on Windows Directories and Files; Editing Permissions on Unix Directories and Files; Editing Permissions and Permission Levels in On-Premises SharePoint and SharePoint Online; Editing Permissions and Permission Levels in Exchange; Viewing Directory Service Permissions; Managing Directories and Files; Creating Groups with Permissions to Directories; Adding Users or Groups to Directories and Files; Locating Mailbox Owners; Locating Directory Service Objects in the Users & Groups Pane; Creating a Folder Automatically Recognized by DatAdvantage; Managing Permission Flags; Adding Protection to a Directory or File; Removing Protection from Directories and Files; Removing Non-Inherited Permissions from Directories and Files; Managing Users and Groups; Creating Groups; Deleting Groups; Adding Users to Groups; Removing Users from Groups; Restoring Relationships between Users and Groups; Restoring Recommendations to Remove Users from Groups; Adding Group Membership to Users; Removing Group Membership from Users; Locating an Entity's Mailboxes; Locating Domain Users and Groups; Creating a User Account; Setting General User Properties; Setting User Account Properties; Defining Mailbox Settings; Setting Additional User Properties; Setting Group Membership; Editing a User Account; Copying a User Account; Creating Groups; Add Members of An Existing Group to Another Existing Group; Deleting User and Computer Accounts; Deleting Users and Computers through the Account Management Button; Deleting User and Computer Accounts through the Context Menu; Resetting Passwords; Resetting Passwords through the Account Management Button; Resetting Passwords through the Context Menu; Unlocking User Accounts; Unlocking User Accounts through the Account Management Button; Unlocking User Accounts through the Context Menu; Disabling and Enabling Entities; Disabling and Enabling Entities through the Account Management Button; Disabling and Enabling Entities through the Context Menu; Moving Entities; Moving Entities through the Account Management Button; Moving Entities through the Context Menu; About Synchronization; Synchronizing Recommendations; Synchronizing Ownership with DataPrivilege; About Synchronization and DataPrivilege Base Folders; About the Errors Pane; Working with the Expected Access Errors Pane; Fixing Directory Errors

Chapter 7: Review Area
Understanding the Review Area; Viewing Permission Status; Synchronizing Recommendations; Working with the Expected Access Errors Pane; Viewing Edit History

Chapter 8: Statistics View
Generating Statistics for Resources; Generating Resource Statistics for Activity By Date; Generating Resource Statistics for Directory Utilization; Generating Resource Statistics for User Utilization; Generating Resource Statistics for Inactive Users; Generating Resource Statistics for Least Active Users; Generating Resource Statistics for Unmanaged Directories and Resources; Generating Statistics for Directories; Generating Directory Statistics for Activity By Date; Generating Directory Statistics for Subdirectories; Generating Directory Statistics for User Access; Generating Directory Statistics for Inactive Users; Generating Directory Statistics for Least Active Users; Generating Directory Statistics for Inactive Directories; Generating Directory Statistics for Managed Folders; Generating Statistics for Users and Groups; Generating User and Group Statistics for Activity By Date; Generating User and Group Statistics for Directory Utilization; Generating User and Group Statistics for User Activity; Jumping to Other Views from the Statistics View; About Ownership Management Through the Statistics View; Setting Owners Automatically; Drill-down Operations for Statistics

Chapter 9: Logs View
Viewing Logs; Adding and Removing Log Columns; Log Columns; Exporting Log Results; Saving Log Results; Loading Log Results; Printing Logs; Minimizing and Maximizing the Query Pane; Jumping to Report a

Chapter 10: Alerts View
Viewing Alerts; About Alert Analysis; Analyzing Alerts; Inappropriate Access

Chapter 11: Reports View
About the Reports List; Finding Reports in the Reports List; Using the Reports List; Accessing the DatAdvantage Operational Log; About Report Templates; Creating Report Templates; Editing Report Templates; Deleting Report Templates; Working with Reports; Showing and Hiding the Report Search Pane; Switching Report Views; Previewing Reports; Working with the Table View; Exporting Reports; Subscribing to Reports; Delivery Parameters Tab; Filter Configuration Tab; Scheduler Tab; Managing Your Subscriptions

Chapter 1: DATADVANTAGE

Varonis DatAdvantage is an analytic software-based solution for data usage management. With Varonis DatAdvantage, organizations can see, understand and manage who is using data, to control data access and enforce compliance with data usage policies to meet business needs.

Varonis DatAdvantage addresses the growing need for regulating data usage within organizations, enabling full visibility and accountability of data usage across legal, financial, data security, intellectual property and data privacy requirements.

Terminology

The following terms are used with regard to DatAdvantage:

Term: Definition

ACE: Access control entry. A list or table containing entries that specify individual user or group rights to specific system objects, such as a program, a process, or a file.

ACL: Access control list. A list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file XYZ gives Alice permission to delete file XYZ.

Admin account: An account used by administrators. These usually have higher privileges than regular users. Admin accounts are defined as privileged accounts in the Management Console. Can be: End-user, user, computer, service or executive accounts.

Asset: The item displayed at the level of a volume in DatAdvantage:
- CIFS file servers - Either a volume or a monitored share
- SharePoint - Site collection
- Exchange - Mailbox store or public folders
- Directory services - Usually the domain

Base folder: The root managed folder. A storage folder that is managed by one or more data owners. Can only be defined by administrators. Contains managed directories.

Behavioral profile: A collection of the standard metadata that Varonis gathers for all users and their activities in the computing environment. When this metadata is accumulated over the course of several months, user behavior analysis (UBA) can identify atypical user behavior, which may indicate malicious intent.

Computer: An account used to represent a computer. Can be: Service or Admin accounts.

Data Classification Framework (DCF): A special layer of metadata that enables classifying unstructured data to assist organizations in protecting and governing their data.

Delegated task: A predefined set of permissions granted to a user or a group. With these permissions, users or groups can perform specific tasks, such as managing users, groups, computers, organizational units, and other Active Directory objects. Control of Active Directory objects can be delegated by using the Delegation of Control Wizard in the Active Directory Users and Computers snap-in.

Distinguished unique directory or file: An object that has effectively different permissions than its parent permissions. Both unique and distinguished unique objects are marked with the standard unique icons.

Domain local group: A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain in which the domain local group is located.

End-user account: All accounts that are not service, computer or group accounts. Can be: Admin, executive or user accounts.

Entity: A "monitored" object in the IDU framework. This includes directories, users, groups, OUs, domains and resources (file servers).

Error: Errors occur when IDU Analytics makes a recommendation to remove access, or an administrator manually removes such access, to data that is later retrieved by a user.

Executive account: An account used by a company executive. Executive accounts are defined as privileged accounts in the Management Console. Can be: End-user, user or Admin accounts.

Existing User/Group: Describes the users and groups that currently exist in the Active Directory environment. This information comes from existing entities in Active Directory, and represents actual group membership and nested groups.

Global group: A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.

IDU Server: A database that provides Active Directory data and recommendations from IDU Analytics. It also contains information used by the DatAdvantage user interface (UI), including data about Probes and file servers, and roles for users accessing DatAdvantage.

Inherited permissions: Inherited permissions represent rights that are received from parent directories.

Owner: A user who can view and manage all actions regarding the application and the entities assigned to him or her.

Permission: A rule that is associated with an object to regulate which users or groups can gain access to the object and in what manner.

Permission level: A set of permissions that can be granted to users or groups on an entity such as a site, list, folder, item, or document. Used primarily in SharePoint and Exchange.

POSIX ACLs: ACLs that comply with the POSIX specifications for user and software interfaces to an operating system.

Probe: A server that monitors file servers for file events, and records the data in a SQL database. The Probe also scans the file structure of the target file server. One probe is capable of monitoring multiple servers for events.

Protected directory or file: A protected directory or file does not inherit any permissions from its parent directory. The entity's icon is decorated with a lock.

Recommended User/Group: Describes the appearance of users and groups in the Active Directory, based on recommendations derived from IDU Analytics and manual administrator changes in the virtual environment. These are only recommendations and do not directly reflect the actual representation in the Active Directory.

Resource: The representation of a file server in DatAdvantage. Views in DatAdvantage are grouped by file server for easy retrieval of information.

Service account: An account used to automatically run processes (for example, scheduled tasks, applications, and so on). Service accounts are defined as privileged accounts in the Management Console. Can be: Admin, computer or user accounts.

UBA: See User Behavior Analysis.

User: All accounts that are not computer or group accounts. Can be: Admin, executive, service or end-user accounts.

User Behavior Analysis: User Behavior Analysis enables:
- Identifying a specified sequence of events
- Correlating such events with additional data that is not available in the events themselves
- Differentiating between regular and abnormal user behavior
This analysis is the foundation of a behavioral profile.

Unique directory or file: Unique permissions are explicitly assigned to a specific directory or file and are not inherited from permissions assigned to a parent directory. In DatAdvantage, directories and files with these permissions are represented by a user icon. This also applies to a directory or file that has inherited some permissions from the parent, but also has additional permissions assigned directly to it. A file system object may have an ACL that is the same as that of its parent, even though there is no conventional inheritance relationship between the objects and the parent is marked as unique. DatAdvantage marks such an object as unique-equal, to indicate the identical ACLs. The other unique folders, which are not unique-equal, are marked as distinguished unique.

Universal group: A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported for Windows

Target Audience

This user guide is intended for the following users:
- System Administrators managing the organization's Active Directory and file servers
- Help Desk operators managing users and permissions
- IT management
- Compliance and finance users - Users who need to apply access policies as well as obtain forensic information on past activity
- Security analysts

Related Documentation

- Metadata Framework Filters
- Metadata Framework Installation Prerequisites and Requirements
- Metadata Framework Installation Guide
- Metadata Framework Release Notes
- Metadata Framework Reports

Chapter 2: BASIC CONCEPTS

DatAdvantage comprises three components: The DatAdvantage Probe, DatAdvantage IDU Analytics and the DatAdvantage Management UI.

File Server Probe

The File Server Probe is a non-intrusive probe that transparently collects file server events to continuously track data usage and user directory structure. By collecting actual data usage information, the File Server Probe provides coverage of what data is currently available to users across an unlimited number of users and data, as well as what data is actually being accessed and used, for full and accurate usage visibility.

File Server Event Data Collection

The File Server Probe is interoperable with standard Information Lifecycle Management and Network Attached Storage environments, including NetApp and Microsoft file servers. The File Server Probe is completely transparent to system operations. All data collection processes are continuously monitored, and terminated immediately if performance degradation is detected, ensuring completely non-intrusive probing.

ILM/NAS Environment: File Server Probe

AIX: Collects file server event information through the Varonis driver.
EMC Celerra NAS: Collects file server event information through Windows auditing.
EMC Celerra CEPA: Collects file server event information through the event enabler framework.
EMC Isilon: Collects file server event information through the event enabler framework.
Exchange: Collects file server event information through the Varonis driver.
Hitachi NAS: Collects file server event information through Windows auditing.

HP-NAS: Collects file server event information through the Varonis driver.
MS File Server: Collects file server event information through MS-IFS (file server filter).
Network Appliance: Collects file server event information through an FPolicy API.
SharePoint: Collects file server event information through the Varonis driver.
Sun Solaris: Collects file server event information through the Varonis driver.
Unix/Linux: Collects file server event information through the Varonis driver.

File Server Structure Data Collection

In addition to collecting file access events, the file server Probe periodically collects information about the directory structure and access control lists for each of the monitored file servers. This part of the data collection happens based on a configurable schedule.

Handling of Events on the Same Entity

DatAdvantage event collection is designed for the greatest efficiency, with minimal impact on performance. This goal of economical processing means DatAdvantage filters and aggregates events to provide the most cost-effective means for organizations to gain insight into their data usage. Along with other methods designed to streamline data governance, the Probe's event collection mechanism handles events as follows:
- Events gathered for the same entity made by the same user at the same time are filtered, so that only one event is recorded in the system.
- Events are aggregated on a daily basis, so that the Event Count displays the number of times the same event occurred (with the first and last times at which it occurred).

Directory Service Probe

The Directory Service Probe is a non-intrusive probe that transparently collects directory service events to continuously track changes to the organization's user directories.

The Directory Service Probe is completely transparent to system operations. All event collection processes are continuously monitored, and terminated immediately if performance degradation is detected, ensuring completely non-intrusive probing.

Directory Service probing includes support for the following events:
- Creation and deletion of all objects
- Changes in group membership
- Changes in directory service object properties, with regard to users and groups, for any property

Note: Due to standard Microsoft behavior, Modify events may be recorded for all the fields in a modified object, not only those that were changed. In addition, when a directory service object is created, many Create and Modify events are recorded on the object's fields.

The Metadata Framework supports only auditing of directory service events. The DCF does not support probing directory services.

The Directory Service Probe collects event information through a combination of the Microsoft directory service audit feature and the DC's security log.

IDU Server

The IDU Server is a database that provides Active Directory data and recommendations from IDU Analytics. It also contains information used by the DatAdvantage user interface (UI), including data about Probes and file servers, and roles for users accessing DatAdvantage.

Active Directory Data Collection

IDU Analytics is interoperable with standard Active Directory and NT domain servers, collecting user, group, and OU structure information to maintain an updated organizational tree and user groups. This part of the data collection is based on a configurable schedule. See the Management Console User Guide for information on schedule configuration.

DatAdvantage Data Aggregation

DatAdvantage event collection is designed for optimal efficiency, with minimal impact on performance.
This means DatAdvantage filters and aggregates events to provide the most efficient means for organizations to gain insight into their data usage.

DatAdvantage data collection receives data from the monitored sources (such as EMC CEPA) as they send them, dependent on the mechanism associated with the data source. This mechanism is outside the control of DatAdvantage (e.g., EMC CEPA typically sends events some seconds after they occur, or when its buffer is full).

While these events are stored in tables on the Varonis Probes as they are received, they are not immediately visible in the user interface. They are made available after several database processing and transfer jobs are run (scheduled to run nightly by default). These jobs can be triggered manually, if necessary.

In general, DatAdvantage collects and normalizes all events. Within a one-day period, all events of a discrete type (Open, Create, Modify, etc.), generated by a discrete user, on a discrete object (file, folder, message, etc.) appear in the user interface. Duplicate events - those events occurring on the same day and whose type, user, and object are identical - are displayed as increments to a counter, "Event Count." All events are aggregated on a daily basis, so that the Event Count displays the number of times the same event occurred (with the first and last times at which it occurred).

The following are exceptions to this rule:
- Modify and Open events associated with temporary files are filtered immediately by the Probe.
  Note: Temporary events are those associated with objects that are created and deleted within a "count-time frame" (default is 5 minutes).
- Duplicate Open, Modify and Set Security (i.e., change permissions, or chmod) events occurring within the same minute are omitted, so that only one event is recorded in the system. The one-minute time frame is determined based on real time between seconds
- A buffer of 10 events (the default) is maintained and checked against various event filtering patterns. If no events in the buffer match an event filtering pattern, the buffer is emptied and the events are sent to the Probe without being filtered.

Bidirectional Clustering

DatAdvantage performs bidirectional clustering on both data and users. It thereby creates multilevel classifications to deliver a full understanding of data usage, automatically eliciting what data belongs to whom and what data is actually needed to meet specific business objectives.
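
The filtering and daily aggregation rules given under Handling of Events on the Same Entity and DatAdvantage Data Aggregation, worked through on constructed events to show what an Event Count row does and does not preserve. This is an added example, not Varonis code or the Probe's implementation; the function names, the event tuple layout, reading "same minute" as the same clock minute, and filtering only Open/Modify events that fall between a temporary object's Create and Delete are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event type, object). Not probe output.
RAW_EVENTS = [
    ("2017-05-22 09:00:05", "alice", "Open",   "finance/q1.xlsx"),
    ("2017-05-22 09:00:40", "alice", "Open",   "finance/q1.xlsx"),  # same minute as above
    ("2017-05-22 09:01:00", "bob",   "Create", "finance/~q1.tmp"),
    ("2017-05-22 09:01:30", "bob",   "Modify", "finance/~q1.tmp"),  # on a temporary file
    ("2017-05-22 09:03:00", "bob",   "Delete", "finance/~q1.tmp"),
    ("2017-05-22 09:07:10", "alice", "Open",   "finance/q1.xlsx"),
    ("2017-05-22 10:00:00", "bob",   "Modify", "finance/q1.xlsx"),
    ("2017-05-22 16:30:00", "alice", "Open",   "finance/q1.xlsx"),
    ("2017-05-23 08:15:00", "alice", "Open",   "finance/q1.xlsx"),
]

COUNT_TIME_FRAME = timedelta(minutes=5)  # the guide's default for temporary objects
SAME_MINUTE_TYPES = {"Open", "Modify", "Set Security"}


def parse(raw):
    """Turn (timestamp string, user, type, object) tuples into time-ordered events."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, etype, obj)
        for ts, user, etype, obj in raw
    )


def temporary_lifetimes(events):
    """Map object -> [(created, deleted)] for objects deleted within COUNT_TIME_FRAME."""
    created, lifetimes = {}, {}
    for ts, _user, etype, obj in events:
        if etype == "Create":
            created[obj] = ts
        elif etype == "Delete" and obj in created:
            start = created.pop(obj)
            if ts - start <= COUNT_TIME_FRAME:
                lifetimes.setdefault(obj, []).append((start, ts))
    return lifetimes


def filter_events(events):
    """Apply the temporary-file and same-minute exceptions before aggregation."""
    lifetimes = temporary_lifetimes(events)
    seen = set()
    kept = []
    for ts, user, etype, obj in events:
        # Exception 1: Open/Modify on a temporary object is filtered.
        # Assumption: only events between that object's Create and Delete count.
        if etype in ("Open", "Modify") and any(
            a <= ts <= b for a, b in lifetimes.get(obj, [])
        ):
            continue
        # Exception 2: duplicates within the same minute are recorded once.
        # Assumption: "same minute" means the same clock minute.
        if etype in SAME_MINUTE_TYPES:
            key = (ts.replace(second=0, microsecond=0), user, etype, obj)
            if key in seen:
                continue
            seen.add(key)
        kept.append((ts, user, etype, obj))
    return kept


def aggregate_daily(events):
    """One row per (day, user, type, object) with Event Count, first and last time."""
    rows = {}
    for ts, user, etype, obj in events:
        key = (ts.date().isoformat(), user, etype, obj)
        row = rows.setdefault(key, {"event_count": 0, "first": ts, "last": ts})
        row["event_count"] += 1
        row["first"] = min(row["first"], ts)
        row["last"] = max(row["last"], ts)
    return rows


def daily_view(raw):
    """Full pipeline: parse, filter, then aggregate per day."""
    return aggregate_daily(filter_events(parse(raw)))


if __name__ == "__main__":
    for (day, user, etype, obj), row in sorted(daily_view(RAW_EVENTS).items()):
        print(day, user, etype, obj, row["event_count"],
              row["first"].time(), row["last"].time())
```

When reviewing activity, note that alice's row for May 22 shows an Event Count of 3 with only the first and last times: the 09:07 access is counted but its time is not kept, and the same-minute duplicate is not counted at all.
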
Using a robust set of profiling criteria, DatAdvantage continuously maps data-user relationships, tracking changes in behavior over time so that administrators can dynamically match user classification and access control with data usage compliance needs. DatAdvantage provides a set of recommendations based on very accurate behavioral analysis, allowing access control to be aligned with the business needs.

IDU Analytics

DatAdvantage IDU Analytics intelligently aggregates and clusters data events and directory structure information to accurately profile and classify data usage. DatAdvantage automatically maps data to users, and vice versa, making sense of data usage patterns to provide an understanding of data owners and who should be accessing data while pinpointing potential data usage risks.

DatAdvantage Management

DatAdvantage Management is a user interface (UI) for managing all aspects of data usage across the enterprise, including risk assessment, permission management, auditing and reporting.

Delivering complete usage visibility, DatAdvantage Management enables simple exploration of data usage via interactive graphical views based on users, data, and their inter-relationships.

Risk Assessment

DatAdvantage maps actual data usage with users to automatically analyze and evaluate data risks, highlighting potential mismatches between sensitive data and permissions and recommending classification changes, based on true usage behavior. With DatAdvantage, administrators can accurately profile data and users, creating accurate classifications to ensure access control and usage compliance.

Permission Management

DatAdvantage enables centralized updating of permissions, streamlining access control management and ensuring enforcement across an unlimited number of nested users, data sensitivity levels and business processes.

Auditing and Reporting

DatAdvantage affords granular and customized views of data usage patterns, enabling auditing and reporting based on any combination of users, data, time period, and business process criteria. With DatAdvantage, system and administrators can zoom out to explore macro data usage patterns to understand data usage trends, or home in on specific usage events to document and capture specific details. DatAdvantage auditing information can easily be exported into tabular and graphical formats, and may be automatically compiled into user-defined periodic reports.

Windows Auditing Caveats

The Windows operating system has evolved quite a bit over the past several versions. Unlike early iterations, it now provides a number of advanced features that, in providing a rich user experience, may occasionally cause DatAdvantage to return false positives - that is, DatAdvantage may indicate a particular user has accessed a file even though the user believes he has not done so.

Some examples of these advanced features, primarily available in Windows Vista and higher, include:
- Content search
- Thumbnail views
- Preview panes

False positives occur because Windows Explorer must actually open a file's data stream and peek inside to enable the advanced OS features mentioned above. Whether the user purposely opens a file or Windows Explorer does it for him during a content search, the file is, in fact, accessed and the event is recorded as such by DatAdvantage.

Events and Usage Policies

DatAdvantage events enable the definition of thresholds and policies to continuously track data usage compliance across business processes, generating alerts for user violations, by data sensitivity levels.

User Roles, Permissions and Security Model

DatAdvantage provides several basic predefined application roles:
- Enterprise Manager - Has full control over the DatAdvantage environment, including all required operations.
- Power User - Can edit and manipulate changes on the admin set, and after reviewing them, commit them to the actual environment.
- System Administrator - Maintains DatAdvantage through its configuration window. Cannot edit or commit changes on the actual data.
- User - The most basic role within DatAdvantage, a regular user can only view data.

While all roles can view entities in DatAdvantage, the following operations can only be performed by certain roles:
- Configuration
- Edit/Commit

All basic roles can generate reports. In short:

Role/Operation: View Objects | Configuration | Edit/Commit | Reports | View Classification Results Window
Enterprise Manager
Power User
System Administrator
User

It is also possible for users to be members of several additional user roles at once, which provides fine-grained control over user access to various areas of DatAdvantage. The following table lists the possible activities for each of the additional user roles:

22 Chapter 2 BASIC CONCEPTS User General Capabilities With the Configuration User With the Commit/Edit User Comments Alerts View user View and analyze alerts Same Same No Jump To options are available DCF and DW Configuration user Open the DCF and DW Configuration window and use it to configure the DCF and DatAnswers. Same Same 13

23 Chapter 2 BASIC CONCEPTS User General Capabilities With the Configuration User With the Commit/Edit User Comments Classification Analysis for Unix Files View the classification analysis of all sensitive files on a Unix file server from the Work Area (in the File Results Analysis window). Same Same Only the Enterprise Manager can assign this role to users. Same Same Important: This role allows the user to access the files regardless of the user's permissions. Classification Results View user View the DCF Notes and Violation Count columns in the Directories pane. View the classification context menu in the Work Area. View classificationrelated reports. View subscriptions and templates with DCF columns and filters. 14

24 Chapter 2 BASIC CONCEPTS User General Capabilities With the Configuration User Commit/Edit user View and perform commit operations in the Change Management and Commit window (e.g., commit, discard, view and schedule commit processes). Same DatAlert Configuration user Configure real-time alerts using DatAlert. Same Same DatAnswers Elevated Search user Run searches as another user and view results that the user can view. View all results for a searched term without permission or classification filtering. Same Same DatAnswers user View secure search results in the DatAnswers user interface. Same Same Data Transport Engine Reports user Enables viewing the Category 13 reports Same Same With the Commit/Edit User Comments 15

25 Chapter 2 BASIC CONCEPTS User General Capabilities With the Configuration User With the Commit/Edit User Dictionaries View user View and edit the Dictionaries window. Same Same Directory Services Trends View user Enables viewing the following reports in Category 14: 14d, 14e, 14f, 14g, 14h, and 14i Same Same Edit user Same N/A View and edit permissions and group membership in the sandbox. View changes and commit processes in the Change Management and Commit window. Can discard changes. Cannot commit changes. Can create groups, but cannot perform any other account management activities. Comments 16

26 Chapter 2 BASIC CONCEPTS User General Capabilities With the Configuration User With the Commit/Edit User File System Trends View user Enables viewing the following reports in Category 14: 14a, 14b, and 14c Same Same Comments 17

27 Chapter 2 BASIC CONCEPTS User General Capabilities With the Configuration User With the Commit/Edit User Full Review user Set the Override Object Limitation option in the Management Console. Same Same Logs View user Same Same View logs Run Sync latest events Comments Manage Ownership user Jump To options are available only to screens to which the user has permission Jump to Work Area is only available if the user has the Work Area user role Jump to Log is only available if the user has the Log view-based user role Access the Manage Ownership window. Assign ownership and custodianship without having access to the configuration screens in the Management Console. 18

28 Chapter 2 BASIC CONCEPTS User General Capabilities With the Configuration User With the Commit/Edit User Comments Reports View user Create reports Access the quick view Subscribe to reports Manage subscriptions Set filters on the Filter Configuration tab Set the schedule on the Scheduler tab Configure Active Directory properties on the Active Directory Properties tab Same Same No Jump To options are available View the Review Area View permission status options View the Edit pane View editing history Review Area user View the Review Area View permission status options View the Edit pane View editing history Manage users and groups Manage directories and files View the Review Area View permission status options View the Edit pane View editing history Manage users and groups Manage directories and files Jump To options are available only to screens to which the user has permission Jump to Work Area is only available if the user has the Work Area user role Jump to Review Area is only available if the user has the Review Area user role 19

29 Chapter 2 BASIC CONCEPTS User General Capabilities With the Configuration User With the Commit/Edit User Comments Statistics View user Generate statistics for: Resources Directories Users Groups Generate statistics for: Resources Directories Users Groups Generate statistics for: Resources Directories Users Groups Manage ownership Manage ownership Work Area user View permissions and recommendations Manage users and groups Manage directories and files Manage users and groups Manage directories and files Jump To options are available only to screens to which the user has permission Jump to Work Area is only available if the user has the Work Area user role Jump to Statistics is only available if the user has the Statistics viewbased user role Jump To options are available only to screens to which the user has permission Jump to Work Area is only available if the user has the Work Area viewbased user role Users with multiple roles are granted the highest permissions possible for that combination of roles. This may result in redundancy. For example, the Enterprise Manager role includes all the permissions available to all other roles; it would therefore be redundant to assign other roles to a user who is an Enterprise Manager. A user's role is validated each time the user moves to another screen in DatAdvantage, so that only the areas to which that user has permission are displayed. 20

The DatAdvantage authorization model limits the data to which a user has access. For example, a user might be limited to specific resources, OUs, directories, and so forth.

All roles are controlled by the security options that are set through the Management Console during configuration. These options function as follows:

- Enable global flags and tags in DatAdvantage - Select to determine whether global flags and tags can be used in DatAdvantage.
- Enable assigning global flags to a rule - If the Enable global flags and tags in DatAdvantage is selected, this option becomes available for selection. Select to enable assigning global flags to a file based on DCF rule criteria. The global flags can be assigned to files only.
- Apply object limitation for users that own both directory objects and file system objects - Select to restrict users from owning both directory objects and file system objects.
- Enable object limitation for owners and custodians - Select to limit owners and custodians to view only the object hierarchy each one owns.
- Do not provide activity information to group owners or domain custodians - Select this option to prevent group owners and domain custodians from viewing activity information regarding group members. Regarding reports, this option affects only results displayed in the user interface and data-driven subscriptions. It does not affect regular subscriptions. These must be deleted manually to prevent owners from viewing them.
  - Data-driven subscriptions are not sent to group owners or custodians
  - Activity-based reports (report categories 1 and 2) are not available to group owners or custodians
  - Group owners who are also data owners have access to all relevant information as usual
- Limit DatAdvantage security configuration to Enterprise Managers only - Select this option to limit DatAdvantage security configuration to Enterprise Manager and exclude users with the Configuration role.

Abstract Entities

Abstract entities are users and groups whose security identifiers (SIDs) are not related to a particular domain (similar to Microsoft's well-known SIDs and implicit groups).

IDU Analytics does not take abstract entities into consideration. No recommendations are generated for their members or permissions.

Varonis identifies the following abstract groups:

- Nobody
- Everyone
- LOCAL
- CONSOLE_LOGON
- Creator Owner
- Creator Group
- Creator Owner Server
- Creator Group Server
- OWNER_RIGHTS
- Dialup
- Network
- Batch
- Interactive
- Service
- ANONYMOUS LOGON
- Proxy
- Enterprise Domain Controllers
- SELF
- Authenticated Users
- RESTRICTED
- Terminal Server Users
- IUSR
- SYSTEM
- Local Service
- Network Service
- WRITE_RESTRICTED
- NTLM Authentication
- SChannel Authentication
- Digest Authentication
- Other Organization
- Remote Interactive Logon
- This Organization
- Unknown User
- Unknown Group
- NT SERVICE\TrustedInstaller
- Other Default
- This Organization Certificate

Ownership and Custodianship

Ownership can be assigned to any entity in DatAdvantage. Once a user is assigned to be an owner, that user can view and manage all actions regarding the application and the entities assigned to him or her. Except for a user defined as a custodian, any user in the Active Directory from any domain may be an owner.

The following entities can be managed, regardless of their presentation (that is, as tree nodes, pie chart slices, grid rows, and so on):

- Group
- Directory
- Mailbox - On Exchange or Exchange Online Servers, owners can only be assigned at the mailbox level within the mailbox store. For example, an owner cannot be assigned to a specific calendar.

When an owner is defined for a file system entity, the entity becomes the base folder. A base folder cannot have a parent folder or subdirectories that are themselves base or managed folders.

Custodians are mainly responsible for the IT aspects of resource and domain management. They may not act concurrently as owners over the objects residing in their assigned entities. Therefore, access to the DatAdvantage UI by custodians and owners may be limited to their managed objects only, allowing full segregation of data for security purposes. In addition, custodians are not synchronized with DataPrivilege.

Groups can be defined as resource custodians to grant all members in the group custodian privileges on the file server. If a member in the group is a folder owner on the resource, the member can also be defined as a custodian. In this case, the member is limited to custodian privileges only on the file server.

It is important to note that a custodian cannot be set on a resource or domain in which he already owns a folder or group, and vice versa - a custodian cannot become an owner on a folder residing on one of the resources under his custodianship.

A group - and not just a user - can also have ownership of both domains and file servers. Assigning ownership to a group reduces the logistics of managing ownership changes. Defining a group to ownership grants all users directly in the group custodian privileges on the file server. The users directly in the group can see the file servers/domain in the Work area and Reports according to resource custodian limitations.

Users that are folder owners to a specific resource can also be members of the custodian group; they will be treated as resource custodians and not folder owners in regards to ownership limitations.

Note the following:

- Both security and distribution groups can be defined as group custodians.
- Abstract, global access and virtual groups cannot be defined as owners.

Custodians and Owners vs. Application Roles

While custodians and owners are limited in the objects they can view, application roles define the user's capabilities on the viewable objects. This means that the role does not affect the custodian's or owner's visibility, and the custodian or owner does not set any limitations or have any to perform the allowed operations in the UI.

Keep the following in mind:

- In order to access the UI, a user must be defined in an application role. This implies that even if this user is defined as an owner or custodian, he will not be able to operate the UI if he is not defined in an allowed role. However, owners who have no application role are still synchronized to DataPrivilege and they can receive data-driven reports.
- A user that is not listed as owner or custodian has no visibility limitations in DatAdvantage. These users see all objects, regardless of their role. For example, an enterprise manager who is an owner sees less than a simple user who is not an owner.

Enterprise Manager
  Owner: Editing, commit, reporting and configuration for the managed objects only. Limited visibility.
  Custodian: Editing, commit, reporting and configuration for owned resources and domains and their nested objects. Limited visibility.
  Non-Owner/Custodian: Editing, commit, reporting and configuration for all objects. Full visibility.

Power User
  Owner: Editing, commit and reporting for managed objects only. Limited visibility.
  Custodian: Editing, commit and reporting for owned resources and domains and their nested objects. Limited visibility.
  Non-Owner/Custodian: Editing, commit and reporting for all objects. Full visibility.

System Admin
  Owner: Reporting for only managed objects and configuration. Limited visibility.
  Custodian: Reporting for configuration, owned resources and domains and their nested objects. Limited visibility.
  Non-Owner/Custodian: Reporting for all objects and configuration. Full visibility.

User
  Owner: Limited visibility.
  Custodian: Limited visibility.
  Non-Owner/Custodian: Full visibility.

UI Visibility Limitations for Owners and Custodians

By default, owners and custodians are limited in their ability to view objects in the UI as follows:

Directory and User & Groups panes:

- An owner or custodian can only change entities (edit, commit) and perform UI tasks (double-click, jump-to) on the objects he owns.
- An owner or custodian can only view the Classification Results window for the objects he owns.

35 Chapter 2 BASIC CONCEPTS However, other non-managed objects may be visible in some situations, in view-only mode. For example, an owner can see nested groups under one of his managed groups. If the owner manages folders, he can see all users and groups related to his folders. If the owner manages groups, he can see all the folders related to his groups. Resource custodian Directory Pane Users and Groups Pane Full visibility of all nested folders Full control (editing, commit, double-click, jump-to) on all nested folders Full visibility of all objects. Full visibility of all nested folders Full control (editing, commit, double-click, jump-to) on all nested folders Full visibility of all objects. Folder owner Domain custodian Full visibility of all objects Double-click to view permissions on owned resources. Double-click to view permissions on owned folders. Group owner Full visibility of all objects Full visibility of all nested groups and users Full control (editing, commit, double-click, jump-to) on all nested objects Full visibility of all nested groups and users Full control (editing, commit, double-click, jump-to) only on the owned group. Double-click unowned users or groups to view permissions on owned folders. Review Area and Errors pane The Review Area is not populated automatically for owners and custodians. The Errors pane is filtered to present only errors on or by managed objects. Selection drop-down lists (resources and domains) and pickers (users/groups or folders) The selectors show only the relevant results for the owner or custodian. If the user owns only one folder on one resource, only this resource is visible in the resource selector. The same is true for domains. 26

Pickers are not limited by ownership. This means an owner can add members and permissions to his managed objects from any of the available views.

Statistics View

- Statistics are not populated automatically for owners and custodians. In the Statistics view, graphs are only loaded if the user double-clicks one of his owned objects.
- Owners cannot right-click in the statistics graphs. This means owners cannot jump to other views or manage ownership options from within the displayed graphs, but it does allow drill-down within the graph itself (for sub-folders, or more granular pie-chart slices).

Log View

The log automatically implements the data-driven mechanism, which limits the viewable objects according to the users' management status. The data-driven mechanism limits log output even if the user sets filters that encompass a larger area than he is allowed to view.

Custodians, Owners and Reports

For both custodians and owners, the reports they may access in the UI are limited by the data-driven mechanism. This means owners and custodians cannot create subscriptions that are not data-driven.

Multiple Owners

Some users are set as owners of more than one type of object. For example:

- A user is both a folder owner and group owner
- A user is both a resource custodian and a group owner
- A user is both a resource custodian and a domain custodian
- A user is both a folder owner and a domain custodian

37 Chapter 2 BASIC CONCEPTS For these users, ownership limitations are treated as Or conditions. This means that in any of the cases above, the user has full visibility for all the objects in the system, but he is limited in the actions permitted to him. Folder owner and group owner Directory Pane Users & Groups Pane Full visibility for all folders on all resources Control (editing, commit, double-click, jump-to) only on owned folder and all nested folders Full visibility for all folders on all resources Control (editing, commit, double-click, jump-to) only on owned resource and all nested folders Full visibility to all objects Control (editing, commit, double-click, jump-to) only on owned group Full visibility on all folders on all resources Control (editing, commit, double-click, jump-to) only on owned resource and all nested folders Full visibility on all objects Control (editing, commit, double-click, jump-to) only on groups and users from the owned domain Full visibility on all folders on all resources Control (editing, commit, double-click, jump-to) only on owned folder and all nested folders Full visibility to all objects Control (editing, commit, double-click, jump-to) only on groups and users from the owned domain Resource custodian and group owner Resource custodian and domain custodian Folder owner and domain custodian Full visibility for all objects Control (editing, commit, double-click, jump-to) only on owned group Ownership Inheritance The following table summarizes inheritance with regard to ownership and custodianship: Inheritance Description Resource custodian Yes All sub-folders are viewable and manageable. Folder owner Yes All sub-folders are viewable and manageable. 28

Domain custodian - Inheritance: Yes. All groups and users in the domain are viewable and manageable.
Group owner - Inheritance: No. All users in the groups, as well as nested groups are viewable. Only this group is manageable.

Directory Service Account Management

Directory service account management enables system administrators working with DatAdvantage to perform basic IT routines, such as user creation, unlocking users, resetting passwords and disabling users, through DatAdvantage without having to use Active Directory or an external tool.

The following major directory service account management functions are available:

- User and account management - This includes the following administrative tasks:
  - Creating an entity
  - Deleting an entity
  - Resetting an entity password
  - Unlocking an entity
  - Enabling and disabling an entity
  - Moving an entity
  - Copying an entity
  - Editing an entity
  - Resetting user passwords
  - Unlocking users
  - Enabling or disabling users
- User and group filtering - This includes filtering accounts that require attention, such as locked users, expired passwords, etc.
- Capturing events - Capture user administration events such as locking and unlocking users; resetting passwords; and enabling or disabling users.
- Viewing and sorting directory service objects and properties - DatAdvantage provides convenient viewing and sorting of Active Directory properties within user and group panes.

These activities cannot be performed on unmonitored, built-in, and abstract accounts.

Note: Account management activities are not supported for SharePoint Online, Exchange Online and OneDrive.

Share Visibility in DatAdvantage

DatAdvantage provides full visibility of effective permissions on the file system (CIFS), based on both NTFS and share permissions. Such visibility is based on a logical folder view, in which folders are presented from the perspective of the shares instead of the physical structure of the real folder tree. When a resource is expanded, its shares are displayed as the first-level folders instead of its volumes.

For non-CIFS resources (such as SharePoint, Unix and Exchange), the folder structure is displayed as usual in the logical view. This means that even if the view state is switched to Logical, the real folder tree is presented, just as it is in the physical view.

For mixed-mode resources (which include both CIFS and non-CIFS folders), the tree structure presents all shares as well as the non-CIFS mount points at the first level.

Synchronization of Ownership with DataPrivilege

Ownership of DataPrivilege-supported folders and groups is synchronized between DatAdvantage and DataPrivilege automatically, on an ongoing basis. If an owner is added to an entity in DatAdvantage, a shared or DFS path referencing the entity is added to DataPrivilege with the same owner, and vice versa. (DataPrivilege does not support custodians.)

The following conditions apply:

- The file server or domain in which the entity resides is set to include DataPrivilege in the Management Console.
- The folder resides under a CIFS share or is a SharePoint entity (site collection, site or SharePoint folder).
- For folders - The folder is defined as a base folder in DataPrivilege (conversely, only folders defined as managed in DatAdvantage can be synchronized as base folders in DataPrivilege).

Accessibility for Color Blind Users

DatAdvantage includes a mode of operation for people who suffer from the Deuteranomaly form of color blindness. This operating mode enables users to distinguish between red, green, yellow, and gray objects that are displayed in the user interface.

The following improvements in color blind accessibility are available:

- In the Directories pane, inaccessible objects are indicated by a yellow folder icon and the text of accessible objects is displayed in bold gray.
- In the Directories pane, accessible objects are indicated by a yellow folder icon inside a green square.
- In the Users and Groups Pane, the icons of disabled users and computers are lightened to distinguish them from enabled users and groups.

For instructions on activating this feature, see Setting User Interface Display Options.

3 WORKFLOWS

This section describes recommended workflows. For complete instructions on carrying out the activities described in the workflows, see the relevant sections.

Reviewing and Applying Analysis Recommendations

DatAdvantage enables you to modify the organization's user and group structure and permissions, to remove unnecessary permissions and prevent access to corporate content by users who do not need it. By applying the described workflows on a daily basis for minutes, you can eliminate risk and simplify the domain structure, while maintaining user productivity.

Reviewing Known Data By Folder

Start the review process by focusing on areas of the file server with which you are familiar, especially more sensitive areas. This might include Finance, Legal, Human Resources, Marketing, Sales, and so on.

1. In the Work Area, select a directory or file with known data.
2. In the Directories pane, double-click the relevant directory or file to view the users and groups that have access permissions for it.
3. Arrange the Recommended Users and Groups list by status to view recommended changes at the top of the list.
4. In the Recommended Users and Groups list, double-click the relevant groups or users to view the changes recommended across the file server. The explanation next to the directory or file indicates the type of change - removing the group from the entity's Access Control List (ACL), removing a user from the group, and so on.
5. Use the flags to categorize the users and groups into the following sets: Reviewed, Changed, Requires Further Review, and Do Not Change.

Keep in mind that DatAdvantage does not provide recommendations for the Everyone and Domain Users groups. There are also several groups, such as Domain Admin, whose users normally do not use all the permissions provided by the group; as a result, recommendations will be made to remove them from that group.

It is also important to remember that DatAdvantage IDU Analytics recommendations are based on access. If a directory or file was not accessed at all, the analysis will recommend that all permissions be removed from it.

Reviewing Known Groups

You might want to start the process by identifying groups in your Active Directory structure with which you are familiar, and review the directory and file permissions for these groups.

Prior to reviewing specific groups, it is highly recommended to review the predefined Windows Everyone and Domain Users groups. These groups are often granted extensive permissions; since every domain user belongs to these groups by default, you may find that certain areas of the file server are accessible to all users, with no controls. If you do find that either of these groups is granted permissions, you should probably start the change process by modifying the permissions to a more specific group (except for areas that are meant to be publicly accessible).

The group review procedure is similar to that of directories and files:

1. In the Existing Users pane (hidden by default), double-click the relevant group to view the current permissions for the group.
2. In the Recommended Users pane, double-click the group to view recommendations for it on the selected resource. If you are monitoring several resources, repeat the process for the other resources after you have completed it for the current resource. The explanation next to the directory or file indicates the type of change - removing the group from the entity's ACL, removing a user from the group, the group from which the permissions were inherited, and so on.
3. Sort the group list by status to view specific users with recommendations.
4. Double-click the groups or users to view the recommended changes across the file server.
5. Use the flags to categorize the users and groups into the following: Reviewed, Changed, Requires Further Review, and Do Not Change.

Reviewing Similar Data

You can use the groups you identified in the previous steps to discover additional changes that may be applied to the Active Directory.

For each group:

- Identify all the directories and files the group members can access in addition to the ones you previously reviewed.
- Use these directories and files for further review.

For group members with recommendations:

- Identify other groups of which these users are members and see if there are any recommendations to modify these other groups (for example, remove the user from the group or change directory or file permissions for that group as well).
Validating and Applying Changes

Once the analysis is completed, the Work Area displays the recommended changes.

Note: You can also use the IDU Analytics and Editing reports to review recommended changes.

In addition to the recommended changes, you can provide manual input by editing group membership and permissions on directories and files. In order to apply the recommendations and manual edits to the production environment, you must perform the commit process. Until you do so, the recommendations and manual edits remain in the virtual environment.

43 Chapter 3 WORKFLOWS After completing the review, there are several ways to validate the changes you have made in DatAdvantage before they are applied to your production environment. Begin by reviewing the errors listed in the Review Area to identify changes that may cause access denials. This review validates the changes based on past usage patterns. Keep in mind that errors are calculated in the background in real time, so the administrator can continue working. Note: It still might take some time to complete the calculations (up to few minutes). Therefore, the effect of a change may not be evident for several minutes. For changes that may impact sensitive groups, directories or files, you can delay applying the changes to the production environment for 1-2 weeks (this is especially true during the first few months after deployment, when IDU Analytics is still adapting to the users' behavior patterns). This enables DatAdvantage to collect additional events and make more precise calculations of errors. Remember - a user may not access a particular directory or file for a long time; the user may be ill or on vacation, or the data may be needed on only an occasional basis (such as payroll data or quarterly financial data). This results in a recommendation to remove the user; however, the recommendation may change when more data is collected. In rare cases, additional validation can be obtained by discussing the changes with the users themselves or with the group managers. Explain the changes you are about to make and the reasoning behind them, and verify that there is no business reason to contradict the behavior pattern established by DatAdvantage. Note: When you apply the changes, be sure you are aware of reporting relationships, and be careful of making changes to group managers and executives. 
A manager may require permissions to data he or she does not access on a regular basis (and it was therefore recommended to deny the manager access to the data), but the manager's reports do access it regularly. Identifying Unusual Behavior A different workflow scenario may be used for file servers, to identify unusual behavior and understand the cause. Such behavior is normally the result of legitimate usage (such as an application accessing a large amount of data, a user backing up information to the file server, etc.). You may still want to be aware of this usage for planning purposes, and perhaps to make changes to applications accessing the file server. In rare cases, the anomaly in usage can be attributed to illegitimate behavior, such as a user hoarding data prior to leaving your organization. Use the following workflow to review usage patterns and identify anomalies: Begin by using the Alerts view to examine unusual user utilization. Review the Activity History chart for the file server over a period of at least four weeks. Try to identify any usage patterns (weekdays vs. weekends, middle vs. end of the month, and so on). 34

44 Chapter 3 WORKFLOWS If you identify days that do not fit the pattern, focus on these days. Use the file server's Directory and User Activity charts to see if a single user is responsible for the activity, and whether it is focused on a specific area of the file server. 4. Even if no unusual activity is detected in the Activity History chart, review the other charts to determine whether a user, directory or file is generating a high level of activity. 5. After you have determined the source, use the User and Directory Statistics charts to drill down and better understand the nature of the abnormal behavior. For example, check the user's activity to see whether there are usage patterns that may explain the behavior, check the user's activity relative to other group members, and so on). 6. If necessary, use the logs to drill down further and review the actual events, to determine the exact nature of the activity. For example, a user creating a large number of files is probably backing up data to the file server, whereas a user opening a large number of files across many directories may be gathering information for some reason. Using DatAdvantage to Move from Share to NTFS Permissions Microsoft recommends using real NTFS permissions and not share permissions on the file system. However, in the past, many businesses implemented share permissions, even though they are much less secure than file system NTFS permissions. With Varonis DatAdvantage, the organization can easily view share permissions as such and edit them as NTFS permissions. DatAdvantage has a powerful engine that sandboxes permissions changes before implementing them to the real environment. This engine can be used for identifying abnormalities during the transition from share permissions to NTFS permissions. The work flow is quite simple: Identify the shares. Shares have a unique icon in the DatAdvantage Work Area, so the administrator can quickly identify them. 
In addition, dedicated DatAdvantage reports (4h and 4j) print out the names of all existing shares and their permissions.
2. Edit the directory permissions (NTFS) on the shares using the built-in DatAdvantage editor. DatAdvantage mimics the Microsoft permissions editing dialog box. However, the permissions defined here are not implemented directly in the file system. Instead, they are used to simulate a fictive environment (the sandbox).
3. Check permissions against real access (sandboxing). Here the true power of DatAdvantage can be leveraged. After editing is complete, the system indicates the need for synchronization. Synchronization calculates real audited access against the new permissions and alerts in places where the new permissions are blocking access. These errors can be viewed in the Review Area or in the Errors pane in the Work Area (a report is also available).
4. Fine-tune and commit. After the sandbox stage is complete, permissions can be tweaked as necessary to repair issues (errors) that may arise. Finally, the administrator can commit the changes to the real environment at a granularity of the selected (edited) folders.
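The check in step 3, sketched as an added example (not Varonis code): audited accesses are replayed against proposed NTFS permissions, and every access the new permissions would block is reported as an error. The users, groups, paths, operation names and the simplified allow-only model in which the nearest folder with an ACL governs everything below it are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Ordered access levels; a higher level implies the lower ones.
LEVELS = {"Read": 1, "Modify": 2, "Full Control": 3}
# Level each audited operation needs (simplified assumption).
REQUIRED = {"open": "Read", "modify": "Modify", "create": "Modify",
            "delete": "Modify", "set_security": "Full Control"}

# Constructed sample data: group membership, proposed (sandbox) ACLs, audited access.
GROUPS = {"alice": {"Finance"}, "bob": {"Finance", "Auditors"}, "carol": {"IT"}}
FINANCE = r"D:\Shares\Finance"
REPORTS = r"D:\Shares\Finance\Reports"
PROPOSED_ACLS = {
    PureWindowsPath(FINANCE): {"Finance": "Read", "IT": "Full Control"},
    PureWindowsPath(REPORTS): {"Auditors": "Modify", "IT": "Full Control"},
}
AUDITED_ACCESS = [
    ("alice", "open", FINANCE + r"\budget.xlsx"),
    ("alice", "modify", FINANCE + r"\budget.xlsx"),
    ("bob", "modify", REPORTS + r"\q1.docx"),
    ("alice", "open", REPORTS + r"\q1.docx"),
    ("carol", "set_security", FINANCE),
]


def governing_acl(path, acls):
    """Return (folder, acl) for the nearest folder at or above path that has an ACL."""
    target = PureWindowsPath(path)
    for candidate in (target, *target.parents):
        if candidate in acls:
            return candidate, acls[candidate]
    return None, {}


def granted_level(user, acl, groups):
    """Highest level the ACL grants the user directly, via a group, or via Everyone."""
    principals = {user, "Everyone"} | groups.get(user, set())
    return max((LEVELS[right] for who, right in acl.items() if who in principals),
               default=0)


def find_blocked_access(events, acls, groups):
    """Replay audited events against the sandbox ACLs; list what would be blocked."""
    errors = []
    for user, operation, path in events:
        folder, acl = governing_acl(path, acls)
        needed = REQUIRED[operation]
        if granted_level(user, acl, groups) < LEVELS[needed]:
            errors.append({"user": user, "operation": operation, "path": path,
                           "needs": needed,
                           "acl_folder": str(folder) if folder else None})
    return errors


def with_acl(acls, folder, entries):
    """Fine-tune step: return a copy of the sandbox with one folder's ACL replaced."""
    tuned = dict(acls)
    tuned[PureWindowsPath(folder)] = dict(entries)
    return tuned


if __name__ == "__main__":
    for error in find_blocked_access(AUDITED_ACCESS, PROPOSED_ACLS, GROUPS):
        print(error)
```

An empty result after fine-tuning corresponds to a sandbox with no errors, which is the state in which committing the edited folders does not cut off access that users actually exercise.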

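The Identifying Unusual Behavior workflow described earlier (find the pattern over four weeks, isolate the days that do not fit, attribute them to a user, then look at the nature of the events), as an added example that is not part of the product. The event tuples, account names, the 3x-median threshold and the classification cut-offs are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median


def build_sample_events():
    """Constructed four-week sample of (day, user, operation, directory) events."""
    events = []
    start = date(2017, 5, 1)  # a Monday
    for offset in range(28):
        day = start + timedelta(days=offset)
        if day.weekday() < 5:  # normal weekday load
            per_user = 40 + (offset % 3) * 5
            for user, folder in (("alice", r"\\fs1\finance"), ("bob", r"\\fs1\hr")):
                events += [(day, user, "open", folder)] * per_user
        else:  # quiet weekend
            events += [(day, "alice", "open", r"\\fs1\finance")] * 5
    # Saturday: one account creates many files in one directory.
    events += [(date(2017, 5, 13), "svc_copy", "create", r"\\fs1\scratch\dump")] * 300
    # Thursday: one user opens many files across 60 directories.
    events += [(date(2017, 5, 18), "dave", "open", rf"\\fs1\projects\p{i % 60:02d}")
               for i in range(600)]
    return events


def unusual_days(events, factor=3.0):
    """Days whose event total exceeds factor x the median for that day type."""
    totals = Counter(day for day, *_ in events)
    by_type = defaultdict(list)  # True = weekend, False = weekday
    for day, count in totals.items():
        by_type[day.weekday() >= 5].append(count)
    baseline = {kind: median(counts) for kind, counts in by_type.items()}
    return sorted(day for day, count in totals.items()
                  if count > factor * baseline[day.weekday() >= 5])


def explain_day(events, day):
    """Attribute a day's activity to its busiest user and describe its nature."""
    todays = [event for event in events if event[0] == day]
    user, count = Counter(u for _, u, _, _ in todays).most_common(1)[0]
    mine = [event for event in todays if event[1] == user]
    operations = Counter(op for _, _, op, _ in mine)
    directories = {folder for *_, folder in mine}
    if operations["create"] >= 0.8 * count:
        nature = "bulk-create"   # consistent with backing data up to the server
    elif operations["open"] >= 0.8 * count and len(directories) >= 20:
        nature = "broad-read"    # many files opened across many directories
    else:
        nature = "mixed"
    return {"user": user, "share": round(count / len(todays), 2),
            "directories": len(directories), "nature": nature}


if __name__ == "__main__":
    sample = build_sample_events()
    for day in unusual_days(sample):
        print(day, explain_day(sample, day))
```

Splitting the baseline by weekday and weekend is what lets the Saturday activity stand out even though its total is below an ordinary weekday's threshold.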
Reviewing Activities

DatAdvantage makes it easy to discover usage patterns across the enterprise, without resorting to the cumbersome work of digging through activity logs. Instead, use the DatAdvantage Statistics view to identify trends in usage and access. If you require more information at that point, the Statistics view provides simple drill-down access to the precise location you need in the logs.

Using DatAdvantage to Understand Security Changes

File system events, specifically Set Security events, provide quite a bit of information about themselves:

- When the change occurred
- Who made the change
- Which object (i.e., which folder) was affected

However, there is no information about what actually happened. There is no way to tell just by examining the event itself whether permissions were added or removed, or the file was opened, or something else happened.

DatAdvantage uses the FileWalk job to examine the file system at predefined intervals and identify events that occurred on it. Each time the FileWalk job runs, it captures the file system's permission structure and compares the results to the previous capture. The differences between the two captures are stored as the history of differences and can be viewed in the Logs view. This comparison provides information about:

- What actually happened
- When the change occurred (i.e., between the two job runs)
- Which object was affected

However, it does not know who made the change.

Problem

The events themselves and the history of differences provide several pieces of the puzzle, but neither provides the entire picture. How, then, can you understand exactly what happened?

Solution

In either the Log View or the Report View (report 1a), you can view both audit events and the history of differences. Use the two sets of information together to establish a full understanding of the event.

Example

In the figure above, notice rows 2 and 3, which are marked in red. Row 2 describes an event. You can see the change was made at 5:23 by a user named DPplatinum-admin. However, since the event was pulled from the operating system, it does not include any sort of description. On the other hand, row 3 is drawn from the history of differences. Notice the following:

- The Time column indicates the first time the permissions in question have appeared (or the last time, if the event is the removal of permissions).
- We do not know exactly who made the change - the Operation By column merely says FileWalk.
- There is a full description of the change - Read permissions have been added to the directory.

The problem would be completely solved if the two sets of information could be correlated. Unfortunately, it is impossible to do so. While correlation is not difficult for a single change, consider what might happen if two users made changes to the same folder. It is not possible to associate one of the changes with one particular user. If there are three or more users making changes that override other changes, the problem increases substantially. Moreover, if a change was made and then rolled back between two runs of the FileWalk job, the history of differences would not recognize a change at all.
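The limits described above, shown as an added example that is not the product's implementation: two permission captures are compared to produce a history of differences, and Set Security events from the same interval are lined up against it by folder. The snapshot layout, folder names, accounts and status labels are assumptions constructed for illustration.

```python
from datetime import datetime


def diff_snapshots(previous, current):
    """Per-folder permission entries added or removed between two captures."""
    changes = {}
    for folder in previous.keys() | current.keys():
        before = previous.get(folder, frozenset())
        after = current.get(folder, frozenset())
        if before != after:
            changes[folder] = {"added": after - before, "removed": before - after}
    return changes


def correlate(changes, set_security_events, window_start, window_end):
    """Line up what changed (diff) with who touched the folder (audit events)."""
    actors = {}
    for when, user, folder in set_security_events:
        if window_start < when <= window_end:
            actors.setdefault(folder, set()).add(user)
    findings = {}
    for folder in changes.keys() | actors.keys():
        candidates = sorted(actors.get(folder, ()))
        if folder not in changes:
            # Audited, but the captures are identical: rolled back or no net effect.
            status = "event without net change"
        elif not candidates:
            status = "change without audit event"
        elif len(candidates) == 1:
            status = "single candidate"
        else:
            # Several users changed the folder; the diff cannot be split between them.
            status = "ambiguous"
        findings[folder] = {"status": status, "candidates": candidates,
                            "diff": changes.get(folder)}
    return findings


def sample_findings():
    """Constructed data: two captures one day apart plus the audited events between."""
    previous = {
        r"\\fs1\hr": frozenset({("HR", "Modify")}),
        r"\\fs1\finance": frozenset({("Finance", "Modify")}),
        r"\\fs1\legal": frozenset({("Legal", "Read")}),
        r"\\fs1\eng": frozenset({("Engineering", "Modify")}),
    }
    current = {
        r"\\fs1\hr": frozenset({("HR", "Modify"), ("Temps", "Read")}),
        r"\\fs1\finance": frozenset({("Finance", "Read"), ("Everyone", "Read")}),
        r"\\fs1\legal": frozenset({("Legal", "Read")}),
        r"\\fs1\eng": frozenset({("Engineering", "Modify"), ("QA", "Read")}),
    }
    events = [
        (datetime(2017, 5, 22, 5, 23), "admin1", r"\\fs1\hr"),
        (datetime(2017, 5, 22, 9, 10), "admin1", r"\\fs1\finance"),
        (datetime(2017, 5, 22, 14, 2), "admin2", r"\\fs1\finance"),
        (datetime(2017, 5, 22, 16, 40), "admin3", r"\\fs1\legal"),
    ]
    window = (datetime(2017, 5, 22), datetime(2017, 5, 23))
    return correlate(diff_snapshots(previous, current), events, *window)


if __name__ == "__main__":
    for folder, finding in sorted(sample_findings().items()):
        print(folder, finding["status"], finding["candidates"])
```

Even the "single candidate" result is an inference from timing and folder, not a recorded link between the event and the difference.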

4 GETTING STARTED

Starting DatAdvantage

To start DatAdvantage:

- From the default Windows Start menu, select Programs > Varonis > DatAdvantage; -OR-
- On the desktop, double-click the DatAdvantage icon.

The DatAdvantage splash screen is displayed. DatAdvantage displays the Work Area.

Note: To verify your version of DatAdvantage, select Help > About.

DatAdvantage's Graphical User Interface

The DatAdvantage user interface comprises several elements:

- The menu bar at the top of the screen
- View selection icons
- Several entity panes on the left, in an accordion-style panel:
  - Existing Users and Groups list
  - Error list
  In some views, these panes are collapsible and are hidden by default.

- A contextual display, based on the current active entity
- Recommended Users and Groups list (collapsible)
- Current active entity indicator, at the top right of the window
- A status bar at the bottom of the window, which displays operation status, last pulled event date and time, software messages and errors. This bar also allows some control over error recalculation and "pull on demand."

Note: The DatAdvantage UI only supports text at a zoom level of 100%.


DatAdvantage Views

DatAdvantage includes several views that enable you to examine and modify the information it collects:

- The Work Area is DatAdvantage's main working environment. It provides full visibility of Active Directory, the directory structure and permissions in the organization. This view reflects the organizational changes recommended by DatAdvantage IDU Analytics, and enables administrators to edit users, groups and permissions through smart, user-friendly editors. The Work Area is divided into the following panes:
  - Directories - Displayed in the center pane. Use the Directories pane to view the rights to directories and files in either an actual or recommended user or group environment. There are some differences in the information displayed in this pane for Unix and Windows installations.
  - Recommended Users & Groups - Represented by the pane on the right side of the window. The Recommended Users & Groups list displays DatAdvantage's recommendations for group membership and directory or file access rights. There are differences in the options available in this pane for Unix and Windows installations. For Unix, three different permissions are presented - those of the owner, those of its group, and those of all the rest.
  - Existing Users & Groups - Represented by a pane on the left side of the window (the pane is hidden by default). This pane reflects the actual entities in the environment. There are differences in the options available in this pane for Unix and Windows installations.
  Together, these panes provide an integrated view of current user and group rights to files and directories. In addition, they display DatAdvantage suggestions and manual changes made by the administrator for file rights and group membership.
- The Review Area enables administrators to analyze the virtual environment created by DatAdvantage IDU Analytics, along with the administrator's changes, prior to committing these changes to the real environment.
- The Statistics view provides detailed visualizations and activity graphs for user-defined timeframes, file servers, directories, users and user groups.
- The Logs view enables you to browse and search the event logs from all the monitored resources for a specific day, down to the level of a single event, to provide full coverage of the system.
- The Reports view enables you to define reports to be sent periodically by email. You can also view reports online, and store snapshots of important reports.
- The Alerts view notifies you if a user's behavior is unusual. When DatAdvantage analyzes usage patterns for the past 30 days, it generates alerts for users whose patterns do not suit the norm.
  - Print - The Print button enables you to print data from the Statistics and Alerts views.
  - Print Preview - The Print Preview button enables you to view the Statistics or Alerts page you are going to print.

Menus and Toolbar

DatAdvantage includes the following menus:

- File - Includes the following commands:
  - Exit - Select to exit DatAdvantage.
- Tabs - Enables you to select a view in which to work.
- Tools - Enables administrators to perform a number of activities. The options available on this menu change according to the selected view.

Menu Options - Description

- Select IDU Server - Enables you to manage IDUs.
- DCF and DW - Enables launching the DCF and DW Configuration window, to define classification metadata. (This option is only available if the Data Classification Framework is installed.) Enables launching the DCF and DW Monitor, to monitor the status of the DCF and DatAnswers services, as well as the status of the classification scan.
- Dictionaries - Enables defining dictionaries of terms for use in various rules.
- Follow up - Enables you to configure follow-up indicators as needed. (This option is not available if DatAnswers is installed without a valid DatAdvantage license.)
- Upload Follow Up Indicators - Enables uploading a CSV file containing all the data required to define flags and tags in a bulk operation.
- Manage Ownership - Enables you to manage ownership of DatAdvantage entities. (This option is not available if DatAnswers is installed without a valid DatAdvantage license.)
- Management Console - Enables launching the Management Console directly from the DatAdvantage UI.
- Archive - Enables you to archive events and statistics. (This option is not available if DatAnswers is installed without a valid DatAdvantage license.)

- Change Management (Commit) - Enables you to manage changes and commit processes.
- DatAlert - Enables you to define alerts on highly sensitive events. The alerts are generated and sent in real-time (or nearly so). (This option is not available if DatAnswers is installed without a valid DatAdvantage license.) Enables launching the DatAlert Web Interface.
- Automation Engine - Enables using the Automation Engine utilities, a suite of tools that provide the means to remediate security issues in the organization's file system:
  - Broken Inheritance Repair Utility
  - Global Access Groups Utility
- Data Transport Engine - Enables you to define rules to transport data securely from one location to another. (This option is not available if DatAnswers is installed without a valid DatAdvantage license.)
- DatAdvantage Operational Log - Enables jumping directly to report 8.b.01, the DatAdvantage Operational Log. (This option is not available if DatAnswers is installed without a valid DatAdvantage license.)
- Options - Enables you to define various display options. (This option is not available if DatAnswers is installed without a valid DatAdvantage license.)
- Reset Stored Credentials - Enables you to delete the credentials stored for this session during commit or DCF analysis. (This option is not available if DatAnswers is installed without a valid DatAdvantage license.)

- Help - Provides access to the following:
  - Support Assistant - When you need to contact Varonis Support, select to start a utility that gathers information about your Varonis products and sends it to Varonis Support for analysis.
  - Contents and Index - Select to open DatAdvantage's online help.

  - Legend - Select to display a legend of DatAdvantage's icons and decorators.
  - About - Select to view version, build and copyright information about DatAdvantage. The License tab describes the user roles that have been purchased.

The tool bar includes the following elements:

- Buttons to toggle each of the views.
- Current Active Entity drop-down list - Located by default at the top right of the window, this drop-down indicates the entity you are currently working with and is a useful reference when you need to switch frequently between views.

DatAdvantage Status Bar

The status bar is displayed at the bottom of the screen. It provides information regarding the status of the current operation, software messages and errors. When you select a resource, reload a list, or perform any other operation (such as viewing statistics or logs), the left side of the status bar displays the progress of the operation. When the operation is complete, the displayed status is Finished. If software messages (such as warnings or errors) have been generated, the status bar displays the number of messages that are available for viewing. Click New Msg once to read the messages.

Displaying the DatAdvantage Legend

DatAdvantage makes extensive use of icons and decorators to provide information about users, groups, directories, files, and other entities in the system.

To display the legend:

1. Select Help > Legend. The legend is displayed.
2. Select the relevant tab:
  - Objects - Lists the icons and decorators that describe directory objects.

  - Status - Lists the icons and decorators that describe the status of entities in the system.
  - Accounts - Lists the icons and decorators that describe various types of accounts. This includes decorators for accounts that were not active in the system at all during the analysis period.

  - Follow Up - Lists the default flags and tags that are configured in the system.
  - Directory Services - Lists the icons and decorators that describe directory service objects.

  - Exchange - Lists icons used by Microsoft Exchange and Microsoft Exchange Online.

Keyboard Shortcuts

The following sections describe the keyboard shortcuts that are available in the DatAdvantage user interface.

Standard Windows Navigation

In addition to the keyboard shortcuts specified below, standard Windows navigation is available:

- Tab - Move from one item to another on the screen.
- Space bar - Select item, open item
- Enter - Select item, open item
- Shift+Up arrow, Shift+Down arrow - Select several adjacent items in a multi-selection list
- Esc - Close item

File Menu

Action - Keyboard Shortcut

- Open the File menu - Alt+F
- Exit DatAdvantage - Alt+F+E

Tabs Menu

Action - Keyboard Shortcut

- Open the Tabs menu - Alt+B
- Go to the Work Area - Alt+B+W
- Go to the Review Area - Alt+B+V
- Go to the Statistics view - Alt+B+S
- Go to the Log view - Alt+B+L
- Go to the Reports view - Alt+B+R
- Go to the Alerts view - Alt+B+A

Tools Menu

Action - Keyboard Shortcut

- Open the Tools menu - Alt+T
- Select the IDU Server option - Alt+T+S
- Select the DCF and DW option - Alt+T+W
- Select the DCF and DW > Configuration option - Alt+T+W+C
- Select the DCF and DW > DCF and DW Monitor option - Alt+T+W+M

- Select the Follow Up option - Alt+T+F
- Select the Upload Follow Up Indicators option - Alt+T+U
- Select the Manage Ownership option - Alt+T+M
- Select the Management Console option - Alt+T+C
- Select the Archive option - Alt+T+A
- Select the Archive > Archive Events option - Alt+T+A+E
- Select the Archive > Archive Statistics option - Alt+T+A+S
- Select the DatAlert option - Alt+T+D
- Select the Data Transport Engine option - Alt+T+T
- Select the DatAdvantage Operational Log option - Alt+T+P
- Select the Options option - Alt+T+O
- Select the Commit History option - Alt+T+H
- Select the Reset Stored Credentials option - Alt+T+R
- Select the Errors option - Alt+T+E
- Select the Errors > Export to Excel option - Alt+T+E+E
- Select the Discard Admin Changes option - Alt+T+G
- Select the Discard Admin Changes > Only Active Resources option - Alt+T+G+O

- Select the Discard Admin Changes > All Resources option - Alt+T+G+A
- Select the Log option - Alt+T+L
- Select the Log > Synchronize Latest Events > Only Active Resources option - Alt+T+L+O
- Select the Log > Synchronize Latest Events > All Resources option - Alt+T+L+A

Help Menu

Action - Keyboard Shortcut

- Open the Help menu - Alt+H
- Select the Help > Support Assistant option - Alt+H+S
- Select the Help > Contents and Index option - Alt+H+C
- Select the Help > Legend option - Alt+H+L
- Select the Help > About option - Alt+H+A

Work Area Panes

Action - Keyboard Shortcut

- Open and focus on or close the Existing Users and Groups pane - Ctrl+1
- Open and focus on or close the Errors pane - Ctrl+1
- Open or close the left pane (Existing Users and Groups) - Ctrl+L
- Focus on the Directories pane - Ctrl+M

- Open and focus on or close the right pane (Recommended Users and Groups) - Ctrl+R
- Reload the pane that is in focus - F5

Log View Panes

Action - Keyboard Shortcut

- Open and focus on or close the Users and Groups pane - Ctrl+1 (toggles between the Users and Groups pane and the Directories pane)
- Open and focus on or close the Directories pane - Ctrl+1 (toggles between the Users and Groups pane and the Directories pane)
- Open or close the left pane - Ctrl+L
- Open and focus on the Simple Search pane - Ctrl+U
- Open and focus on the Advanced Search pane - Ctrl+E
- Open and focus on the Log Results pane - Ctrl+D
- Reload the pane that is in focus - F5

Reports View Panes

Action - Keyboard Shortcut

- Open and focus on or close the My Subscriptions pane - Ctrl+1 (toggles between the My Subscriptions pane and the Reports List pane)
- Open and focus on or close the Reports List pane - Ctrl+1 (toggles between the My Subscriptions pane and the Reports List pane)
- Open or close the left pane - Ctrl+L

- Open and focus on the Filters tab - Ctrl+2
- Open and focus on the Columns tab - Ctrl+3
- Open and focus on the Display tab - Ctrl+4
- Open and focus on the Help View - Ctrl+H
- Open and focus on the Table View - Ctrl+T
- Reload the pane that is in focus - F5

Closing DatAdvantage

To close DatAdvantage:

1. Save your work.
2. Select File > Exit. DatAdvantage is closed.

5 COMMON ACTIVITIES

Several elements are shared by most of the DatAdvantage views. The following subsections describe these elements and provide general instructions for their use. For more specific instructions for using these elements, see the relevant section in this guide.

Setting User Interface Display Options

To set UI display options:

1. Select Tools > Options.
2. Select the following options as required:
  - Auto-load User and Groups pane. Disabling this option speeds up UI performance for large user repositories. - Select or clear this option as required.
  - Mark inconsistent ACLs - Mark entities that have broken permission inheritance.
  - Enable display of legend-based ToolTips to describe icons and decorators on entities throughout DatAdvantage - Select or clear this option as required.
  - Improve accessibility for color-blind users (requires restart of DatAdvantage) - Select or clear this option as required.
3. Click OK.

Switching Views

There are several ways to switch views in DatAdvantage:

- From the Tabs menu, select the required view.

- On the tool bar, click the relevant view selection tab to move to the required view.
- When you are working with an entity whose information appears in more than one view (such as a user or directory), select the Jump To option from the shortcut menu (accessed by right-clicking the relevant entity). This method enables you to switch to another view while maintaining the context of the entity with which you were working. In the Statistics view, you can access the same shortcut menu by right-clicking a pie slice or a bar in the relevant graph. If you jump to the Logs view, the log is automatically loaded with the relevant filters, so that it reflects the events that comprise the selected graph portion.

Selecting Resources

Selecting the resource (that is, the file server or directory service) is the first step in managing the user and directory environment in the rest of the Work Area. The Directories pane and permissions for users and groups are based on the selection of the resource. The default resource is the first one added to the system during installation of DatAdvantage.

All the network resources monitored by DatAdvantage are displayed in the Resources drop-down list in the Directories pane. Resources located on all supported platforms can be displayed.

Exchange uses the concept of logical storage, called the storage group. A storage group may comprise many Exchange Servers within a single domain. In the Directories pane, storage groups are represented as resources.

Directory services are represented as containers in which domains reside. They are represented as a flat list, regardless of the trust relationships between them.

In the Work Area and the Statistics view, you may select more than one resource.

- Work Area - Information about all selected resources is displayed in the Directories pane.

  Important: It is strongly recommended that only up to ten resources be selected at the same time. More than that will result in seriously decreased performance.
- Statistics view - Aggregated statistics are displayed for all selected resources.

To select a resource:

1. From the Resources drop-down list, select the required resource, or select All Resources. If you selected All, all the resources defined in your environment are listed in the Resources table.
2. Filter and sort the table as follows to quickly locate the relevant file server:
  - In the Look For field, type the first few characters of the file server's name.
  - In the results table, set filters in the first row under the table header as required.

  - Click the header of any table column to sort the results by that column.
3. After you have located the required file server, select its checkbox.
4. To remove a resource, clear its checkbox.

Showing and Hiding Window Panes

To provide maximum flexibility, DatAdvantage window panes can be shown or hidden as necessary.

To show or hide a window pane:

- Click the pane's show/hide bar. The pane is shown or hidden as relevant.

Using the Current Active Entity List

The Current Active Entity drop-down list is located at the top right of the window. Your selection from this list sets the entity throughout DatAdvantage.

Use the Current Active Entity list according to the following guidelines:

- Each time you select an entity in one of the main panes (Resources, Directories or Users & Groups), it is added to the Current Active Entity list.
- You can also select an entity from the list itself to make it the current active entity.
- Click the Move Forward and Move Back buttons to navigate the list as required.
- The list can contain up to 50 entities at a time.
- Entities in the list have the following naming convention: <Entity icon> <View name>:<entity name>
- If you select an entity that is located in a different view, the view is switched, and view preferences (such as timeframe and filters) are refreshed accordingly.

Using the Directory Services Search Dialog Box

The Directory Services Search dialog box is used throughout DatAdvantage to specify the users and groups that are required for various activities.

To use the Directory Services Search dialog box:

Open the dialog box from the relevant view, pane or entity.
From the OUs drop-down list, select the organizational unit in which the required user is located. The OU's users are displayed.
4. Select the following options as relevant:
  - Include computer accounts - Select to include computer accounts in the search results
  - History - Select to include
Enter the search criteria:
  - Search field - Enter the name (or the first few letters) of the entity you want to find.
  - In field - From the drop-down list, select an Active Directory property by which to further filter the search.
5. Search field - Type the first few letters of the relevant entity's name. Click Search.

The entities whose properties match the search criteria are displayed in the center pane of the dialog box.
6. From the center pane, select the relevant entity.
7. Click Add. The entity is moved to the bottom pane of the dialog box.
8. Repeat to add other users to the group.
9. Click OK. The dialog box is closed, and the users are added to the group. The users are marked with green plus signs and the group is marked with a yellow pencil.

Using the Directory Picker Dialog Box

The Directory Picker dialog box is used throughout DatAdvantage to specify the directories that are required for various activities.

To use the Directory Picker dialog box:

1. Open the dialog box from the relevant view, pane or entity.
2. Use the Resources drop-down list and the Look For field to search for the required directory.
3. Click Search.

The entities whose properties match the search criteria are displayed in the center pane of the dialog box.
4. From the center pane, select the relevant entity.
5. Click Add. The entity is moved to the bottom pane of the dialog box.
6. Repeat steps 4 and 5 to select additional entities.
7. Click OK.

Navigating Directories and Files

There are several ways you can navigate directories and files. You can:

- Search for specific directories and files
- View additional property information about directories and files, such as types of permissions or other indicators
- "Prune" the search results to pinpoint the directories or files you need
- Set the columns in the contextual display
- Use filters to pinpoint the directories or files you need

Searching for Directories and Files

To search for directories and files:

1. In the Directories pane, locate the entity you want to work with.
2. In the Look For field, type a text string you want to search for. There is no need to add asterisk (*) or percent (%) wildcards.
3. Click Search. The directories and files whose names include the string you typed are displayed in the Directories pane.

Understanding Logical and Physical Views

DatAdvantage provides full visibility of effective permissions on the file system (CIFS), based on both NTFS and share permissions. Such visibility is based on a logical folder view, in which folders are presented from the perspective of the shares instead of the physical structure of the real folder tree. When a resource is expanded, its shares are displayed as the first-level folders instead of its volumes.

Note: This has no relevance for directory service probing.

Understanding Share Permissions on Folders

Example 1

The following illustrates the allocation of permissions on a given folder:

Share Permissions:
- Everyone - Read
- Engineering - Full Control

NTFS Permissions:
- QA - Modify
- IT - Full Control

Consider the group nesting: Engineering is the parent of QA.

The following views are displayed in the Users & Groups panes:

Share Permissions:
- Everyone - Read
- Engineering - Full Control

File System Permissions:
- QA - Modify
- IT - Full Control

Effective Permissions:
- QA - Modify
- IT - Read

Example 2

The following illustrates the allocation of permissions on a given folder:

Share Permissions:
- QA - Read
- Engineering - Full Control
- IT - Read

NTFS Permissions:
- Everyone - Modify

The following views are displayed in the Users & Groups panes:

Share Permissions:
- QA - Read
- IT - Read
- Engineering - Full Control

File System Permissions:
- Everyone - Modify

Effective Permissions:
- QA - Read
- IT - Read
- Engineering - Modify

Switching to the Logical View

For non-CIFS resources (such as SharePoint, Unix and Exchange), the folder structure is displayed as usual in the logical view. This means that even if the view state is switched to Logical, the real folder tree is presented, just as it is in the physical view. For mixed-mode resources (which include both CIFS and non-CIFS folders), the tree structure presents all shares as well as the non-CIFS mount points at the first level.

To switch to the logical folder view:

1. In the Directories pane, click the View button. The View menu is displayed.
2. Select Logical. The tree is arranged in the logical view.
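Examples 1 and 2 under Understanding Share Permissions on Folders can be reproduced with a short calculation, given here as an added example rather than the product's algorithm: for each group, take the best level it receives on the share side and on the NTFS side (directly, through a parent group, or through Everyone) and keep the lower of the two. The three-level ordering and the assumption that Example 2 has no group nesting are simplifications made for this sketch.

```python
LEVELS = ["Read", "Modify", "Full Control"]          # weakest to strongest
RANK = {name: index + 1 for index, name in enumerate(LEVELS)}


def ancestors(group, parents):
    """All groups the given group belongs to, directly or through nesting."""
    seen, stack = set(), [group]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def best_grant(group, acl, parents):
    """Strongest level an ACL gives the group: direct, inherited, or via Everyone."""
    applicable = {group, "Everyone"} | ancestors(group, parents)
    return max((RANK[level] for who, level in acl.items() if who in applicable),
               default=0)


def effective_permissions(share_acl, ntfs_acl, parents=None):
    """NTFS permissions as masked by the share: the lower of the two sides."""
    parents = parents or {}
    result = {}
    for group in sorted((share_acl.keys() | ntfs_acl.keys()) - {"Everyone"}):
        rank = min(best_grant(group, share_acl, parents),
                   best_grant(group, ntfs_acl, parents))
        if rank:                       # groups with no access on one side drop out
            result[group] = LEVELS[rank - 1]
    return result


# Example 1 from the guide: Engineering is the parent of QA.
EXAMPLE_1 = effective_permissions(
    share_acl={"Everyone": "Read", "Engineering": "Full Control"},
    ntfs_acl={"QA": "Modify", "IT": "Full Control"},
    parents={"QA": ["Engineering"]},
)

# Example 2 from the guide (assumed here to have no nesting).
EXAMPLE_2 = effective_permissions(
    share_acl={"QA": "Read", "Engineering": "Full Control", "IT": "Read"},
    ntfs_acl={"Everyone": "Modify"},
)

if __name__ == "__main__":
    print(EXAMPLE_1)
    print(EXAMPLE_2)
```

In Example 1, Engineering has Full Control on the share but no NTFS entry, so it has no effective access and is absent from the result, as in the guide's Effective Permissions list.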

Switching to the Physical Folder View

To switch to the physical folder view:

1. In the Directories pane, click the View button. The View menu is displayed.
2. Select Physical. The tree is arranged in the physical view.

Focusing on Directories and Files by View State

In order to locate search results efficiently, you can set the following view states in the Directories pane:

- Simple list
- Pruned tree
- Arrow tree

To set the view for search results:

1. Search for the required directories or files.
2. On the button bar, click View > Focus.
3. From the submenu, select the relevant view option:
  - List - Presents the search results in a simple list, including the full access path for each record.
    Note: The list is constrained to a predefined number of values, which can be configured in the GUI configuration files.
  - Pruned Tree - Presents the search results in a partial tree structure. Leaves that do not match the search criteria are disabled.
  - Arrow Tree - Presents the search results in a full tree structure. Arrows are used to indicate the relevant results.

Viewing the Tree According to Permission Types

To view folders according to permission type:

Note: This has no relevance for directory service probing.

1. In the relevant Users and Groups pane, double-click the entity whose permissions you want to review.
2. In the Directories pane, click the View button. The View menu is displayed.
3. Select Permissions, and then select the relevant option from the submenu:
  - File system permissions - Displays the file system permissions for the permitted folders. This option is available in both the physical and the logical views.
  - Share permissions - Displays the share permissions for the permitted folders. This option is only available in the logical view.
  - Effective permissions - Displays the effective file system permissions for the permitted folders, as masked by the share permissions. This option is only available in the logical view.

Grouping Exchange Entities

An Exchange resource can contain tens of thousands of mailboxes. Since opening such a large number would have a serious impact on performance, DatAdvantage provides the means to group mailboxes in the Directories pane:

- Alphabetically - A folder is automatically created for every letter or group of letters, and the list of mailboxes is distributed among folders accordingly. If the folders still contain more than the optimal number of mailboxes, an additional layer of alphabetic grouping is nested within each folder.

  Note: The entire grouping mechanism functions according to the predefined configuration of the maximum number of objects allowed in a group.
- Dynamically - If a user or group is selected (double-clicked), mailboxes are automatically arranged in the Directories pane in the following groups:
  - Changed - The mailboxes for which the selected entity's permissions have changed
  - Not Permitted - The mailboxes the selected entity cannot access
  - Permitted - The mailboxes for which the selected entity has access rights

Grouping Exchange Entities Alphabetically

To group Exchange entities alphabetically:

1. In the Directories pane, click the View button. The View menu is displayed.
2. Select Exchange Grouping > Alphabetical Grouping. A folder is automatically created for every letter or group of letters, and the list of mailboxes is distributed among folders accordingly. If the folders still contain more than the optimal number of mailboxes, an additional layer of alphabetic grouping is nested within each folder.

Grouping Exchange Entities Dynamically

To group Exchange entities dynamically:

1. In the relevant Users and Groups list, locate the entity whose mailbox you want to work with.
2. Double-click the entity to display the mailboxes to which it is related in the Directories pane.
3. In the Directories pane, click the View button. The View menu is displayed.
4. Select Exchange Grouping > Dynamic Grouping. The mailboxes are automatically arranged in the Directories pane in the following groups:
  - Changed - The mailboxes for which the selected entity's permissions have changed
  - Not Permitted - The mailboxes the selected entity cannot access
  - Permitted - The mailboxes for which the selected entity has access rights
5. If necessary, select Permissions > Exchange Grouping > Alphabetic Grouping to add an additional layer of alphabetic grouping to the dynamic grouping.

Showing and Hiding Management Indicators

To show or hide icons indicating folders that are managed in the Metadata Framework:

1. In the Directories pane, click the View button. The View menu is displayed.
2. Select Indicators > Managed Folders. If the management indicators are hidden, this action displays them. If they are displayed, this action hides them.

Showing and Hiding Deduplication Indicators

To show or hide icons indicating folders on which deduplication is enabled:

1. In the Directories pane, click the View button. The View menu is displayed.
2. Select Indicators > Deduplication. If the deduplication indicators are hidden, this action displays them. If they are displayed, this action hides them.

Viewing Columns in the Directories Pane

The Directories pane includes several columns of information about each directory or OU. The following columns are always displayed:

- Directory - A tree view displaying the selected resources and their objects
- File System Permissions - The current permissions of the object
- Share Permissions - The current share permissions of the object
- Explanations - Explanation of the changes made to the object's permissions
- Total Hit Count (Inc. Subfolders) - The number of times a DCF rule returns a result on a file. For folders, this represents the total number of hits on the files within the folder for a rule.
- Size - The directory's logical size, in bytes (not relevant for directory service probing)
- Classification Results

To display other columns in the Directories pane, do one of the following:

- Select View > Columns; or
- Right-click the header row of the Directories pane, and select the relevant column name from the context menu. You may select more than one.

The selected columns are displayed. The Directories pane provides the following additional information about directories:

- Physical Size (After Deduplication) - The directory's physical size, in bytes, after deduplication is enabled on the volume (not relevant for directory service probing)
- Contained Files/Objects - The number of files in the directory or the OU
- Modified - The last date on which the directory was modified, or the last time at which the OU object was modified
- Accessed - The last time the directory was accessed (not relevant for directory service probing)
- Server - The server on which the directory or OU resides
- Owner - The person responsible for the directory or OU object
- Flags (All) - Directories that have any sort of flag (global or personal) attached to them
- Flags (Global) - Directories that have global flags attached to them
- Flags (Personal) - Directories that have personal flags attached to them
- Tags - Directories that have tags attached to them
- Notes - Directories that have notes attached to them

Filtering Directories and Files

To filter directories and files:

1. In the Directories pane, click the Filters button. The Filters menu is displayed.
2. Select the relevant filter:
   - Classification Rules - From the submenu, select the rule by which to filter directories and files. You can select more than one rule. The files and directories in the Directories pane are filtered to show only files with a hit count greater than zero on the selected rule(s).

     Note: Only rules that were run on files on which hits were detected are displayed in the submenu.
   - Flags - From the submenu, select the flag by which to filter directories and files (this option is only displayed if flags are defined).
   - Tags - From the submenu, select the tag by which to filter directories and files (this option is only displayed if tags are defined).
   - Notes - From the submenu, select the note by which to filter directories and files (this option is only displayed if notes are defined).
   - Edited Directories - Select to display only directories and files that have been edited in DatAdvantage.
   - Error Directories - Select to display only directories and files that have errors in DatAdvantage.
   - Attributes - From the submenu, select the permission attribute by which to filter directories and files. Options are:
      - Protected
      - Unique
      - Inherited
   - Ownership - From the submenu, select the management attribute by which to filter directories and files. Options are:
      - Managed
      - Unmanaged
   - Data Transport Engine - Select to display only the directories used in data transport rules.

Clearing Filters

To clear filters and flags in the Directories pane:

1. In the Directories pane, click the Filters button. The Filters menu is displayed.
2. Select Clear All Filters.

Navigating User and Group Lists

Users and groups are organized in two different tree views:

- Existing Users and Groups - The actual users and groups in the organization, located by default on the left side of the Work Area. (However, this pane is hidden by default. To display it, click the Show/Hide button.) When you select an existing user or group, its actual directory and file permissions are displayed in the Directories pane in the center of the window.
- Recommended Users and Groups - The users and groups that DatAdvantage recommends, displayed by default on the right side of the Work Area. When you select a recommended user or group, DatAdvantage's recommended directory and file permissions are displayed in the Directories pane in the center of the window. The recommendations overwrite the existing users and groups when they are committed to the database.

For convenience, procedures that can be carried out on both lists are only explained once.

Reloading User or Group Information

To reload user or group information:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. In the list (existing or recommended), click the Reload button. The list is reloaded with the most updated information.

Arranging Users and Groups

Sorting options vary depending on whether you have selected the actual list of users and groups, or the recommended list. There is a Sort button for each list.

To sort the lists of users and groups:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click the Arrange By button for the list you want to sort (either the actual list of users and groups, or the recommended list). A drop-down list is displayed.
3. From the drop-down list, select the required sort option:
   - Name - Select to arrange the list by the displayed user or group name. This option is available for both lists.
   - Type - Select to arrange the list into users or groups as required. This option is available for both lists.
   - Status - Select to arrange the list according to the status of users and groups; that is, those that have been added, removed, or undergone other changes. This option is only available for the recommended list of users and groups.
   - Address - Select to arrange the list by address (if Exchange or Exchange Online is installed).
   - Has Errors - Select to arrange the list by entities that have errors. This option is only available for the recommended list of users and groups.
   - User Edited - Select to sort the list according to users and groups that have been manually edited. This option is only available for the recommended list of users and groups.

The list is sorted.

Filtering User and Group Lists

To filter the list of users and groups:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click the Filters button.
3. From the submenu, select the required filter options. You may select as many as necessary; however, the selection of conflicting filters does not return results.
   - Entities - From the submenu, select the type of entity by which to filter the list. Options are:
      - Distribution Groups
      - Security Groups
      - Users
      - Computers
   - Account Management - From the submenu, select an option to filter the list by management activity. Options are:
      - Enabled users with expired passwords
      - Accounts that are enabled but stale
      - Locked-out users
      - Accounts that are disabled and stale
      - Enabled users with password about to expire
      - Enabled users with account about to expire
      - Users with password that never expires
      - Accounts with expiration date
      - Stale accounts
      - Users with expired passwords
   - Flags - From the submenu, select the flag by which to filter users and groups (this option is only displayed if flags are defined).
   - Top-Level Flags Only - Select to filter the list by top-level flags.
   - Tags - From the submenu, select the tag by which to filter users and groups (this option is only displayed if tags are defined).
   - Top-Level Tags Only - Select to filter the list by top-level tags.
   - Notes - From the submenu, select the note by which to filter users and groups (this option is only displayed if notes are defined).
   - Changed Objects - From the submenu, select the type of change by which to filter the list. Options are:
      - IDU Analysis - Filter by changes recommended by IDU Analytics.
      - Edited - Filter by manual changes.
   - Disabled - From the submenu, select an option to filter the list by enabled or disabled objects. Options are:
      - Enabled
      - Disabled

   - Inactive - From the submenu, select an option to filter the list by active or inactive objects. Options are:
      - Active
      - Inactive
   - Children - From the submenu, select an option to filter the list by objects having children or not. Options are:
      - No children
      - Has children
   - Ownership - From the submenu, select an ownership option by which to filter the list. Options are:
      - Unmanaged
      - Managed
   - IDU Analytics Exclusion - From the submenu, select an option to filter the list by objects that are included or excluded from processing by IDU Analytics. Options are:
      - Included
      - Excluded
   - Only Changed Users and Groups - Select to display only users and groups whose permissions have been changed.
   - Clear Filters

The list is filtered.

Switching between Parent and Child Views

When the list of users and groups is arranged by parents, groups appear at the main nodes. Each group's users are displayed at the sub-nodes.

When the list of users and groups is arranged by children, users appear at the main nodes. Each user's groups are displayed at the sub-nodes.

You can easily switch between parent and child views in both the Existing Users and Groups and the Recommended Users and Groups lists.

To switch between parent and child views:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. In the Users and Groups pane, click the View button. The View menu is displayed.
3. Do one of the following:
   - If the entity list is arranged by parents, click the Children button to arrange the list by children.
   - If the entity list is arranged by children, click the Parents button to arrange the list by parents.

The list is arranged as required.

Viewing Users and Groups According to Permission Types

To view users and groups according to permission type:

Note: This has no relevance for directory service probing.

1. Set the Directories pane to the relevant view, either Physical or Logical.
2. In the relevant Users and Groups pane, double-click the entity whose permissions you want to review.
3. In the Users and Groups pane, click the View button. The View menu is displayed.
4. Select Permissions, and then select the relevant option from the submenu:
   - File system permissions - Displays the file system permissions for the permitted folders. This option is available in both the physical and the logical views.
   - Share permissions - Displays the share permissions for the permitted folders. This option is only available in the logical view.
   - Effective permissions - Displays the effective file system permissions for the permitted folders, as masked by the share permissions. This option is only available in the logical view.

Selecting Display Name Settings for Users or Groups

With DatAdvantage, you can set user and group names to be displayed according to any of the following conventions: Display name (Domain) User name (Domain) UserName@Domain address Customized convention

To select display name settings:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click View > Display Name.

3. From the submenu, select the required naming convention.
4. To set a customized convention, select Custom. The Display Name Configuration dialog box is displayed.
5. In the Your Format field, type the required naming convention. Be sure to use one of the following patterns: User Name Display Name Domain
   UserName@Domain results in JohnDoe@MyDomain
6. Click OK. The Users and Groups lists are set to your selection.

Showing or Hiding Managed Group Indicators

You can easily show or hide the Managed Group indicator.

To toggle the Managed Group indicator:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click View > Indicators > Managed Groups. The Managed Groups indicators are toggled on or off, as relevant.

Showing or Hiding Inactivity Indicators

You can easily show or hide the Inactivity indicator.

To toggle the Inactivity indicator:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click View > Indicators > Inactive. The Inactivity indicators are toggled on or off, as relevant.

Showing or Hiding Excluded from IDU Analytics Indicators

You can easily show or hide the Excluded from IDU Analytics indicator.

To toggle the Excluded from IDU Analytics indicator:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click View > Indicators > Excluded from IDU Analytics. The Excluded from IDU Analytics indicators are toggled on or off, as relevant.

Editing the Displayed Columns

You can select several Active Directory properties for display as columns in Users and Groups panes.

To select properties for display as columns:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click Edit Columns. The Edit Columns dialog box is displayed.
3. Select the required properties from the Available Columns pane on the left, and click the right arrow to move them into the Selected Columns list.
4. Use the Up and Down buttons to arrange the order in which the columns are displayed.
5. Click OK. The selected columns are added to the Users and Groups pane you are working with.
   Note: You can set different columns for each of the Users and Groups panes.
6. In the Users and Groups pane, drag the column dividers to the preferred width.

The columns are saved as you personalized them, including their selection, order and width. The Users and Groups list can be sorted by these columns, through the Arrange by button.

Selecting Organizational Units

If you have defined organizational units, you can filter the user list to display only users from a specific unit within your domain. If no organizational units are defined, or if you are using a Windows NT domain, the list displays the current domain and cannot be filtered.

To filter the list of users and groups by organizational unit:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click the Org. units field.
3. Select the relevant option to filter the list of organizational units by domain or local host:
   - All domains and local hosts - All domains and local hosts are automatically selected.
   - Select specific domain or OU - Double-click the relevant domain or OU, or choose it and click Select.

   - Select specific local host - Double-click the relevant local host, or choose it and click Select.

The list is filtered so that only users and groups defined for the selected organizational unit are displayed.

Moving Users and Groups to the Top of the List

To move a user or group to the top of the list:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Select the required user.
3. Right-click, and from the context menu, select Bring to Top. The user or group is moved to the top of the list.

Searching for Users or Groups

To search for a particular user or group:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. In the Look For field, type the first few letters of the required user or group.
3. Click Search if the button is visible (if it is not visible, the search is performed automatically).

Viewing Azure Active Directory Objects in the Users & Groups Pane

You can view Azure Active Directory users and groups in the Existing Users and Groups and Recommended Users and Groups panes. You can also view Azure Active Directory users and groups that were synchronized to on-premises Active Directory. The list of users retrieved from Azure Active Directory is matched with the list of domain forest users. In terms of permissions visibility, synchronized users are represented as domain users in the DatAdvantage UI.

Note: If the Azure Active Directory Sync configuration was configured to disable Active Directory synchronization, the Active Directory and Azure Active Directory objects are displayed as two separate entities in the DatAdvantage UI.

To view Azure Active Directory objects in the Users & Groups pane:

1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Click the Org. units field.
3. To view users and groups defined for all domains and local hosts (including cloud users and groups from the Azure domain), select All domains and local hosts. A list of users and groups defined for all domains and local hosts is displayed. Synchronized objects are represented as domain objects in the Users & Groups pane. Cloud users and groups that were created in Azure Active Directory are marked with the cloud icon.
   Note: When selecting a cloud user or group, its permissions on the online file servers are displayed. Alternatively, when selecting a synchronized object, its permissions on both on-premises and online file servers are displayed.
4. To view only objects from the Azure Active Directory:
   a. Select Select specific domain or OU and choose Azure Domain.
   b. Click Select. Azure Active Directory users and groups are displayed and marked with the cloud icon. Synchronized objects are marked as Synced.

Note: You cannot view the permissions of synchronized objects if you have selected to display only users or groups from the Azure domain in the Users & Groups pane. In this case, to view the object's permissions, you must first locate the domain user or group. For more information, see Locating Domain Users and Groups.

Managing Ownership and Custodianship

There are several ways to add owners and custodians to entities:

- Ownership dialog box - To manage all the objects belonging to a particular owner.
- Drag-and-drop - To add a particular owner to an entity, or vice versa. Custodians cannot be added by drag-and-drop.

About Uploading Owners

After initial installation of DatAdvantage, you can easily upload a single comma-separated list (in a CSV file) of all the owners to be assigned in the system.

Note: If DataPrivilege is installed and synchronized with DatAdvantage, ensure your list does not place a managed folder above or below an existing managed folder. Line items contradicting this rule will be ignored.

Preparing the CSV File for Uploading Owners

The CSV file must have the following format:

<OwnerName>|<ResourceName>|<folder/group>|<type>|<ActionType>|<OriginalOwner>

Where:

- The pipe sign (|) is used as a separator.
- OwnerName is in the format of Domain\SAM account name, where Domain is written in FQDN format and SAM account name is the user logon name (pre-Windows 2000).
- ResourceName is either the file server name or the domain name, written exactly as they are configured in DatAdvantage (either FQDN or NetBIOS). Wild cards are supported.
- Folder/group is the physical path of the folder to manage, or the group name in the format of Domain\SAM account name, where Domain is written in FQDN format and SAM account name is the user logon name (pre-Windows 2000). For custodianship, this is left empty. Wild cards are supported.
- Type - One of the following options:
   - Dom - Domain
   - R - Resource
   - Gr - Group
   - Dir - Folder
  Wild cards are supported.
- ActionType is the action that is being performed. The following options are available:
   - Add - Assigns ownership to an object, used when no other option is specified.
   - Del - Removes ownership from one or more objects.
   - Replace - Replaces the current owner with the original owner.
  The ActionType field is optional. The ActionType field is only required if the Del or Replace options are selected.
- OriginalOwner is the name of the original owner in the format of Domain\SAM account name, where Domain is written in FQDN format and SAM account name is the user logon name (pre-Windows 2000). If the Replace ActionType is selected, the original owner replaces the current owner. The OriginalOwner field is only required if the Replace ActionType is selected.

To set David as the owner of the Engineering folder:

Varonis.com\david|NetApp1|/vol/vol0/engineering|Dir

To set Richard E. as the custodian of the Varonis.com domain:

Varonis.com\Richarde|Varonis.com||Dom|Add

To set Janet as the owner of the PM group on the portal:

Varonis.com\janetr|Portal.varonis.com|Portal.varonis.com\PM|Gr

To replace David (the current owner) with Mary (the new owner) as the owner of all folders owned by David:

Varonis.com\mary|*|*|Dir|Replace|Varonis\david

To replace David (the current owner) with Mary (the new owner) as the owner of the Engineering folder:

Varonis.com\mary|NetApp1|/vol/vol0/engineering|Dir|Replace|Varonis\david

To remove David as the owner of the Engineering folder:

Varonis.com\david|WinFS1|D:\Share/Engineering|Dir|Del

Uploading Owners in Bulk

To upload owners in bulk:

1. Select Tools > Manage Ownership. The Manage Ownership window is displayed.
2. Click Upload.
3. Browse to upload your previously prepared CSV file.
4. Click OK.
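Because a single wildcard Replace or Del line changes ownership across many objects, it is worth checking the file before it is uploaded. The following pre-upload check is an added example, not part of DatAdvantage or of this guide: it applies the field rules described above, and it assumes that Dom and R lines are the custodianship lines and that a list of already managed folders (`existing_managed`, a hypothetical input) is available for the DataPrivilege nesting rule.

```python
import re

TYPES = {"Dom", "R", "Gr", "Dir", "*"}       # "*" because the guide says wild cards are supported
ACTIONS = {"Add", "Del", "Replace"}
CUSTODIAN_TYPES = {"Dom", "R"}               # assumption: domain/resource lines are custodianship
ACCOUNT = re.compile(r"^[^\\|]+\\[^\\|]+$")  # Domain\SAM account name
FIELDS = ("owner", "resource", "target", "type", "action", "original")

# Constructed sample: lines 1-3 follow the guide's examples, lines 4-6 are deliberately wrong.
SAMPLE = [
    r"Varonis.com\david|NetApp1|/vol/vol0/engineering|Dir",
    r"Varonis.com\Richarde|Varonis.com||Dom|Add",
    r"Varonis.com\mary|*|*|Dir|Replace|Varonis\david",
    r"Varonis.com\mary|NetApp1|/vol/vol0/engineering|Dir|Replace",
    r"Varonis.com\janetr|NetApp1|/vol/vol0/engineering/specs|Dir",
    r"janetr|NetApp1|/vol/vol1/pm|Folder",
]


def parse_line(line):
    """Split one pipe-separated line into the six named fields."""
    parts = [p.strip() for p in line.rstrip("\r\n").split("|")]
    if not 4 <= len(parts) <= 6:
        raise ValueError(f"expected 4 to 6 pipe-separated fields, got {len(parts)}")
    parts += [""] * (6 - len(parts))          # ActionType and OriginalOwner are optional
    rec = dict(zip(FIELDS, parts))
    rec["action"] = rec["action"] or "Add"    # Add is used when no other option is specified
    return rec


def _norm(path):
    """Compare paths case-insensitively and regardless of slash direction."""
    return path.replace("\\", "/").rstrip("/").lower()


def _nested(a, b):
    """True when one folder lies above or below the other."""
    a, b = _norm(a), _norm(b)
    return a != b and (a.startswith(b + "/") or b.startswith(a + "/"))


def lint_owner_file(lines, existing_managed=()):
    """Return (line_no, severity, message) findings for an owner upload file.

    existing_managed: iterable of (resource, folder) pairs that are already managed.
    """
    findings = []
    managed = [(r.lower(), p, "an existing managed folder") for r, p in existing_managed]
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = parse_line(line)
        except ValueError as exc:
            findings.append((n, "error", str(exc)))
            continue

        def add(severity, message):
            findings.append((n, severity, message))

        if not ACCOUNT.match(rec["owner"]):
            add("error", "OwnerName is not in Domain\\SAM account name format")
        if rec["type"] not in TYPES:
            add("error", f"unknown type {rec['type']!r}")
        if rec["action"] not in ACTIONS:
            add("error", f"unknown ActionType {rec['action']!r}")
        if rec["action"] == "Replace" and not ACCOUNT.match(rec["original"]):
            add("error", "Replace needs OriginalOwner in Domain\\SAM account name format")
        if rec["type"] in CUSTODIAN_TYPES and rec["target"]:
            add("warning", "folder/group should be empty for custodianship")
        if rec["type"] in ("Dir", "Gr") and not rec["target"]:
            add("error", "folder or group name is missing")
        # Bulk changes: one line with a wildcard can touch every matching object.
        if rec["action"] in ("Del", "Replace") and "*" in rec["resource"] + rec["target"]:
            add("warning", f"wildcard {rec['action']} affects many objects; review before upload")
        # DataPrivilege rule: no managed folder above or below another managed folder.
        if rec["type"] == "Dir" and rec["action"] == "Add" and "*" not in rec["target"]:
            res = rec["resource"].lower()
            for other_res, other_path, source in managed:
                if other_res == res and _nested(rec["target"], other_path):
                    add("warning", f"folder is above or below {source}; line may be ignored")
                    break
            managed.append((res, rec["target"], f"the folder on line {n}"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in lint_owner_file(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```

Findings are advisory: the nesting check compares only the paths it is given, so it complements rather than replaces a review of the Manage Ownership window after upload.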

Assigning Owners, Custodians and Entities Throughout the System

Use the Manage Ownership dialog box to control ownership or custodianship of a number of managed entities. Because there may be many managed entities in the system, the entities presented in the dialog box are grouped by file server. However, you can also choose to group entities by owner or custodian as necessary (see Grouping Lists and Tables by Column).

In addition, you can assign groups as resource custodians to grant all users in the group custodian privileges on the file server. You can assign security or distribution groups as custodians. If a user is a folder owner on the resource, the user can also be defined as a custodian. In this case, the user is limited to custodian privileges only on the file server.

To add owners or custodians to entities:

1. Select Tools > Manage Ownership. The Manage Ownership window is displayed.
2. Click Add. The Set Ownership dialog box is displayed.

3. In the Choose Owners area, click Select. The Directory Services Search dialog box is displayed.
4. Select the users you want to set as owners or domain custodians, the groups that you want to set as custodians, or the groups you want to set as resource custodians.
   Note: Selecting Azure Active Directory users is not supported.
   a. Add users as necessary.
   b. Click OK. The dialog box is closed, and the are added to the Choose Owners area.

5. In the Choose Managed Entities area, select the type of entity to which you want to add the owners from the Entity Type drop-down list.
   - To add an owner, select Group or Directory as relevant. Selecting Azure Active Directory groups is not supported.
   - To add a custodian, select Domain or File Server as relevant.
   Note: You can add groups to file servers and domains only.
6. Select the actual entity from the drop-down list to the right of the selected entity type.
7. Click Add. Your choices are added to the Selected Managed Entities area.

8. Click OK. The owners or custodians and their assigned entities are displayed in the Manage Ownership dialog box.

Assigning Managed Entities to a Single Owner

You can assign groups and directories to be managed by a selected owner.

Note: Entities cannot be assigned to custodians through this method.

1. In the Users and Groups pane, right-click the relevant user.
2. From the context menu, select Manage Ownership. The Manage Ownership dialog box is displayed.
3. To add entities to the owner, click Add. The Entity Picker dialog box is displayed.

4. From the Entity Type drop-down list, select the type of entity to which you want to add the owner.
5. Click Select to select groups, directories, File Servers, or domains. The dialog box that is displayed depends on the entity type you chose.
6. Select the required entities.
   Note: Selecting Azure Active Directory users is not supported.
   The entities are added to the Entity Picker dialog box.

7. Click OK. The owners and their assigned entities are displayed in the Manage Ownership dialog box.

Adding Managed Resources to a Single Group

You can assign domains and file servers to a single group, to be managed by the group's direct members.

1. In the Users and Groups pane, right-click the relevant group.
2. From the context menu, select Add Managed Resources. The Add Managed Resources dialog box is displayed.

   Note: The Add Managed Resources option is not available when right-clicking abstract, global or virtual groups.
3. To add resources, click Add. The Pick Entities to Manage dialog box is displayed.
4. From the Entity Type drop-down list, select the type of entity to which you want to add the owner. Selections are Domain and File Server.
5. Click Add to add the entities. The entities are added to the Entity Picker dialog box.

6. Click OK. The entities are displayed in the Manage Ownership dialog box.

Setting Ownership on a Group

This procedure describes how to set ownership on a group. You can assign groups and directories to be managed by a selected owner.

Note: Entities cannot be assigned to custodians through this method.

1. In the Users and Groups pane, right-click the relevant group.
2. From the context menu, select Set Ownership. The Set Ownership dialog box is displayed.

3. To add entities to the owner, click Add. The Directory Services Search dialog box is displayed.

4. In OUs, select the domain, local host, or OU.
5. Use the search function to filter the possible results (or leave empty), and click Search. All matching entities are displayed.

6. Select the required entities and click Add. The entities are added to the Directory Services Search dialog box.

7. Click OK. The owners and their assigned entities are displayed in the Set Ownership dialog box.

Assigning Owners to a Single Managed Directory

You can assign owners to a single managed directory.

To assign owners to a single managed directory:

1. In the relevant Directories pane, right-click the relevant entity.
2. From the context menu, select Manage Ownership. The Manage Ownership dialog box is displayed.

3. Click Add. The Directory Services Search dialog box is displayed.
4. Select owners for the entity as required.
   Note: Selecting Azure Active Directory users is not supported.
5. Click OK. The entity's owners are displayed in the Manage Ownership dialog box.

Dragging and Dropping Owners and Entities

You can quickly assign a single owner to a single entity, and vice-versa, by dragging and dropping.

- To assign an owner to an entity, drag the owner's name to the target entity.
- To assign an entity to an owner, drag the entity's name to the target owner.

When the confirmation message is displayed, click Yes.

Note: Entities cannot be assigned to custodians through this method.

Filtering the Managed Entities List

If the Ownership dialog box lists a large number of entities, you can use the search filters to locate a smaller selection of entities.

To filter the Managed Entities list:

1. Select Tools > Manage Ownership. The Manage Ownership window is displayed.

2. At the top of the Manage Ownership dialog box, select the type of entity by which you want to filter.
3. If you are filtering by location, select the file server you want to work with from the second drop-down list.
4. In the text field, enter the string by which you want to filter the list. The Managed Entities list is filtered.

Replacing or Cloning Owners Throughout the System

You can easily replace one owner with another for all the relevant entities, without searching for each owned entity separately. You can also clone ownership from one owner to another, such that all ownership definitions are copied to the new owner, leaving the definition of the original owner intact.

Notes:

- If the new owner is a group while the original owner does not own a file server or domain, an error occurs - groups can only be defined as file server or domain custodians.
- If the original owner is a custodian and also a directory/group owner, and the new owner is a group, the replacement must be applied only on the relevant file servers/domains (without applying the directory/group ownership).

To replace/clone an owner with another owner:

1. Select Tools > Manage Ownership. The Manage Ownership window is displayed.
2. Do one of the following:
   - Click Replace Owner - To replace an owner across the entire system
   - Select an entity in the table and then click Replace Owner - To replace only the selected entity's owner.
   The Replace Owner dialog box is displayed.

3. Use the relevant Browse buttons to select both the original and new owners (if you selected an entity in the Ownership table, the original owner is already populated).
4. Select the required operation. Options are:
   - Replace original owner with new owner - Select to replicate all the original owner's definitions to the new owner, leaving the original owner with no owned entities
   - Clone ownership from original owner to new owner - Select to copy all the original owner's definitions to the new owner, leaving the original owner's definitions intact
5. Click OK.

Removing Owners or Custodians from Entities

To remove a user's ownership or custodianship of one or more entities:

1. Select Tools > Manage Ownership. The Manage Ownership window is displayed.

2. In the Manage Ownership dialog box, do one of the following:
   - Select the checkbox of the entity whose owner you want to remove.
   - Select the checkbox on the header row of the grid to select all entities in the grid whose owners you want to remove.
3. Click Remove. The owners or custodians are removed from the entities.

Exporting Owner Lists to CSV

In addition to defining and subscribing to report 10a, you can easily export a list of owners for the selected objects to a CSV file.

To export a list of owners per object to CSV:

1. Select Tools > Manage Ownership. The Manage Ownership window is displayed.

111 Chapter 5 COMMON ACTIVITIES Click Save As and save the file to the required location (this only saves the current search, not all defined owners). The file takes the following format: The pipe sign ( ) is used as a separator. OwnerName is in the format of Domain\SAM account name, where Domain is written in FQDN format and SAM account name is the user logon name (pre-windows 2000). ResourceName is either the file server name or the domain name, written exactly as they are configured in DatAdvantage (either FQDN or NetBIOS). Wild cards are supported. Folder/group is the physical path of the folder to manage, or the group name in the format of Domain\SAM account name, where Domain is written in FQDN format and SAM account name is the user logon name (pre-windows 2000). For custodianship, this is left empty. Wild cards are supported. Type - One of the following options: Dom Domain R - Resource Gr Group Dir- Folder Wild cards are supported. ActionType is the action that is being performed. The following options are available: Add - Assigns ownership to an object, used when no other option is specified. Del - Removes ownership from one or more objects. Replace - Replaces the current owner with the original owner. The ActionType field is optional. The ActionType field is only required if the Del or Replace options are selected. OriginalOwner is the name of the original owner in the format of Domain\SAM account name, where Domain is written in FQDN format and SAM account name is 102

the user logon name (pre-Windows 2000). If the Replace ActionType is selected, the original owner replaces the current owner. The OriginalOwner field is only required if the Replace ActionType is selected.

About Change Management and Commit

DatAdvantage IDU Analytics recommends changes to permissions and membership in groups, based on data usage patterns. You may accept these recommendations and manual changes made by users at any time, and commit them to the environment. For example, you can commit one or more manual changes that were made in the Work Area.

DatAdvantage enables you to manage changes and commit processes through the Change Management and Commit window. You may commit changes and follow up on processes that are committed or scheduled for commit. In addition, the Change Management and Commit window enables you to perform the following:
- View pending or invalid changes
- Search for specific changes and commit processes
- View the prerequisites of changes prior to committing, scheduling or discarding
- Commit a single change or a bulk of changes
- Discard selected changes
- Run a commit process immediately or at a scheduled time
- View, edit, abort, cancel or roll back required processes
- View the progress and status of commit processes
- Export changes and processes to CSV
- Edit the displayed columns

Before committing changes, it is recommended to review their effects on the virtual environment. To do so, ensure the system is synchronized (see Synchronizing Recommendations).

An email notification is sent when a commit process successfully completes or changes are rolled back.

Note: You must have the Commit/Edit role to perform operations in the Change Management and Commit window. Users with the Edit role can only view changes and commit processes and discard changes. Commit processes are executed asynchronously. Changes on Exchange Online directories and files cannot be committed.

What Should Be Committed

Changes on Unix File Servers that Can Be Committed

Users
The following changes to users can be committed:
- Users can be added to or removed from local Unix groups
- Users can be added to or removed from LDAP groups
- Users can be added to or removed from NIS groups
- Unix groups cannot be added to other Unix groups
Important: Netgroups are not supported.

Permissions
The following changes to permissions can be committed:
- Changes to owner permissions
- Changes to group owner permissions
- Changes to other permissions
- Changes to UIDs
- Changes to GIDs
- Changes to sticky bits

Ownership
The following changes to ownership can be committed:
- Change owner
- Change group owner
- Change owner or group owner to one from an affiliated Unix domain

ACLs
The following changes to ACLs can be made:
- Extended users can be added
- ACLs can be changed for extended users
- Extended users can be removed
- Masks can be changed
- Group owner ACLs can be changed
- Extended users from affiliated Unix domains can be added

Changes on Windows File Servers that Can Be Committed

Group Membership
The following changes to group membership can be committed:
- Create new group
- Delete group
- Add member
- Remove member

Permissions
The following changes to permissions can be committed:
- Add permissions
- Remove permissions
- Change permissions
- Add and remove protection

Committing Changes on SharePoint File Servers

For SharePoint file servers, the user that is authorized to perform operations must have a permission level that consists of at least the following permissions:
- Manage Permissions - Create and change permission levels on the Web site and assign permissions to users and groups.

To perform Add Membership or Remove Membership operations for local SharePoint groups, the commit user must be a member of the site collection's Administrators group.

For SharePoint Online and OneDrive, you can remove guest link permissions for Anonymous Logon built-in groups.

Accessing the Change Management and Commit Window

DatAdvantage provides a number of ways to access the Change Management and Commit window:
- Select Tools > Change Management (Commit).
- In the relevant pane (Directories or Users and Groups), right-click the relevant entity and select one of the following:
  Change Management (Commit) > Pending changes. The Pending Changes tab in the Change Management and Commit window is displayed, showing all changes that have not yet been scheduled for commit on the entity or directory.
  Change Management (Commit) > Commit processes. The Processes tab in the Change Management and Commit window is displayed, showing all scheduled and committed changes on the entity or directory.
- In the Logs view, right-click the relevant entity and select Jump to Change Mgmt. and Commit. The Processes tab in the Change Management and Commit window is displayed, showing all scheduled and committed changes on the entity or directory.

  Note: This option is only available for history of differences events. In addition, the user must have Edit/Commit or Edit roles.
- Upon creation or deletion of a group, select the Commit these changes option on the last page of the wizard. The Change Management and Commit window automatically opens and the Start Commit Process dialog box is displayed.

Managing Pending Changes

The Pending Changes tab in the Change Management and Commit window displays all pending changes made in DatAdvantage. These changes include all manual changes made by users as well as those recommended by IDU Analytics.

The Pending Changes tab enables you to perform the following operations:
- Search for specific pending and invalid changes
- View a change's prerequisites prior to committing, scheduling or discarding
- Commit a single change or a bulk of changes
- Schedule the commit process
- Discard selected changes

Searching for Pending or Invalid Changes

Use the Pending Changes tab to view specific pending or invalid changes. You cannot commit invalid changes. Changes can be invalid either due to inconsistent permissions or because the object no longer exists (such as a group or directory that has been deleted).

To search for specific pending or invalid changes:

1. Open the Change Management and Commit window.

2. In the Search pane of the Pending Changes tab, enter any of the following information:
   - From the File server drop-down list, select one of the following options:
     File server - Click the Browse button to locate the file server to be added.
     Access path - Click the Browse button to locate the full path on which the changes were made. Select the Include child objects option to include an entity's child objects (subdirectories).
   - From the Domain name/ou drop-down list, select one of the following options:
     Domain name/ou - Browse to locate the OU or relevant domain of the user, group or trustee.
     User/group - Browse to locate the relevant user, group or trustee.
   - Status - From the drop-down list, select one or both of the following options:
     Pending - Select to filter the results according to changes with a pending status.
     Invalid - Select to filter the results according to changes with an invalid status.
   - Created by - Browse to locate the user who made the change.
   - Create time - Set the date and time at which the change was made. Select the All Dates option to apply all dates.
   Note: For complete instructions on setting filters, see Advanced Searching.
3. To use advanced filters, click Advanced Filters and set the filters as required.
4. Click Search. Changes that meet the specified search criteria are displayed in the grid.

Viewing Prerequisite Changes

You can view the prerequisites on which a change is dependent prior to committing, scheduling or discarding the change.

Note: Keep in mind that committing or scheduling a change that is dependent on a prerequisite includes committing or scheduling its prerequisites. Additionally, if you choose to

discard a prerequisite on which a change is dependent, the change and all of its dependent changes are discarded.

To view prerequisite changes:

1. Open the Change Management and Commit window. The Pending Changes tab displays all pending and invalid changes.
2. In the grid, locate the Pre-requisite Changes column. The Pre-requisites column displays Commit and Discard links for viewing prerequisites.
3. To view the prerequisite(s) for a change, select the relevant link in the Pre-requisite Changes column. The Commit or Discard dialog box is displayed, listing the prerequisite(s) on which the selected change is dependent.

The Commit dialog box provides a list of all changes that must be committed or scheduled in order to commit the selected change.

The Discard dialog box provides a list of changes that will be discarded if the selected change is discarded.
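The prerequisite rules described above behave like a dependency graph: a commit pulls in everything a change depends on, and a discard removes everything that depends on the discarded change. The following Python model is an added example, not Varonis code; the Change class, the change IDs and the descriptions are constructed, and excluding a change whose prerequisite is invalid is an assumption of this model (the guide only states that all prerequisites must be committed and that invalid changes are excluded).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One pending-change row (hypothetical model, not a product API)."""
    id: str
    description: str
    status: str = "Pending"      # the guide names two statuses: Pending and Invalid
    prerequisites: tuple = ()    # ids of the changes this change depends on


def _committable(by_id, cid, memo, stack=()):
    """True if the change and every transitive prerequisite is Pending."""
    if cid in stack:
        raise ValueError(f"prerequisite cycle involving {cid}")
    if cid not in memo:
        change = by_id[cid]
        memo[cid] = change.status == "Pending" and all(
            _committable(by_id, pre, memo, stack + (cid,))
            for pre in change.prerequisites
        )
    return memo[cid]


def commit_plan(changes, selected_ids):
    """Return (included, excluded) for a commit of the selected changes.

    included lists each selected change after its prerequisites, so a
    prerequisite shared by two changes is committed once, before both.
    excluded lists selected changes that are Invalid or (assumption)
    depend on an Invalid change.
    """
    by_id = {c.id: c for c in changes}
    memo, included, excluded = {}, [], []

    def add(cid):
        if cid in included:
            return
        for pre in by_id[cid].prerequisites:
            add(pre)                  # prerequisites first
        included.append(cid)

    for cid in selected_ids:
        if _committable(by_id, cid, memo):
            add(cid)
        else:
            excluded.append(cid)
    return included, excluded


def discard_plan(changes, selected_ids):
    """Return every change removed when the selected changes are discarded:
    the selection plus all changes that depend on it, directly or not."""
    dependents = {c.id: [] for c in changes}
    for c in changes:
        for pre in c.prerequisites:
            dependents[pre].append(c.id)
    discarded, queue = [], list(selected_ids)
    while queue:
        cid = queue.pop(0)
        if cid not in discarded:
            discarded.append(cid)
            queue.extend(dependents[cid])
    return discarded


# Constructed sample data: replace broad access with a dedicated group.
CHANGES = [
    Change("C1", "Create group FIN-Readers"),
    Change("C2", "Add member jdoe to FIN-Readers", prerequisites=("C1",)),
    Change("C3", "Add permission: FIN-Readers (Read) on /finance",
           prerequisites=("C1",)),
    Change("C4", "Remove permission: Everyone on /finance",
           prerequisites=("C3",)),
    Change("C5", "Remove member from deleted group OLD-Temp", status="Invalid"),
]

if __name__ == "__main__":
    print("commit C4 + C5 :", commit_plan(CHANGES, ["C4", "C5"]))
    print("commit C2 only :", commit_plan(CHANGES, ["C2"]))
    print("discard C1     :", discard_plan(CHANGES, ["C1"]))
```

Reviewing the discard set before confirming matters most for changes near the root of the graph: in this sample, discarding the group creation also drops the permission removal that depended on it.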

Committing Changes

You can select one or more pending changes to be committed in a commit process. The changes included in the commit process can be committed immediately or scheduled for commit at a defined time. Invalid changes, such as changes on entities that have been deleted, are automatically excluded from the commit process.

If you choose to commit a change that is dependent on a prerequisite, the change and all its prerequisites must be committed. These prerequisite changes are automatically added when committing the change. You may choose to clear a selected change to exclude it and its prerequisites from the commit process.

An email notification is sent when a commit process successfully completes or fails to complete.

Note: Editing in the Work Area is disabled until the selected changes are committed to the database.

To commit pending changes:

1. Open the Change Management and Commit window.

   The Pending Changes tab displays all pending and invalid changes.
2. In the Pending Changes tab, select the relevant change(s) in the grid and click Commit.
   If you have selected one or more pending changes without prerequisites, the Start Commit Process dialog box opens, prompting you to enter user credentials.
   If you have selected pending changes with prerequisites, the Commit dialog box opens, displaying the Pending + Pre-requisites tab.

   Note: In both cases, if you have selected invalid changes, they are displayed in the Excluded tab. All invalid changes will be excluded from the commit process.
3. To commit pending changes with prerequisites:
   Note: If you have selected changes without prerequisites, continue with step 4.
   a. In the Pending + Pre-requisites tab of the Commit dialog box, clear a selected change to exclude the change and its prerequisites from this process.
      Note: Prerequisites common to one or more changes are displayed under each change.
   b. To view all pending changes to be committed, select the Included tab.
   c. To view all invalid changes to be excluded from the commit process, select the Excluded tab.
   d. Click Next. The Start Commit Process dialog box is displayed.
4. To log in to the Commit engine:
   a. Select one of the following:
      - Enter a single set of credentials for all resources

        Important: The user must have the appropriate credentials required to commit the changes.
        User name - Type the relevant user name or browse to locate the required user.
        Password - Type the relevant password.
        Remember Password - Select to save the credentials for this commit process. This option saves the credentials for each commit operator.
      - Enter credentials per resource - For each resource, click the Enter credentials link and enter the relevant user name and password.
   b. Comment - Type a free-text comment in the field as necessary.
   c. Send process report to - Select to send the process report to a recipient and then type the recipient's email address in the field. You can enter the email of only one recipient or distribution list.
5. Click Start. A confirmation message is displayed, enabling you to switch to the Processes tab to view the progress.

Scheduling Changes for Commit

You can schedule changes to be committed at a defined time.

To schedule changes for commit:

1. Open the Change Management and Commit window.
2. In the Pending Changes tab, select the relevant change(s) in the grid and click Schedule.
   If you have selected one or more pending changes without prerequisites, the Start Schedule Process dialog box opens, prompting you to schedule the commit process and enter user credentials.

   If you have selected pending changes with prerequisites, the Schedule dialog box opens, displaying the Pending + Pre-requisites tab.
   Note: In both cases, if you have selected invalid changes, they are displayed in the Excluded tab. All invalid changes will be excluded from the commit process.
3. To schedule the commit process for changes with prerequisites:
   Note: If you have selected changes without prerequisites, continue with step 4.
   a. In the Pending + Pre-requisites tab of the Schedule dialog box, clear a selected change to exclude the change and its prerequisites from this process.

      Note: Prerequisites common to one or more changes are displayed under each change.
   b. To view all pending changes to be committed, select the Included tab.
   c. To view all invalid changes to be excluded from the commit process, select the Excluded tab.
   d. Click Next. The Start Schedule Process dialog box is displayed.
4. In the Start Schedule Process dialog box, select the required date and time from the calendar.
5. To log in to the Commit engine:
   a. Select one of the following:
      - Enter a single set of credentials for all resources
        Important: The user must have the appropriate credentials required to commit the changes.
        User name - Type the relevant user name or browse to locate the required user.
        Password - Type the relevant password.
        Remember Password - Select to save the credentials for this commit process. This option saves the credentials for each commit operator.
      - Enter credentials per resource - For each resource, click the Enter credentials link and enter the relevant user name and password.
   b. Comment - Type a free-text comment in the field as necessary.
   c. Send process report to - Select to send the process report to a recipient and then type the recipient's email address in the field. You can enter the email of only one recipient or distribution list.
6. Click Start. A confirmation message is displayed, enabling you to switch to the Processes tab to view the progress.

Discarding Changes

You can discard pending or invalid changes that are not required. If you choose to discard a prerequisite on which a change is dependent, the change and all of its dependent changes are discarded.

To discard pending or invalid changes:

1. Open the Change Management and Commit window.

   The Pending Changes tab displays all pending and invalid changes.
2. In the Pending Changes tab, select the relevant change(s) in the grid and click Discard.
   If you have selected one or more pending changes on which no other change is dependent, the Discard dialog box opens, displaying the changes to be discarded.
   If you have selected pending changes on which other changes are dependent, the Discard dialog box displays the Pending + Pre-requisites tab.

3. To exclude a change and its dependent changes from being discarded, in the Pending + Pre-requisites tab, clear a selected change. Prerequisites common to one or more changes are displayed under each change.
   Note: If you have selected changes on which no other change is dependent, continue with step 4.
4. Click Start. The selected changes are discarded.

Managing Commit Processes

The Processes tab in the Change Management and Commit window displays all changes that are committed or scheduled for commit. This tab also displays failed and aborted processes. It enables you to follow the progress of commit processes, perform actions, and view specific processes or changes.

Additionally, the Processes tab enables you to perform the following operations:
- Search for specific scheduled or completed processes
- Edit a scheduled process
- Cancel a scheduled process
- Stop the commit process
- Roll back a commit process

You can expand or collapse rows in the grid as necessary. Expanding a row enables you to view the changes included in the process. Certain changes may not be displayed due to filtering or ownership limitations.

Searching for Commit Processes

Use the Processes tab to view processes that are committed or scheduled for commit. Each commit process is assigned a unique ID, which can be used when searching for a specific process.

To search for specific commit processes:

1. Open the Change Management and Commit window.
2. Select the Processes tab. The Processes tab is displayed, listing all processes that are committed or scheduled for commit.

3. In the Search pane, enter any of the following information:
   - From the drop-down list, select one of the following options:
     File server - Click the Browse button to locate the file server to be added.
     Access path - Click the Browse button to locate the full path. Select the Include child objects option to include an entity's child objects (subdirectories).
   - From the Domain name/ou drop-down list, select one of the following options:
     Domain name/ou - Browse to locate the OU or relevant domain of the user, group or trustee.
     User/group - Browse to locate the relevant user, group or trustee.
   - Process Status - Select one or all of the following options:
     Scheduled - Select to filter the results according to processes that are scheduled for commit.
     In process - Select to filter the results according to processes that are currently being committed.
     Completed - Select to filter the results according to processes that have already been committed.
     Aborting - Select to filter the results according to processes that are currently being aborted.
     Aborted - Select to filter the results according to processes that have been aborted.
   - Committed by - Browse to locate the user, group or trustee who committed the process.
   - Schedule time - Set the date and time at which the process was scheduled. Select the All Dates option to apply all dates.
   - Process ID - Enter the unique ID of the commit process.
   Note: For complete instructions on setting filters, see Advanced Searching.
4. To use advanced filters, click Advanced Filters and set the filters as required.
5. Click Search. Processes that meet the specified search criteria are displayed in the grid.

Editing a Scheduled Process

You can edit a process that is scheduled for commit.

To edit a scheduled process:

1. Open the Change Management and Commit window.

2. Select the Processes tab. The Processes tab is displayed, listing all processes that are committed or scheduled for commit.
3. In the grid, select one or more pending processes that are scheduled for commit.
   Tip: You can apply the Process status filter to view pending processes that are scheduled for commit.
4. Click Edit Process. The Modify Scheduled Process dialog box is displayed.

5. Select the required date and time from the calendar.
6. To log in to the Commit engine:
   a. Select one of the following:
      - Enter a single set of credentials for all resources
        Important: The user must have the appropriate credentials required to commit the changes.
        User name - Type the relevant user name or browse to locate the required user.
        Password - Type the relevant password.
        Remember Password - Select to save the credentials for this commit process. This option saves the credentials for each commit operator.
      - Enter credentials per resource - For each resource, click the Enter credentials link and enter the relevant user name and password.
   b. Comment - Type a free-text comment in the field as necessary.
   c. Send process report to - Select to send the process report to a recipient and then type the recipient's email address in the field. You can enter the email of only one recipient or distribution list.
   d. Commit changes on folders with broken inheritance - Select to commit changes on folders with broken inheritance.
      Note: Users without edit/commit permissions, or for users where this option was not configured (via the Management Console), will not see this screen.
7. Click Start. The selected process(es) are rescheduled according to the defined time.

Cancelling a Scheduled Process

You can cancel a process that is scheduled for commit.

Note: You cannot cancel a process that is currently running, or one that has been terminated or committed. In order to cancel a running process, you must first terminate it. See Stopping the Commit Process for instructions.

To cancel a scheduled commit process:

1. Access the Change Management and Commit window and select the Processes tab.
2. In the grid, select the scheduled process(es) to be cancelled.
   Tip: You can apply the Process status filter to view scheduled processes only.
3. Click Cancel Schedule. A confirmation message is displayed, asking you to confirm the cancellation.
4. Click Yes. The selected process(es) are cancelled.

Stopping the Commit Process

To stop the commit process before it is completed:

Note: For instructions on cancelling scheduled commit operations that are still pending, see Cancelling a Scheduled Process.

1. Access the Change Management and Commit window and select the Processes tab.
2. Select the required process and click Terminate. A confirmation message is displayed.
3. Set the following as necessary:
   - Roll back committed changes - Select to reject committed changes.
   - Send report to - Select to send the rollback process report to a recipient and then type the recipient's email address in the field.

     Note: This option is available only if a mail recipient was not selected during commit. If a mail recipient was previously selected, the report will automatically be sent to that recipient.
4. Click OK. A confirmation message is displayed. The process is marked as Aborted in the Processes tab. If you have selected to roll back committed changes, a rollback process is initiated for successfully committed changes and a report is sent to the recipient by email.

Rejecting Changes

You can reject or roll back changes that have already been committed. The rollback process can only be performed for terminated or completed processes that have not yet been rolled back. For a list of DatAdvantage operations that can be rolled back, see Supported Rollback Operations.

An email notification is sent when changes are successfully rolled back.

Important: The rollback reverses changes and may not restore permissions to their original state.

To reject changes:

1. Access the Change Management and Commit window and select the Processes tab.
2. Select the required process and click Rollback. The Rollback dialog box is displayed.

3. To log in to the Commit engine:
   a. Select one of the following:
      - Enter a single set of credentials for all resources
        User name - Type the relevant user name or browse to locate the required user.
        Password - Type the relevant password.
        Remember Password - Select to save the credentials for this commit process. This option saves the credentials for each commit operator.
      - Enter credentials per resource - For each resource, click the Enter credentials link and enter the relevant user name and password.
   b. Comment - Type a free-text comment in the field as necessary.
   c. Send process report to - Select to send the process report to a recipient and then type the recipient's email address in the field. You can enter the email of only one recipient or distribution list.
      Note: If a mail recipient was already selected during commit, this field is populated with the recipient's email address.
4. Click Start. A confirmation message displays the rollback process ID.
5. Click OK. The selected change(s) are rejected and a report is sent to the recipient by email.

Supported Rollback Operations

You can roll back the following DatAdvantage operations:
- Group membership changes
  Group member added
  Group member removed
  Group member edited
- Permission changes (SharePoint, Exchange, CIFS and NFS)
  Permission added
  Permission removed
  Permission edited
- Group created

Note: The rollback process can only be performed for terminated or completed commit processes that have not yet been rolled back. The rollback reverses changes and may not restore permissions to their original state.

Exporting Changes and Processes to CSV

You can export all changes and processes displayed in the Pending Changes and Processes tabs to a CSV file.

Note: This action exports all changes and processes that were filtered for display (and not the items that were selected in the grid).

To export the displayed changes or processes to CSV:

1. Open the Change Management and Commit window and select the relevant tab.
2. Click Export to CSV and select the required export path.
3. Click Save.

Editing the Displayed Columns

You can add or remove columns for display in the Pending Changes and Processes tabs.

To edit the displayed columns:

1. Open the Change Management and Commit window and select the relevant tab.
2. Click Edit Columns.

   The Edit Columns dialog box is displayed.
3. Select the required columns from the Available Columns pane on the left, and click the right arrow to move them into the Selected Columns list.
   Note: For a complete list of columns that can be included in the Pending Changes and Processes tabs, see Change Management and Commit Columns.
4. Use the Up and Down buttons to arrange the order in which the columns are displayed.
5. To restore the default set of columns, click Reset.
6. Click OK. The selected columns are added to the grid.

Change Management and Commit Columns

You can customize which columns are included in the Pending Changes and Processes tabs (for more information, see Editing the Displayed Columns). You can also change the order in which the columns are displayed, sort columns, and group columns as required. For more information, see Working with Lists and Tables.

The following table describes all columns that can be included in the Pending Changes tab:

Column Name - Description

Created By - The display and domain name of the user who made the change, or IDU Analytics.
Created By (SAM Account Name) - The domain and SAM account name of the user who made the change, or IDU Analytics.

Create Time - The date and time at which the change was made. The time format is displayed in accordance with the IDU Server's local settings.
Change Source - The source of the change, which can be:
  User edited - User changes
  IDU analytics - Recommendations by IDU Analytics
Description - A detailed description of the change.
Error/Info - The reason why the change is invalid.
File Server - The name of the file server on which the change was made.
Last Process ID - The unique identifier of the last process which included the change. This is relevant only for invalid changes or changes that could not be committed.
Member/Trustee - The display and domain name of the member or trustee (for membership or permission changes).
Member/Trustee (SAM Account Name) - The domain and SAM account name (in the format Domain\SAM Account Name) of the member or trustee (for membership or permission changes).
Object - The name of the object on which the change was made. The type of object displayed in this column can be one of the following:
  File
  Folder
  Group (in the format Display Name (Domain))
  User (in the format Display Name (Domain))
  Computer (in the format Display Name (Domain))
Object Path - The pathname of the object that was changed.
Pre-requisite Changes - One of the following:
  None
  Discard - A list of changes that will be discarded if the selected change is discarded.
  Commit - A list of all changes that must be committed or scheduled in order to commit the selected change.

Status - The status of the change, which can be:
  Pending
  Invalid

The following table describes all columns that can be included in the Processes tab:

Column Name - Description

Comment - The free-text comment entered by the user who committed the change(s) in the process.
Committed By - The name of the user (in the format Domain\DisplayName) who performed the commit operation.
Committed By (SAM Account Name) - The name of the user (in the format Domain\SAM Account Name) who performed the commit operation.
Commit Time - The date and time at which the commit action was executed by the user. The time format is displayed in accordance with the IDU Server's local settings.
Complete Time - The date and time at which the commit process was completed (i.e., all changes included in the process were committed by the system). The time format is displayed in accordance with the IDU Server's local settings.
Duration - The duration of the commit process.
Number of Changes - The number of changes included in the commit process.
Original Process ID - The unique identifier of the original process which was rolled back or is in the process of being rolled back. This ID is displayed only if a commit process was rolled back.
Rollback Process ID - The unique identifier of the rollback process. This ID is displayed only if a commit process was rolled back.

Run Start Time - The date and time at which the commit process was executed by the system (i.e., the time at which the first change in the process was committed). The time format is displayed in accordance with the IDU Server's local settings.
Schedule Time - The date and time at which the commit process was scheduled. The time format is displayed in accordance with the IDU Server's local settings.
Status - The status of the process, which can be:
  Scheduled
  In process
  Completed
  Aborting
  Aborted

Archiving Events, Statistics and Committed Processes

The Archive option on the Tools menu enables administrators to archive events, statistics and committed processes. Events and statistics can be archived for each monitored file server. This helps reduce the size of the active database. However, historical data that has been archived is unavailable for online viewing, so this option should only be used for data that is not accessed regularly.

When events are archived, they are placed into a ZIP file and moved to a directory whose name includes the name of the file server. For example, a file server named netapp4 would archive to a directory named Archive_netapp4 under the Varonis directory, whose location is defined during installation. These directories can be included in a normal backup schedule.

Selecting Events, Statistics and Committed Processes

The Archive window enables you to choose the file server containing the events or statistics to be archived, as well as a timeframe for the data. You can also choose to archive processes that have been committed. Note that you cannot select a file server for committed processes.

To select events, statistics and committed processes:

1. Select Tools > Archive. The Archive window is displayed.

2. From the Archive type drop-down list, select one of the following options:
   - Events
   - Statistics
   - Commit
3. From the File server drop-down list, select the file server containing the events or statistics to be archived.
   Note: You cannot select a file server for committed processes.
4. Set the timeframe for the data to be retrieved:
   a. In the From field, click the arrow, and select the beginning date of the timeframe from the calendar.
   b. In the To field, click the arrow, and select the ending date of the timeframe from the calendar.
5. Click Search. The tables are listed in the results pane. The Archive Status column displays the status of each table.

6. To change the operation for a particular event from Archive to Cancel Archive, click the button for the event in the Operation column.
7. Click OK.

Archiving Events, Statistics and Committed Processes

To archive events, statistics and committed processes:
1. Locate the tables to be archived by entering the relevant search criteria. For instructions on setting search criteria, see Selecting Events, Statistics and Committed Processes.
2. Click Search.
3. Click the action button in the Archive column to set their status to Pending archive.
4. Click Run Now. The CIFS events, statistics or commit processes for that day are archived, and the table's status becomes Archived.

Restoring Archived Data

To restore archived data:
1. Locate the tables to be restored by entering the relevant search criteria. For instructions on setting search criteria, see Selecting Events, Statistics and Committed Processes.
2. Click Search.
3. Click the Restore/Delete action button in the Archive column.
4. From the popup menu, select Restore to set the tables' status to Pending restore.
5. Click Run Now. The data is restored, and the table's status becomes Active.

Restoring Data Per User

This feature restores the archived data of one file server, or of multiple file servers at once, for a specific time range and a single user. For example, if User A is suspected of having deleted a file three years ago, it is possible to restore back to the database (SQL Server) only those events created by User A (excluding all the events for all users for the past three years). The search period will be limited to seven years. The data that already exists in the original archive file will remain intact.

To restore data per user:
1. Select Tools > Archive. The Archive window is displayed.
2. Click Advanced Restore. The Restore Data per User window is displayed.

3. Do as follows:
   a. File Servers - Select one or more file servers.
   b. Specific Entities - Select all users or restrict the scope to a single user. If you select the single user option, select that user from the Directory Services Search dialog box (you can select up to 50 users).
   c. Dates - Select the date range of the archives to be restored (the default is a month earlier than 180 days ago).
      Note: The date picker is not limited to only seven years back. If there are events archived for a period longer than seven years, those will also be restored unless the customer has SQL storage limitations.
   d. Archive Type - Select the relevant archive type (events or statistics) to restore. Note that all types are selected by default.
   e. Reset button ( ) - Sets the filters to the following state:
      - File Server - Clears the servers that were selected.
      - Entities - Selects all users.
      - Dates - The last month relative to the current date.
      - Archive Type - Selects all checkboxes (all types).
4. Click Search. The search results are displayed at the bottom in the results grid.

5. Each row in the table displays all data for the date range for the server/specific user per archive type. Refer to the following:
   - User Name - The user's name; this column is changed dynamically based on the selected search filter. If all users and folders were selected, All users is displayed. If specific users were selected, the domain/user name is displayed.
   - File Server - The file server's name as it is displayed in DatAdvantage.
   - File Server Type - The file server's type as it is displayed in DatAdvantage.
   - Archive Status - The table's status; this column can have Archived, Pending Restore or Mixed statuses. The Mixed status is displayed if some of the days are in Archived status and some in Pending Restore status.
   - Archive Type - Displays events and/or statistics.
   - Archive Period - The date range of the archive. The first and last dates that data exists for this server or specific user will define the displayed range.
   - Status Details - Displays details of the various archive statuses.
6. Select the files to restore and click the Restore Now button above the table. The files are restored.
7. Schedule for Restore - The files are restored on the next run of the weekly table maintenance job.
   Note: The data will not be deleted from the original archive file. It will be re-archived after the extraction of the selected data.

Deleting Archived Data

Once an object has been deleted it cannot be restored.

To delete archived data:
1. Locate the tables to be deleted by entering the relevant search criteria. For instructions on setting search criteria, see Selecting Events, Statistics and Committed Processes.
2. Click Search.
3. Click the Restore/Delete action button in the Archive column.
4. From the popup menu, select Delete to set the tables' status to Pending delete.
5. Click Run Now. The data is deleted.

Managing IDU Servers

DatAdvantage enables you to connect to various monitored IDU Servers. Use this option if you have several IDU Servers in your organization, in order to define connection parameters for each server and switch between them.

Adding IDU Connections

To add a connection to an IDU:
1. Select Tools > Select IDU Server. The IDU Server Selection dialog box is displayed.
2. Click Servers. The IDU Server Editor dialog box is displayed.

3. To add another IDU Server to the list:
   a. Click Add. The Server Information dialog box is displayed.
   b. Set the following:
      - IDU Server address - Type the name or IP Address of the IDU Server to be added.
      - Port number - Type the port number to which the IDU Server listens.
   c. Click OK. The IDU Server is added to the list.

Removing IDU Connections

To delete an IDU connection:
1. Select Tools > Select IDU Server. The IDU Server Selection dialog box is displayed.

2. Click Servers. The IDU Server Editor dialog box is displayed.
3. From the list, select the IDU to be removed. You cannot remove the currently active IDU.
4. Click Remove.

Configuring Dictionaries

One way to create and update a rule efficiently is to define a dictionary of the terms you want your rule to search. You can define as many dictionaries as you want.

Use dictionaries with the following guidelines in mind:
- Dictionaries containing fewer than 50,000 records, with three characters or more per record, are the most effective (dictionaries are limited to a total of 60,000 entries).
  Note: These numbers are recommendations. You can define dictionaries with more records (up to 60,000), or with shorter records, but they may classify your data less effectively.
- You can schedule a job that automatically uploads and updates dictionaries.
- Dictionaries may be selected as conditions within rules, which means they may be used as part of a complex boolean expression (different dictionaries combined with strings and regular expressions).

Dictionaries are encrypted in the database using a Triple DES-based symmetric encryption system.

To configure a dictionary:
1. Select Tools > Dictionaries. The Dictionaries window is displayed.
2. Select the Dictionaries tab. The existing dictionaries are displayed.

Adding Dictionaries

To add a new dictionary:
1. Access the Dictionaries window.
2. Click Add. The New Dictionary window is displayed.

3. Set the following parameters:
   - Name - Type a free-text name for the dictionary.
   - Description - Type a free-text description of the dictionary.
   - Source file - Click the Browse button to select a CSV file containing the required dictionary entries, and select one of the following options:
     - Add entries from the selected file to the existing list - Select to append the contents of the CSV file to the existing list.
     - Override all existing entries with the contents of the selected file - Select to completely overwrite the existing list.
     - Use the file contents during automatic updates - Select to instruct the DCF to use the contents of the chosen file when applying automatic updates to the dictionary.
4. To add an entry to the dictionary manually:
   a. Click the green plus sign. The New Entry dialog box is displayed.

   b. Type the term you want to add to the dictionary. For example, type ini if you want to define a rule to be run on all files of the INI type.
   c. Click OK. The term is added to the dictionary list, along with the following additional information:
      - Entry - The term itself.
      - Enabled - Indicates whether the term is enabled in the dictionary. Terms that are disabled are not included in the classification process.
      - Modified Date - The date on which the term was last modified.
      - Source - Indicates whether the term comes from a predefined dictionary or is user-defined.
5. To edit a term:
   Note: Only user-defined terms can be edited.
   a. In the Edit Dictionary dialog box, select the term to be edited.
   b. Click Edit Entry, or right-click and select Edit Entry from the context menu.
6. To enable a disabled entry:
   a. In the Edit Dictionary dialog box, select the term to be enabled.
   b. Click the green check mark, or right-click and select Enable Entry from the context menu.
7. To disable an enabled entry:
   a. In the Edit Dictionary dialog box, select the term to be disabled.
   b. Click the red disable sign, or right-click and select Disable Entry from the context menu.
8. To remove a term from the dictionary:
   Note: Only user-defined terms can be removed.
   a. In the Edit Dictionary dialog box, select the term to be removed from the dictionary list.
   b. Click the red, or right-click and select Delete Entry from the context menu.

Editing Dictionaries

To edit an existing dictionary:
1. Access the Dictionaries window.
2. Select the row of the dictionary you want to edit.
3. Click Edit Dictionary, or right-click and select Edit Dictionary from the context menu.

4. Edit the dictionary as necessary.
5. To restore the dictionary's original, predefined entries, click Restore.
   Note: This action is only available for predefined dictionaries.

Cloning Dictionaries

To clone an existing dictionary and all its entries:
1. Access the Dictionaries window.
2. Select the row of the dictionary you want to clone.
3. Click Clone Dictionary, or right-click and select Clone Dictionary from the context menu. The dictionary is cloned and appears in the list with the word Copy appended to its name.
4. Edit the cloned dictionary as necessary.

Removing Dictionaries

When you remove a dictionary, all the rules that include this dictionary in their conditions are erased along with all matching file results. However, the data that is erased is maintained in history (the amount of time history is maintained depends on the organization's retention policy).

To remove a dictionary:
1. Access the Dictionaries window.
2. On the Dictionaries tab, select the rows of the dictionaries you want to remove.
   Note: If your selection includes at least one predefined dictionary (indicated by a lock icon), the Remove button is disabled.
3. Click the red, or right-click and select Delete Dictionary.

Setting Entities as Monitored or Unmonitored

When a file system is monitored by DatAdvantage, all the folders it contains are automatically monitored. In addition, all the users in Active Directory are automatically monitored. However, collection of data for so many users across an entire file system can result in a good deal of needless overhead in terms of storage space and licensing costs. Therefore, DatAdvantage enables you to select users and folders you do not want to monitor and remove them from DatAdvantage storage, either temporarily or permanently.
The lists of unmonitored users and folders are easily configurable and can be changed on the fly, both through the Configuration window and during daily work in DatAdvantage (see Configuring Unmonitored Folders and Configuring Unmonitored Users).

Note: If you make a change to resume monitoring an unmonitored entity, the change takes effect either after the nightly run of ADWalk and PullWalk, or after these jobs are run manually.

For directory service objects, the icon does not change when an object's monitoring status is changed.

To set an entity as monitored or unmonitored:
1. Select the relevant view.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Monitor or Stop Monitoring, as relevant.
   Note: The available options depend on the current state of the entity. If an entity is currently monitored, the only available option is Stop Monitoring. If the entity is not currently being monitored, the only available option is Monitor. However, both the Monitor and the Stop Monitoring options may be available for a group if the group contains both monitored and unmonitored users.

If you set an entity as unmonitored, it is automatically added to the Unmonitored list available in the configuration window. If you set an entity as monitored, it is automatically removed from the Unmonitored list. However, you must refresh the entity list to see it in the current view.

Attention: Setting an object as unmonitored filters out all the object's events, and future events are not collected. This means the recommendations that IDU Analytics makes for this object may be inaccurate.

Using Follow-up Indicators

You can set flags, tags and notes on entities requiring follow-up. You can also set flags and tags to be inherited from their parent objects.

Configuring Follow-up Indicators

When defining flags and tags, keep the following in mind:
- Several flags can have the same name, but they must be assigned different colors.
- Several flags can be assigned the same color, but they must have different names.
- Tags can be assigned only one color, but the color can be changed.

To configure flags and tags:
1. Select Tools > Follow Up.

2. In the Flags area, configure flags as follows:
   a. To add a flag, click Add. A new row is added to the Flags grid.
   b. To change a flag's name, click it and type the required name. The name is limited to 50 characters.
   c. To change a flag's type to either Global or Personal, click the down arrow and select the required option.
      Note: This is only possible if the administrator has enabled global flags through the Management Console.
   d. To change a flag's color, click the Browse button to open the color palette and select the required color.
   e. To remove a flag, select its checkbox and click Remove.
      Note: This action removes the selected flags from all the entities to which they are assigned.
3. In the Tags area, configure tags as follows:
   a. To add a tag, click Add. A new row is added to the Tags grid.
   b. To change a tag's name, click it and type the required name. The name is limited to 50 characters.
4. In the Tag Color area, click the Browse button to change the color of tags as required.
5. Click OK.

Uploading Follow-Up Indicators

To streamline work with follow-up indicators, you can upload a CSV file containing all the data required to define flags and tags in a bulk operation. In addition to adding new tags and global flags, you can use this procedure to convert existing personal flags to global flags, detach flags and tags from objects, and change the color of a flag or tag.

The following users can perform this activity:
- System administrator
- Enterprise manager
- Configuration user

To upload follow-up indicators:
1. Select Tools > Upload Follow-up Indicators.
2. Select the prepared CSV file to be uploaded. The file is uploaded and the flags and tags are created.

Preparing the CSV File to Upload Follow-up Indicators

The CSV file for uploading follow-up indicators can contain two types of rows:
- Definition of flags and tags - Use to identify the flag/tag, as well as the action to be performed
- Definition of assigned objects - Use to identify the objects to which flags and tags are attached

Definition of Flags and Tags

Rows defining flags and tags must have the following structure:

<Follow-up Flag/Tag>,<Flag/Tag Action>,<Flag/Tag Name>,<Old Flag Type>,<Flag Created By>,<Old Flag Color>,<New Flag Color>

Fields that are not required for a particular action can be empty.

Field: Follow-up Object Type
Valid Values:
- TAG - Tag
- FLAG - Flag
Default if Field is Empty: This field cannot be empty

Field: Flag/Tag Action
Valid Values:
- NEW - Add new flag/tag.
- ATTACH - Attach existing flag/tag to entities described in the following rows.
- DETACH - Detach existing flag/tag from entities described in the following rows.
- CHANGE_COLOR - Update the color of a flag. Only a user with permissions to global flags can change the color of a global flag. Any user can change the color of a personal flag.
- MAKE_GLOBAL - Make an existing flag global.
Default if Field is Empty: This field cannot be empty

Field: Flag/Tag Name
Valid Values: Free Text - Name of flag/tag
Default if Field is Empty: This field cannot be empty

Field: Old Flag Type
Valid Values: Only for flags. Specify flag type to identify the flag for ATTACH, DETACH, CHANGE_COLOR and MAKE_GLOBAL operations. Options are:
- GLOBAL
- PERSONAL
Default if Field is Empty: GLOBAL

Field: Flag Created By
Valid Values: Only for personal flags. Specify the user that created the flag for ATTACH, DETACH, CHANGE_COLOR and MAKE_GLOBAL operations.
- Domain users and groups: Domain Name/SAM Account Name
- Local SharePoint users and groups: Domain\user
Note: This does not have to be the user uploading the file.

Field: Old Flag Color
Valid Values: Only for flags. Specify the previous flag color to identify the flag for ATTACH, DETACH, CHANGE_COLOR and MAKE_GLOBAL operations.

Default if Field is Empty (entries on this page for Flag Created By and Old Flag Color, in the order they appear):
- CHANGE_COLOR - If more than one flag exists, an error occurs.
- MAKE_GLOBAL - All flags with the flag name and type are converted into a single global flag. Existing personal flags are deleted.

- ATTACH - If more than one flag exists, an error occurs.
- DETACH - If more than one flag exists, an error occurs.
- CHANGE_COLOR - If more than one flag exists, an error occurs.
- MAKE_GLOBAL - All flags with the flag name and type are converted into a single global flag. Existing personal flags are deleted.

Field: New Flag Color
Valid Values: Mandatory in the NEW and CHANGE_COLOR operations.
Default if Field is Empty:
- ATTACH - If more than one flag exists, an error occurs.
- DETACH - If more than one flag exists, an error occurs.
- When a new flag is created and no color is assigned, an error occurs.
- If the parameter is passed in the ATTACH/DETACH operation, it is ignored.

Definition of Assigned Objects

Rows defining assigned objects must have the following structure:

<Object Type>,<File Server Name>,<Access Path/User/Group>,<Inherited>

Fields that are not required for a particular action can be empty.

Field: Object Type
Contents:
- DIR - File or folder from the directory tree
- DIR_LOGICAL - Logical path to file or folder from the directory tree
- DIR_DFS - DFS path to file or folder from the directory tree
- USER - User
- GROUP - Group
Default if Field is Empty: This field cannot be empty

Field: File Server Name
Contents: For directories and files, the name of the file server on which the object resides.
Default if Field is Empty: None

Field: Access Path/User/Group
Contents: Object to assign the flag/tag to, or logical path/dfs path/physical path/user/group name according to the File Server Name parameter. Users and groups must have the following format:
- Domain users and groups: Domain Name/SAM Account Name
- Local SharePoint users and groups: Domain\user
Default if Field is Empty: This field cannot be empty

Field: Inherited
Contents: Y/N
Default if Field is Empty: No need to enter this for files. For folders, the default is N.

Sample Use Cases

Action: New Tag
Example:
TAG,NEW,My Tag

Action: New Global Flag
Example:
FLAG,NEW,MyGlobalFlag,,,,#FF0000
Comments: Personal flags can only be added through the UI. A color must be specified for the flag.

Action: Change color personal flag
Example:
FLAG,CHANGE_COLOR,MyPersonalFlag, PERSONAL,Varonis\lheman,,,#FF0000
Comments: The color is in hexadecimal format.

Action: Change color global flag 1 with old color to identify the flag
Example:
FLAG,CHANGE_COLOR,MyFlag,,,#005500,#FF0000
Comments: Use the color to identify the flag if there are two global flags with the same name. The color is in hexadecimal format.

Action: Change color global flag 2
Example:
FLAG,CHANGE_COLOR,MyFlag,,,,#

Action: Make global action
Example:
FLAG,MAKE_GLOBAL, MyFlag,PERSONAL,,#
Comments: Merges personal flags with the same name and color into a single global flag. If a global flag already exists with this name and color, the personal flag is replaced by the existing global flag.

Action: Make global action
Example:
FLAG,MAKE_GLOBAL,MyFlag, PERSONAL,Varonis\lheman
Comments: Converts a personal flag to a global flag. If more than one flag exists with this name for this user, an error is returned. If a global flag already exists with this name and color, the personal flag is replaced by the existing global flag.

Action: Attach tag to objects (Tag/Flag row)
Example:
TAG,ATTACH,MyTag
USER,, PM-LAB.COM\MyUser
GROUP,, PM-LAB.COM\MyGroup
DIR,PM-LAB-DV1,C:/Lila,Y
Comments: The tag is added to the group and the two paths.

Action: Attach flag to objects (Tag/Flag row)
Example:
FLAG,ATTACH,MyGlobalFlag
USER,, PM-LAB.COM\MyUser
GROUP,, PM-LAB.COM\MyGroup
DIR,PM-LAB-DV1,C:/Lila,Y
Comments: Attaches a global flag to the specified objects.

Action: Attach flag to objects (Tag/Flag row)
Example:
FLAG,ATTACH,MyPersonalFlag,PERSONAL
USER,, PM-LAB.COM\MyUser
GROUP,, PM-LAB.COM\MyGroup
DIR,PM-LAB-DV1,C:/Lila,Y
Comments: Attaches a personal flag to the specified objects. If there is more than one personal flag with this name, an error is returned.

Action: Attach flag to objects (Tag/Flag row)
Example:
FLAG,ATTACH, MyPersonalFlag, PERSONAL,Varonis\lherman
USER,, PM-LAB.COM\MyUser
DIR,PM-LAB-DV1,C:/Lila,Y
Comments: Attaches a personal flag to the specified objects. If there is more than one personal flag with this name and created by this user, an error is returned. If there is more than one global flag with this name, an error is returned.

Comments (continued from the previous row): The flag is added to the group and both paths.

Action: Detach flags from objects (Tag/Flag row)
Example:
FLAG, DETACH, MyPersonalFlag, PERSONAL,Varonis\lherman,#
DIR,PM-LAB-DV1,C:/Lila,Y
Comments: Detaches a personal flag from the specified objects. Specify the flag's color to identify it.

Action: Detach tag from object
Example:
TAG, DETACH,MyTag
USER,, PM-LAB.COM\MyUser
GROUP,, PM-LAB.COM\MyGroup
DIR,PM-LAB-DV1,C:/Lila,Y

Example

TAG,NEW,My Tag
TAG,ATTACH,My Tag
DIR,PM-LAB-DV1,C:/Lila,Y
FLAG,NEW,My Flag1,,,,#FF0000
FLAG,ATTACH,MY Flag1
DIR,PM-LAB-DV1,C:/Lila,Y
USER,,PM-LAB.COM/MyUser
FLAG,My Flag1,PERSONAL,Varonis/Lila
DIR,,PM-LAB-DV1,C:/Lila,Y
FLAG,ATTACH,My Flag,PERSONAL
DIR,PM-LAB-DV1,C:/Lila,Y
FLAG,MAKE_GLOBAL,MyFlag,PERSONAL,Varonis/Lila
FLAG,MAKE_GLOBAL,MyFlag,PERSONAL
FLAG,MAKE_GLOBAL,MyFlag,PERSONAL,,#FF0000
FLAG,CHANGE_COLOR,MyFlag,PERSONAL,,#FF0000,#
FLAG,CHANGE_COLOR,MyFlag,PERSONAL,,,#
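Because one upload can detach indicators or merge personal flags across many entities, it is worth checking the file against the row structure above before uploading it. The following pre-upload check is an added example, not part of the Varonis guide or product. The function names, the constructed sample rows, the "review" severity, exact-case keyword matching, whitespace trimming and the six-hex-digit color pattern are assumptions.

```python
import csv
import io
import re

DEFINITION_TYPES = {"TAG", "FLAG"}
ACTIONS = {"NEW", "ATTACH", "DETACH", "CHANGE_COLOR", "MAKE_GLOBAL"}
OBJECT_TYPES = {"DIR", "DIR_LOGICAL", "DIR_DFS", "USER", "GROUP"}
FLAG_TYPES = {"GLOBAL", "PERSONAL"}
# Assumption: a color is '#' plus six hex digits, as in the guide's #FF0000.
COLOR_RE = re.compile(r"#[0-9A-Fa-f]{6}")


def check_definition(f, n, findings):
    """Check a TAG/FLAG row; return its action, or None if the action is invalid."""
    if len(f) > 7:
        findings.append((n, "error", "definition row has more than 7 fields"))
    kind, action, name, old_type, creator, old_color, new_color = (f + [""] * 7)[:7]
    if action not in ACTIONS:
        findings.append((n, "error", f"unknown or empty action {action!r}"))
        return None
    if not name:
        findings.append((n, "error", "Flag/Tag Name cannot be empty"))
    if kind == "FLAG":
        if old_type and old_type not in FLAG_TYPES:
            findings.append((n, "error", f"Old Flag Type {old_type!r} is not GLOBAL or PERSONAL"))
        if action in ("NEW", "CHANGE_COLOR") and not new_color:
            findings.append((n, "error", f"{action} on a flag requires New Flag Color"))
        for label, color in (("Old", old_color), ("New", new_color)):
            if color and not COLOR_RE.fullmatch(color):
                findings.append((n, "error", f"{label} Flag Color {color!r} is not hexadecimal"))
        if action == "MAKE_GLOBAL" and not creator:
            # Documented default: all flags with this name and type become one
            # global flag and the existing personal flags are deleted.
            findings.append((n, "review", "MAKE_GLOBAL without Flag Created By merges every matching flag"))
    return action


def check_object(f, n, findings, current_action):
    """Check an assigned-object row against the four-field structure."""
    if len(f) > 4:
        findings.append((n, "error", "object row has more than 4 fields"))
    _obj_type, _server, target, inherited = (f + [""] * 4)[:4]
    if current_action not in ("ATTACH", "DETACH"):
        findings.append((n, "error", "object row does not follow an ATTACH or DETACH row"))
    if not target:
        findings.append((n, "error", "Access Path/User/Group cannot be empty"))
    if inherited and inherited not in ("Y", "N"):
        findings.append((n, "error", f"Inherited must be Y or N, got {inherited!r}"))


def validate_followup_csv(text):
    """Return a list of (line number, severity, message) findings."""
    findings = []
    current_action = None  # action of the most recent definition row
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        f = [field.strip() for field in row]
        if not any(f):
            continue  # skip blank lines
        if f[0] in DEFINITION_TYPES:
            current_action = check_definition(f, n, findings)
        elif f[0] in OBJECT_TYPES:
            check_object(f, n, findings, current_action)
        else:
            findings.append((n, "error", f"unknown row type {f[0]!r}"))
            current_action = None
    return findings


# Constructed sample input (not taken from the guide).
SAMPLE = """\
TAG,NEW,Finance Review
TAG,ATTACH,Finance Review
DIR,FS01,C:/Finance,Y
USER,,EXAMPLE.COM\\auditor
FLAG,NEW,Needs Owner,,,,
FLAG,CHANGE_COLOR,Needs Owner,,,#005500,red
FLAG,MAKE_GLOBAL,Needs Owner,PERSONAL
GROUP,,EXAMPLE.COM\\Helpdesk
FLAG,REMOVE,Needs Owner
"""

if __name__ == "__main__":
    for line_no, severity, message in validate_followup_csv(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```

Rows reported as "review" are structurally valid but have the broad effect the guide documents for an empty Flag Created By field, so they deserve a second look before the upload.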

Clearing Follow-Up Indicators

This procedure describes how to clear all follow-up indicators on a specific entity.

Do as follows:
1. Select the relevant view.
2. Locate the required entity.
3. To clear all follow-up indicators attached to the entity by other DatAdvantage users, right-click the selected entity, and from the context menu, select Follow Up > Clear All Users' Follow-Up Indicators. All other users' follow-up indicators (tags, global flags, and notes) that were set on that entity are cleared.
   Note: This option is displayed only if the user is defined as an Enterprise Manager.
4. To clear all your own follow-up indicators on a specific entity, right-click the entity, and from the context menu, select Follow Up > Clear All My Follow-Up Indicators. All your follow-up indicators that were set on that entity are cleared.

Managing Flags

Flags can be defined as personal, for only the specific user who implements them, or as global, for all users. Flags can be used in searches and filters, but only global flags may be used in report and log filters.

Only users specified by the administrator can create new global flags. Other users are free to attach global flags to the entities they are interested in.

If a global flag is changed to personal or deleted, it becomes a personal flag for all other users that have implemented it. If a personal flag is changed to global, all users will see all instances of it. Multiple flags of each type (global and personal) can be set on a single entity.

Attaching Follow-up Flags to Entities

To attach a follow-up flag to an entity:
1. Select the relevant view.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. From the submenu, select the relevant flag. The relevant icon is displayed to the left of the entity.
5. Select the relevant inheritance option from the flag's submenu:
   - Apply to this object only
   - Apply to all child objects
   Note: If a flag is set to only the current object and you want to apply it to the child objects, you must first clear the flag from the current object and then reapply it to all child objects.
6. To set a defined flag that does not appear in the list, select More from the submenu. The Manage Flags dialog box is displayed.

7. Select the flags to be attached to the entity.
8. Click OK. The flag's icon is displayed to the left of the entity.

Inheriting Flags

If a flag is set to only the current object and you want to apply it to the child objects, you must first clear the flag from the current object and then reapply it to all child objects.

This option is not relevant for virtual groups. Since users cannot be added to virtual groups, such groups cannot have child objects; therefore, such inheritance is not relevant. Virtual groups include: Everyone, ANONYMOUS, LOGON, Authenticated Users, Terminal Server Users, Other, Default.

To set a flag to be inherited by an entity's child objects:
1. Select the relevant view.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. Select Flags from the submenu.

5. Select More from the submenu. The Manage Flags dialog box is displayed.
6. On the Manage Flags dialog box, select the Inherited checkbox for that flag.
7. Click OK. The flag is now inherited by the current object's child objects.

Clearing Inheritance on Entities

Flags that are inherited from parent objects to which the flags are still attached cannot be cleared.

To clear inheritances on an entity:
1. Select the relevant view.
2. Right-click the relevant entity, and from the context menu, select Follow up.
3. Select Clear All Follow-Up Icons. All the flags that were set on that entity and inherited by its child entities are cleared.

Clearing Global and Personal Flags

This procedure describes how users can clear their global and personal flags. Additionally, users assigned to the Enterprise Manager role can clear global flags to entities attached by other DatAdvantage users.

To clear a follow-up flag from an entity:
1. Select the relevant view.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up > Flags.
4. From the submenu, select the flag (it should be set). The flag is cleared.
5. To clear a defined flag that does not appear in the list, right-click the selected entity, and from the context menu, select Follow Up > Flags > More. The Manage Flags dialog box is displayed.
6. Select the flags to be cleared from the entity.

   Note: Users assigned to the Enterprise Manager role will see their flags (personal and global) and other users' global flags. Users not assigned to the Enterprise Manager role will see their flags (personal and global) and other users' global flags.
   a. To select specific flags, select the checkbox to the left of the flag.
   b. To select all flags, click the Select All button.
   c. To uncheck all flags, click the Clear All button.
7. Click OK.

Managing Tags

Tags are keywords or terms that help describe the selected entity. Tags are always global, and can be used in searches and filters. They cannot be deleted. Multiple tags can be set on a single entity.

Attaching Follow-up Tags to Entities

To attach a follow-up tag to an entity:
1. Select the relevant view.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. From the submenu, select the relevant tag. The relevant icon is displayed to the left of the entity.

5. Select the relevant inheritance option from the tag's submenu:
   - Apply to this object only
   - Apply to all child objects
   Note: If a tag is set to only the current object and you want to apply it to the child objects, you must first clear the tag from the current object and then reapply it to all child objects.
6. To set a defined tag that does not appear in the list, select More from the submenu. The Manage Tags dialog box is displayed.
7. Select the tags to be attached to the entity.
8. To add a new tag:
   a. Click Add. A new row is added to the grid.
   b. Click the row and set the tag's properties as necessary. The tag's name is limited to 50 characters.

9. To set a tag to be inherited by the entity's child objects, select the Inherited checkbox for that tag.
10. Click OK. The tag's icon is displayed to the left of the entity.

Clearing Tags from Entities

This procedure describes how users can clear a tag from an entity. Additionally, users assigned to the Enterprise Manager role can clear tags to entities attached by other DatAdvantage users, including entities attached by other users also assigned to the Enterprise Manager role.

To clear a tag from an entity:
1. Select the relevant view.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up > Tags.
4. From the submenu, select the tag that is set. The tag is cleared.
5. To clear a tag that does not appear in the list, or to clear multiple tags at once, select Follow Up > Tags > More. The Manage Tags dialog box is displayed.

6. Select the tags to be cleared from the entity.
   a. To select specific tags, select the checkbox to the left of the tag.
   b. To select all tags, click the Select All button.
   c. To uncheck all tags, click the Clear All button.
7. Click OK.

Inheriting Tags

If a tag is set to only the current object and you want to apply it to the child objects, you must first clear the tag from the current object and then reapply it to all child objects.

To set a tag to be inherited by the entity's child objects:
1. Select the relevant view.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. Select Tags from the context menu.
5. Select More from the context menu. The Manage Tags dialog box opens.
6. Select the Inherited checkbox for that tag.
7. Click OK. The tag's icon is displayed to the left of the entity.

Clearing Inheritance on Entities

Tags that are inherited from parent objects to which the tags are still attached cannot be cleared.

To clear all follow-up tags on an entity:
1. Select the relevant view.
2. Locate the required entity.

3. Right-click the selected entity, and from the context menu, select Follow Up.
4. Select Clear All Follow-Up Icons. All the flags that were set on that entity and inherited by its child entities are cleared.

Managing Notes

Notes are free-text comments that are defined by individual users on specific entities. However, while they are defined by users (as opposed to administrators), they are global and can be viewed and edited by all users. Because notes can be edited by anyone, each note includes the time at which it was last edited and the name of the user who made the change. Only one note may be defined on an entity at a time. Notes can be used in searches but not in filters.

Setting Notes for Follow-Up

To set notes for follow-up:
1. Select the relevant view.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Follow Up.
4. From the submenu, select Note. The Add/Edit Note dialog box is displayed.
5. Type the text of the note in the text box. The text is limited to 500 characters.
6. Click OK. The note is added to the entity.

Removing Notes from Entities

If a note is removed from an entity, it is no longer available for any user.

To remove a note:
1. Select the relevant view.
2. Locate the required entity.

3. Right-click the selected entity, and from the context menu, select Follow Up.
4. From the submenu, select Notes. The Add/Edit Note dialog box is displayed.
5. Click Remove. The note is removed from the entity and the dialog box is closed.
6. Alternatively, you can perform a general removal process which removes all notes together with all follow-up indicators (flags and tags) on the selected entity. Do as follows:
   - To remove all global follow-up indicators for all users (including yours), select Follow Up > Clear All Users' Follow-Up Indicators.
   - To remove all your follow-up indicators only, select Follow Up > Clear All My Follow-Up Indicators.

Setting Entities as Included or Excluded from Analysis

Administrators can define a list of entities that IDU Analytics will not take into consideration, so that no recommendations will be generated for the entities or their permissions. However, the entities are still monitored by DatAdvantage in every other way: they are considered when statistics are calculated, events are gathered for them, and so on.

Several groups are predefined as excluded during installation. The list of excluded users is easily configurable and can be changed on the fly, both through the Management Console and during daily work in DatAdvantage (see the Management Console User Guide).

Note: If you set an entity to included or excluded, the change takes effect either after the nightly run of ADWalk and PullWalk, or after these jobs are run manually.

To set an entity as included or excluded:
1. Select the Recommended Users and Groups pane.
2. Locate the required entity.
3. Right-click the selected entity, and from the context menu, select Include in Analysis or Exclude from Analysis, as relevant.

If you set an entity as included, it is automatically added to the Exclude list available in the configuration window. If you set an entity as monitored, it is automatically removed from the Exclude list.

Working with Lists and Tables

You can manipulate lists and tables to reach the data you need. See the following:
- Sorting Lists and Tables by Column
- Grouping Lists and Tables by Column
- Ungrouping Lists or Tables

Sorting Lists and Tables by Column

To sort a list or a table by a specific column:
- Click the column's heading. The table is sorted by the column. A triangle is displayed next to the column's header, to indicate the table is sorted by that column. The sort order (ascending or descending) is indicated by the direction of the triangle.

Grouping Lists and Tables by Column

The Group by Column option enables you to group list or table data according to a specific column.

To group list or table data according to a specific column:
1. Click the column header.
2. Drag the column headings to the area above the list or table marked Drag a column header here to group by that column. The list or table is grouped.

3. Drag additional column headings to group the data hierarchically.

Ungrouping Lists or Tables

To ungroup lists or tables that have been grouped by a specific column:
1. Above the list or table, click the name of the column by which the data has been grouped.
2. Drag it away from that area. When you release the mouse button, the list or table is ungrouped.

Viewing History of Deleted Entities

DatAdvantage enables you to view the history of all entities, even if they have been deleted from the system.

To view the history of a deleted entity:
1. Select the relevant view:
   - Statistics
   - Logs
2. Select the relevant entity pane (either Directories or Users & Groups).
3. In the pane, click the History button. If the button is not visible, click the Expand arrow and select History from the context menu. The entity pane hides all the entities currently in the system, and displays a calendar area.

Note: When searching for the name of a deleted entity in the Statistics view, the percent sign (%) can be used as a wildcard; for example, %leg%; %leg; leg%. The percent sign may not be used between letters.

4. Set the historical timeframe as relevant.
5. Click Search. All entities that existed during the selected timeframe are displayed.
6. Select the required historical entity.

Viewing Entity Properties

DatAdvantage enables you to access the standard real-time properties for entities (users, groups and directories) located on Windows and Unix machines.

Important: Changes you make through these dialog boxes are implemented immediately in the real environment.

To view entity properties:
1. Locate the required entity.
2. Right-click the entity, and from the context menu, select Properties. The entity's properties are displayed.

Opening the Management Console

To open the Management Console from within DatAdvantage:
- Select Tools > Management Console. The Management Console is opened.

Advanced Searching

Advanced search capabilities are available in several views and products throughout the Metadata Framework.

Accessing Advanced Search Criteria

To access the advanced search criteria:
- In the Logs view, click Switch to advanced mode.
- In the Reports view, click Show Search, or click the show/hide bar in the Viewer.

Selecting the Data Source

To select the data source:
- In the Logs view, select the relevant option from the Show data from drop-down list:
  - File system events
  - History of differences - To view historical data
  - All - To view both file system events and history

Setting the Time Frame for a Search

The default date range is one week before the current date, up to the current date.

To set the time frame for a search:
1. In the From field:
   a. Click the arrow, and select the beginning date of the time frame from the calendar.
   b. Click the hour and minutes in the From field to set them as necessary.
2. In the To field:
   a. Click the arrow, and select the ending date of the time frame from the calendar.
   b. Click the hour and minutes in the To field to set them as necessary.

The time frame for the activity is set.

Selecting a Search Mode

DatAdvantage provides two advanced search modes:
- Filter mode - The default mode. Use this mode to add grouping criteria (AND/OR expressions) and filtering criteria (entities, actions or other properties).
- Sort mode - Use this mode to sort the search results by the predefined columns of the resulting table.

To select the required search mode:
- On the Advanced Search toolbar, click Filter or Sort By, as relevant.

Adding Grouping Criteria

In Filter mode, you may add as many grouping criteria (AND/OR statements) as you want to the search expression. There are two ways to add groups: through the toolbar, or through the context menu.

To add a group through the toolbar:
1. Be sure you are working in Filter mode.
2. On the Advanced Search toolbar, click New Group.
3. From the submenu, select the type of grouping expression to be added:
   - Any of (OR)
   - All of (AND)
   The group is added to the search criteria.

To add a group through the context menu:
1. Right-click an existing group.
2. From the context menu, select New Group.
3. From the submenu, select the type of grouping expression to be added:
   - Any of (OR)
   - All of (AND)
   The new group is nested within the original group.

Nesting Groups and Filters

By default, new groups and filters are added to the currently active group, which is indicated by a blue bar. Filters can only be nested within groups; they cannot be nested within other filters.

To nest a group or filter statement within an existing group:
1. Select the group that is to be the parent group.
2. Add the new statement, either through the toolbar or through the context menu. The new statement is nested within the parent group.

Adding Filters

In Filter mode, you may add as many filters as you want. In the Reports view, the filters are equivalent to the headings of the report columns (with the exception of the User Access Log report, which is, in effect, a log). In the Logs view, the filters are specially-defined categories.

To add filters:
1. Be sure you are working in Filter mode.
2. On the Advanced Search toolbar, click New Filter; alternatively, right-click the parent group and select New Filter. The filter is added to the search criteria, with an AND operator.

Defining Filter Attributes

To define a filter's attributes:
- Next to each filter row, click the Browse button or open the drop-down list to select the values required for the filter attribute.

Note: Grayed out fields are mandatory.

Changing Operators

To change the operator in a statement:
- Right-click the operator for the relevant filter, and select the required operator from the context menu.

Changing the Type of an Existing Group or Filter

You can change the type of an existing group or filter on the fly, without changing its position in the overall expression.

To change the type of an existing statement:
1. Right-click the relevant statement.
2. For groups, select the relevant option from the context menu:
   - All of (AND)
   - Any of (OR)
3. For filters, select the relevant option from the context menu and its submenus. (See Metadata Framework Reports Guide for a description of available report filters.)

Note: For reports, other filter options may be displayed depending on the Active Directory properties that are defined in the system.

The type is changed.

Including and Excluding Groups from the Filter

When you are working with a report that deals with groups, you can easily set groups to be included or excluded from the filter.

To include or exclude a group from the filter:
1. Right-click the parent filter and select New Filter. The Group Name filter is added.
2. Right-click the Group Name filter and select Include/Exclude Groups. The Group Name filter is changed to Include/Exclude Groups, and an Include filter is nested within it.
3. Click the Browse button to select the required group.
4. To add an Exclude Groups filter, right-click the Include/Exclude Groups filter again and select New Exclude Group.
5. Continue adding filters as required.

Removing Groups or Filters

To remove a group or filter statement from the search expression:
1. Select the checkbox of the relevant statement.
2. On the Advanced Search toolbar, click Remove Selected.

Capping the Search Results

The cap mechanism prevents executing searches or rules whose results may have a dramatic impact on the Metadata Framework, in terms of storage, performance, and so on. By default, the cap mechanism is disabled, and should be configured only with assistance from Varonis Support.

Underlying Technology

Based on the SQL Server Resource Governor, the mechanism enables database administrators to manage SQL Server workload and critical system resource consumption. When the cap mechanism is configured, one or both of the following keyvalues is set to a value greater than 0:
- MaxAllowedCost - Set to configure the cap mechanism for logs and reports
- MaxAllowedCostDCF - Set to configure the cap mechanism for the DCF

The values represent the top time or size threshold permitted for generating the report or log, or executing the DCF rule on which it is set. Once the values are set, they apply to all queries run in the system.

Once it is configured, users may enable or disable the cap mechanism as needed by clicking the Cap button in the Advanced Search pane or the DCF Rule dialog box. (This button is only displayed when the relevant keyvalue is set to be greater than 0.)

To cap the search results:
1. In the Advanced Search pane, click Cap.
2. Generate the report or log as usual. If the result set exceeds the threshold defined by the cap, it is not generated and a message is returned. The mechanism stops creation of the report or log, or execution of the rule, as soon as it recognizes that the defined caps have been or will be exceeded. Keep in mind, therefore, that the execution may already be in progress when the cap mechanism stops it.
3. If this happens, refine your search criteria to produce a result set that remains within the threshold. For example, set a shorter time period for the search, restrict the query to only specific folders or file servers, select specific users, and so on.
4. Execute the search or the rule again.

Saving Defined Searches

DatAdvantage enables you to save all the criteria you have defined for a particular search in an XML file, so that you can create templates of searches you perform on a regular basis.

To save a defined search:
1. On the Advanced Search toolbar, click Save/Load > Save As or Import/Export Filter > Export to File, as relevant.
2. Save the search according to standard Windows procedures.

Loading Defined Searches

To load a saved search:
1. On the Advanced Search toolbar, click Save/Load > Load or Import/Export File > Import from File as relevant.
2. Locate the required search according to standard Windows procedures and click Open. The search is loaded.

Resetting the Advanced Search Criteria

To reset the advanced search criteria:
- In the Advanced Search pane, click Reset. All defined search criteria, including filtering, sorting and grouping options, are cleared and the basic advanced search framework is restored. In report templates, this button resets the displayed filter to the filter last saved with the template.

6 WORK AREA

The DatAdvantage Work Area provides greater visibility to data and the effective rights users have to that data on the network. This area also displays a virtual view of user and group rights, based on recommendations made by IDU Analytics or changes made manually by the administrator.

The representation of data in this area allows for direct comparison between the permissions currently associated with users and groups, and DatAdvantage recommendations made after analyzing and classifying actual data usage in the environment. Administrators can see the recommendations for removing or adding access rights to directories and files, and editing user and group relationships before committing the changes in the Active Directory environment.

The Work Area comprises the following panes:
- Existing Users and Groups - Hidden by default, but can be displayed by clicking the Show/Hide button
- Directories
- Recommended Users and Groups
- Errors

Understanding the Work Area

DatAdvantage displays permissions in a number of ways, depending on whether the entity you select (the current active entity) is a user, group or directory.

Current Active Entity: Existing user or group
Permission Indications, in the Directories pane:
- Color-coding:
  - Green - The active entity has permissions for the directory or file.
  - Yellow - The active entity does not have (and never had) permissions for the directory or file.
- Permissions column - Displays the specific permissions for the active entity.
- Explanations column - Provides further information about the permissions granted to the selected user or group.

Current Active Entity: Recommended user or group
Permission Indications, in the Directories pane:
- Color-coding:
  - Green - The active entity has permissions for the directory or file.
  - Yellow - The active entity does not have (and never had) permissions for the directory or file.
  - Red - It is recommended to remove or modify the active entity's permissions to the directory or file.
- Permissions column - Displays the specific permissions for the active entity.
- Explanations column - Provides further information about the permissions granted to the selected user or group.

Current Active Entity: Directory
Permission Indications:
- In the Existing Users and Groups list: Displays the actual permissions of each entity on the directory or file.
- In the Recommended Users and Groups list: Displays the recommended permissions of each entity on the directory or file, as follows:
  - Exclamation point - Indicates an error exists
  - Refresh symbol - A change has been made
  - Plus sign - Permissions have been added
  - X - Permissions have been removed
  - I - Indicates related problem or information
  - No access sign - May indicate a problem with permissions
- Permissions column - Color-coding indicates specific permissions that have been added or removed:
  - Green - Permissions that the administrator has added
  - Red - Permissions that have been removed, or that DatAdvantage recommends removing

Viewing Permissions

While the procedure for viewing permissions is the same throughout the Work Area, the actual display of permissions depends on the type of entity you have selected (that is, the current active entity).

To view the permissions a user or group actually has for a specific directory:
1. Select the Work Area.
2. In the Directories pane, locate the relevant entity.
3. Select the required Users and Groups list (click the Show/Hide button to display the Existing Users and Groups list if it is hidden).
4. In the selected Users and Groups list, locate the required entity.
5. Double-click the name of the entity. The entity's permissions are displayed.

The File System Permissions column displays permissions as follows:

Resource Type: Windows
Display: Standard Windows permissions:
- F - Full Control
- M - Modify
- R - Read
- W - Write
- L - List folder contents
- X - Read and execute

Resource Type: Unix
Display: Standard Unix permissions:
- Owner: R - Read, W - Write, X - Execute
- Group: R - Read, W - Write, X - Execute
- Other (represented as "Everyone"): R - Read, W - Write, X - Execute

Resource Type: On-premises SharePoint/SharePoint Online/OneDrive
Display: Standard SharePoint permission levels:
- Full Control
- Design
- Contribute
- Read
- Limited Access
- View Only
- Add Items (Anonymous) - On-premises SharePoint only
- Edit Items (Anonymous) - On-premises SharePoint only
- Delete Items (Anonymous) - On-premises SharePoint only
- View Items (Anonymous) - On-premises SharePoint only
- Entire Web site (Anonymous) - On-premises SharePoint only
- Lists and libraries (Anonymous) - On-premises SharePoint only
- Guest Link Edit (Anonymous) - SharePoint Online and OneDrive only
- Guest Link View (Anonymous) - SharePoint Online and OneDrive only

Resource Type: On-premises Exchange/Exchange Online
Display:
- Standard Exchange mailbox permissions: Full Access, Send As, Send On Behalf
- Standard Exchange sharing permission levels: None, Owner, Publishing Editor, Editor, Publishing Author, Author, Nonediting Author, Reviewer, Contributor, None

Resource Type: Directory services
Display: Standard role names related to each entity, such as Full Control, Read, Write, Special Permissions

If you are working with a directory or directory service object, you may find that the permissions are displayed in parentheses. This indicates Deny permissions.

For POSIX ACLs, lowercase letters indicate that the permission has been granted, but is masked; in effect, this means the permission does not exist.

Note: It is recommended that, in the ordinary course of work, you check the permissions of the protected and unique directories (those whose folder icon is decorated with a person). In general, all other directories (that is, those that are not unique) inherit their permissions from the unique parent, and are therefore color-coded the same way the parent directories are. However, on NTFS, permissions can be set for only a specific directory, or to a specified set of sub-directories. This means there may be unique directories whose color-coding is different than the directories from which they inherited, since they have different permissions.
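The lowercase convention for POSIX ACLs described above can be reproduced outside the product when auditing a Unix share. The following is an added example, not DatAdvantage code: it parses getfacl-style text, applies the mask to named users, the owning group and named groups, and renders granted-but-masked rights in lowercase. The sample ACL, the names alice and finance, and the use of uppercase for effective rights (following the R/W/X legend above) are assumptions.

```python
"""Effective POSIX ACL rights, with masked rights shown in lowercase.

Added example, not DatAdvantage code. Input is getfacl-style text.
"""

# Constructed sample ACL; alice and finance are hypothetical names.
SAMPLE_ACL = """\
user::rwx
user:alice:rwx
group::r-x
group:finance:rw-
mask::r--
other::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}
VALID_TAGS = ("user", "group", "mask", "other")


def parse_perms(text):
    """Turn a field such as 'rw-' into a 3-bit integer."""
    if len(text) != 3:
        raise ValueError(f"bad permission field: {text!r}")
    bits = 0
    for found, expected in zip(text, "rwx"):
        if found == expected:
            bits |= PERM_BITS[expected]
        elif found != "-":
            raise ValueError(f"bad permission field: {text!r}")
    return bits


def parse_acl(text):
    """Return (tag, qualifier, bits) tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] not in VALID_TAGS:
            raise ValueError(f"bad ACL entry: {raw!r}")
        entries.append((parts[0], parts[1], parse_perms(parts[2])))
    return entries


def mask_applies(tag, qualifier):
    """The mask limits named users and all group entries, never owner or other."""
    return tag == "group" or (tag == "user" and qualifier != "")


def render(granted, effective):
    """Uppercase = effective, lowercase = granted but masked, '-' = not granted."""
    out = []
    for letter in "rwx":
        bit = PERM_BITS[letter]
        if effective & bit:
            out.append(letter.upper())
        elif granted & bit:
            out.append(letter)
        else:
            out.append("-")
    return "".join(out)


def effective_acl(text):
    """Map 'tag:qualifier' to its display string and its masked-out bits."""
    entries = parse_acl(text)
    masks = [bits for tag, _, bits in entries if tag == "mask"]
    if len(masks) > 1:
        raise ValueError("more than one mask entry")
    mask = masks[0] if masks else 7  # no mask entry: nothing is masked
    report = {}
    for tag, qualifier, granted in entries:
        if tag == "mask":
            continue
        effective = granted & mask if mask_applies(tag, qualifier) else granted
        report[f"{tag}:{qualifier}"] = {
            "display": render(granted, effective),
            "masked": granted & ~effective & 7,
        }
    return report


def masked_entries(text):
    """Entries whose granted rights exceed what the mask lets through."""
    return sorted(k for k, v in effective_acl(text).items() if v["masked"])


if __name__ == "__main__":
    for name, info in effective_acl(SAMPLE_ACL).items():
        print(f"{name:<16} {info['display']}")
    print("masked:", ", ".join(masked_entries(SAMPLE_ACL)))
```

Entries returned by masked_entries are the ones worth reviewing: the grant is still stored in the ACL and becomes effective again if the mask is later widened.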

Viewing Permission Sources

The Explanations column of the Work Area displays the aggregated effective permissions for the selected user or group. It is limited to displaying only one of the groups from which any of the effective permission masks are inherited. However, the Permission Sources window displays highly detailed permission data. Specifically, it lists all the groups from which a permission mask is inherited, along with the root folder of the inheritance.

The window displays the following data related to permissions:
- NTFS-based platforms:
  - Detailed inheritance
- SharePoint/SharePoint Online/OneDrive:
  - The site in which the current and recommended permission levels are defined
  - The site collection administrators group permission and root folder
- Unix:
  - Permission type
  - Root user permission
- Exchange/Exchange Online:
  - Permission type
  - The mailbox folder from which mailbox permissions are inherited
- Directory service objects:
  - Detailed inheritance of permission roles

Note: For deleted users, the user name is displayed in the Permission Sources window.

Important: If a particular role has one ACE in one row and other ACEs in other rows (due to different flags or inheritance sources), full details are displayed in the header. This display is only available for roles that are Read/Write for property sets. It is not available for generic roles.

To view permission sources:
1. Select the Work Area.
2. In the selected Users & Groups list, locate the required entity.
3. Double-click the name of the entity. The entity's permissions are displayed.
4. In the Directories pane, locate the relevant entity.
5. Right-click and select Permission Sources. The Permission Sources window is displayed.

Viewing Permission Sources Causing Access Errors

This window enables users to view permission sources that are causing access errors. It is shown only if there are edited permissions causing access errors for a user/computer.

To view permission sources causing access errors:
1. Select the Work Area.
2. In the Expected Access Errors pane, expand the relevant item and select the Membership Changed/Permission Changed link. The Permission Sources window is displayed.
3. Click the Permission Sources Causing Access Errors tab.
4. Refer to the following:
   - Access Path with Permission Change - The path of the folder or special file on which the permission source has unique permissions.
   - Permission Source - The source through which the user has permissions on the folder and on which an editing command exists.

   - Time of Permission Change - The date and time of when the DA user/system editing action occurred (based on IDU server time).
   - Change By - The name of the user who created the editing command.
   - Current Permissions via Source - The current permission the entity has on the folder in the Admin Set but only through this source.
   - Current Flags via Source - The current permission flags the entity has on the folder in the Admin Set but only through this source.
   - Recommended Permissions via Source - The recommended permission the user has on the folder in the Existing Set but only through this source based on the displayed editing command.
   - Recommended Flags via Source - The recommended permission the user has on the folder in the Existing Set but only through this source.
   - Change Description - A description of the permission change.

Viewing Recommendations

While the procedure for viewing recommendations is the same throughout the Work Area, the actual display of recommendations depends on the type of entity you have selected (that is, the current active entity).

To view the recommendations that have been made for a user, group, directory or file:

Note: This has no relevance for directory service probing.

1. Select the Work Area.
2. In the Directories pane, locate the relevant entity.
3. In the Recommended Users and Groups list, locate the required entity.
4. Double-click the name of the entity. The entity's recommendations are displayed.

Managing Permissions

Editing Permissions on Windows Directories and Files

To adjust the permissions granted to a user or a group on a Windows machine:
1. Select the Work Area.
2. Locate the relevant directory or file.
3. Double-click the directory or file to display its permissions.

4. In either the Directories pane or the Recommended Users and Groups list, locate the entity whose permissions you want to edit.
5. Right-click the entity, and from the context menu, select Edit Permissions. The Properties dialog box is displayed.

   Important: This is not Microsoft's standard Permissions dialog box. Changes made here do not affect the real environment until they are actually committed.

6. In the Group or User Names area, select the group or user whose permissions you want to edit.
7. In the Permissions For area, select the permissions to be added to the entity, and clear the permissions to be removed from the entity. The changes you make are marked in green and red, to indicate added and removed permissions respectively. Each change you make automatically results in changes to other permissions in the virtual sandbox. For example, if a user had full control permissions on file, and you choose to deny the user write permissions, the Full Control, Modify and Write options are automatically cleared in the Allow column.

   Note: If you add permissions to a directory or file whose permission type is Inherited, the permission type becomes Unique.

8. To define special permissions and advanced settings, click Advanced. The Advanced Security Properties dialog box is displayed.

   a. To add a permission entry to the entity, click Add and define the permissions as relevant.
   b. To edit an existing permission entry:
      1. Click Edit. The Permission Entry For dialog box is displayed.
      2. From the Apply to drop-down list, select the objects to which the permissions will be applied.
      3. To apply these permissions to objects or containers within the current container, select the relevant checkbox at the bottom of the dialog box.

      4. To clear all permissions, select Clear All.
      5. Click OK.
   c. To remove a permission entry, select the relevant entry and click Remove.
   d. Click OK. The Advanced Security Properties dialog box is closed.
9. In the Properties dialog box, click OK. The dialog box is closed. After the views are refreshed, the changes in the entity's permissions are indicated as follows:
   - Exclamation point - Indicates an error exists
   - Refresh symbol - A change has been made
10. Synchronize the system.

Editing Permissions on Unix Directories and Files

To adjust the permissions granted to a user or a group on a Unix machine:
1. Select the Work Area.
2. Locate the relevant directory or file.
3. Double-click the directory or file to display its permissions.
4. In either the Directories pane or the Recommended Users and Groups list, locate the entity whose permissions you want to edit.
5. Right-click the entity, and from the context menu, select Edit Permissions. The Properties dialog box is displayed.

6. On the Permissions tab, do the following as necessary:
   - Owner - This field displays the entity's current owner. To change the owner, click Change and select the required owner from the Active Directory dialog box.
   - Owner Group - This field displays the owner group that has a relationship with the entity. To change the owner group, click Change and select the required owner group from the Active Directory dialog box.
   - Permissions - In the Permissions area, select the permissions to be added to the entity, and clear the permissions to be removed from the entity. The changes you make are marked in green and red, to indicate added and removed permissions respectively. Each change you make automatically results in changes to other permissions in the virtual sandbox.
   - Protection - In the Protection area, select various options to allow users to temporarily assume the permissions of the folder's owner or owner group.
     - Set UID - Select to allow users to assume the owner's user ID for the folder.
     - Set GID - Select to allow groups to assume the owner group's ID for the folder.
     - Sticky Bit - Select to allow files within the folder to be renamed or deleted only by the file's owner, the folder's owner, or a superuser.

   Note: If you add permissions to a directory or file whose permission type is Inherited, the permission type becomes Unique (see Adding Protection to a Directory or File). In addition, you can revert to the previous owner or group, or change the existing owner or group.

7. On the Access Control List tab, define POSIX ACLs as follows:
   a. In the Mask area, set the default Read, Write and Execute permissions for the User, Group and Other masks.
   b. In the Extended area, click Add to add specific users or groups and set their permissions.
   c. To remove a user or group from the POSIX ACL, select its row in the Extended area and click Remove.
8. Click OK.

Editing Permissions and Permission Levels in On-Premises SharePoint and SharePoint Online

Note: The following information is also relevant for OneDrive.

Adding Permission Levels to On-Premises SharePoint and SharePoint Online Directories and Files

This operation adds a permission level to a site. The scope of the permission level includes the site and all its descendants (except for sites with protected permission levels and their descendants). Once the permission level is added, it can be assigned to users on items in the scope.
- Permission levels can only be added to sites with protected permission levels.
- Two permission levels cannot have the same name.
- You can restore a permission level that was previously deleted. This undoes the Remove Permission Level command.
- Names are not case-sensitive.

Removing Permission Levels

This operation removes the permission level from the site.
- This operation removes all the ACEs with the permission level in the scope of the permission level.
- The permission level cannot be assigned to users after it is removed.
- You can only remove permission levels from sites with protected permission levels.
- If the permission level is removed and then restored, the ACEs that were deleted should also be restored, and the Remove Permission Level command is cancelled.
- Effect on previous commands:
  - Removing a permission level that was added and has not been committed yet deletes the Add Permission Level command.
  - Previous Change Permission Level Name, Description or Mask commands on this permission level are deleted.
  - Previous Add Assignment commands referencing this permission level are deleted.
  - Previous Remove Assignment commands referencing this permission level are deleted.
- Limited Access, Full Control and Anonymous permission levels cannot be removed.

Changing Permission Level Name

This operation changes the permission level name. It has no effect on the permissions themselves.
- Limited Access, Full Control and Anonymous permission levels cannot be changed.
- You cannot change the name of a permission level you previously removed.
- Names are not case-sensitive.

Changing Permission Level Description

This operation changes the permission level description. It has no effect on the permissions themselves.
- Limited Access, Full Control and Anonymous permission levels cannot be changed.
- You cannot change the description of a permission level you previously removed.

Changing Permission Level Access Mask

This operation changes the permission level access mask.
- The access mask cannot be empty.
- Limited Access, Full Control and Anonymous permission levels cannot be changed.
- You cannot change the mask of a permission level you previously removed.

Adding Permissions

This operation adds permissions to a user or group for an entity. It creates Limited Access assignments for the user in all parent-protected items up to the first protected site (if they do not already exist).
- You cannot assign the Limited Access permission level directly.
- You cannot assign permission levels to the Site Collection Administrators group.

- You can assign anonymous permission levels only to sites and lists (not to children of lists).
- For sites and document libraries you can only add the View (Anonymous) permission level. DatAdvantage only supports lists of the Document Library type.
- For the Anonymous user, Limited Access ACEs are not created.
- You cannot assign a deleted permission level.
- You can restore deleted permissions or an entire user. This cancels the Remove Assignment command and restores the deleted ACEs.

Removing Permissions

This operation removes permissions from a user on an item. There are two modes for this operation:
- Remove a single regular permission - Simple mode, in which only the permission is removed.
- Remove all a user's permissions - Complex mode. This operation removes all the permissions for this user in child items down to protected sites.

The following also apply:
- Removing the last permission level on an item from a user also removes the entire user. This does not apply to the Anonymous user.
- Removing a permission that was added but not committed removes the permission and cancels the Add Permission command.
- You can remove the anonymous permissions from sites and lists.
- You cannot remove the Full Control permission level from the Site Collection Administrators group.

Changing Protection or Inheritance

This operation can be performed in the following modes:
- Add protection with copy permissions.
- Add protection without copy permissions.
- Remove protection (inherit permissions).

The operation marks the item as protected and copies all the assignments from the protected parent.

Adding Protection with Copying Permissions

- Anonymous permissions are not copied when adding protection to descendants of lists (only to lists and subsites).
- Adding protection to an item inside a list that has anonymous permissions does not copy the anonymous permissions.

Adding Protection without Copying Permissions

This operation marks the item as protected but does not copy the permissions from the protected parent item. There are two exceptions to this:
- The Site Collection Administrator Full Control ACE is still copied.
- Anonymous permissions are still copied for lists and subsites.

All the ACEs in descendant items are deleted down to the protected sites.
This operation is not supported from the SharePoint web interface.

Removing Protection (Inheriting)

This operation marks the item as inherited. When removing protection from a site, all the descendant protected items also become inherited, down to the protected sites.

Effect on previous commands - When protection is removed from a site:
- Add/Remove Protection commands in the operation scope are deleted.
- Add/Remove Permission commands in the operation scope are deleted.

Protecting Permission Level Definitions

This operation breaks the inheritance of permission level definitions and copies the permission levels from the protected permission levels parent site, and the permissions from the protected parent site. All the ACEs on descendant items that used the old permission levels are modified to point to the new permission levels.
- Permission level definitions can only be on sites.
- If the site was inherited it becomes protected.
- Permissions and access stay the same.

Caution: This operation might cause data corruption on SharePoint versions earlier than service pack

Inheriting Permission Level Definitions

This operation resets the inheritance of permission level definitions, and removes the permission level definitions from the site. All the protected descendant items of the site down to the protected permission level sites and the site itself become inherited. You cannot inherit permission level definitions in the site collection root site.
Caution: This operation might cause data corruption on SharePoint versions earlier than service pack

Effect on previous commands - When inheriting permission levels of a site:
- Add/Remove/Change Permission Level commands in the site are deleted.
- Add/Remove Protection commands in the operation scope are deleted.
- Add/Remove Assignment commands in the operation scope are deleted.

Editing On-Premises SharePoint and SharePoint Online Permissions

Note: The following procedure is also relevant for OneDrive.

To edit permissions:
1. Select the Work Area.
2. Locate the relevant site or subsite.
3. In either the Directories pane or the Recommended Users and Groups list, locate the entity whose permissions you want to edit.
4. Right-click the entity, and from the context menu, select Edit Permissions. The Edit Permissions dialog box is displayed.
5. In the Group or User Names area, select the group or user whose permissions you want to edit. (To add a user or group, click Add and browse to the required entity.)
6. In the Permission Levels area, set the entity's permissions as follows:
   a. To add a permission level, click Add. The Select Permission Levels dialog box is displayed.

   b. Select the required permission level and click OK. The permission level is added to the entity.
   c. To remove a permission level from the entity, select it and click Remove. The permission level is removed from the entity.
7. Click OK.

Note: If you add permissions to a directory or file whose permission type is Inherited, the permission type becomes Unique.

Editing On-Premises SharePoint and SharePoint Online Permission Levels

Note: The following procedure is also relevant for OneDrive.

Windows SharePoint Services includes five permission levels by default:
- Full Control
  - Cannot be customized
  - Contains a full access mask
- Limited Access
  - Designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving them access to the entire site
  - Cannot be customized or deleted
  - Cannot be assigned directly
- Read
  - Can be customized and deleted
  - Has a special permission level type in SharePoint
  - Is automatically given to a site when protecting its permission levels, even when choosing to not copy the permission levels from the parent

- Contribute
  - Can be customized and deleted
  - Has a special permission level type in SharePoint
  - Is automatically given to a site when protecting its permission levels, even when choosing to not copy the permission levels from the parent
- Design
  - Can be customized and deleted
  - Has a special permission level type in SharePoint
  - Is automatically given to a site when protecting its permission levels, even when choosing to not copy the permission levels from the parent

Anonymous Permission Levels

Anonymous permission levels appear in DatAdvantage for all SharePoint objects (except for Web sites) as follows:
- View Items (Anonymous)
- Edit Items (Anonymous)
- Add Items (Anonymous)
- Delete Items (Anonymous)

Anonymous permission levels appear in DatAdvantage for SharePoint Web sites as follows:
- Lists and libraries (Anonymous)
- Entire Web site (Anonymous)

The following restrictions apply to anonymous permission levels:
- Sites can only be assigned the View (Anonymous) permission level.
- Document libraries can only be assigned the View (Anonymous) permission level.
- Sub-items of lists cannot be assigned anonymous permission levels.
- Protected items of lists are never accessible to anonymous users.

For SharePoint sites that are monitored by DatAdvantage, you can customize the permissions available in these permission levels (except for the Limited Access and Full Control permission levels), or you can create new permission levels that contain specific permissions.

Permission levels are inherited from the parent site. This means that to edit a site's permission levels, you must either edit the parent site, or break the inheritance.

To edit permission levels:
1. Select the Work Area.
2. Locate the relevant site or subsite.
3. In either the Directories pane or the Recommended Users and Groups list, locate the entity whose permissions you want to edit.
4. Right-click the entity, and from the context menu, select Edit Permission Levels.
   The Edit Permission Levels dialog box is displayed.

5. To add a permission level:
   a. Click Add. The Add Permission Level dialog box is displayed.
   b. Enter a name and a description for the permission level.
   c. Click OK. The permission level is added to the list at the top of the dialog box.

6. To edit a permission level:
   a. Select the relevant permission level from the list.
      Note: You cannot edit the five default permission levels.
   b. In the bottom pane, select the permissions to be added to the permission level. You may select permissions from any of the following categories (see the descriptions in the dialog box for more information):
      - List permissions
      - Site permissions
      - Personal permissions
   c. Click OK. The permissions are changed and marked as follows:
      - Additional permissions are marked in green
      - Removed permissions are marked in red
      Each change you make automatically results in changes to other permissions. For example, if you remove the View Pages permission, the Use Self-Service permission is automatically removed.
7. To remove permissions from a permission level:
   a. In the top list, select the relevant permission.
   b. Click Remove.

After a change is made, the name of the changed permission level and an asterisk (*) are displayed when you click a user. These indications remain in place until the change to the permission level is either committed or undone.

Editing Permissions and Permission Levels in Exchange

Attention: DatAdvantage supports only manual editing for Exchange storage groups; it does not provide recommendations.

In general, DatAdvantage displays Exchange permissions in an intuitive, user-friendly fashion. However, keep the following points in mind:
- A special entity called SELF exists on each mailbox, representing the mailbox's owner. When a mailbox is double-clicked, SELF is displayed as an object in the Users & Groups list. When the actual owner name is double-clicked in a Users & Groups list, the SELF account is taken into consideration and added to the effective permissions.
- Exchange provides an ACL called None, to deny other users access to a particular mailbox. Despite its name, this ACL allows people (specifically, the mailbox owners themselves) to access the mailbox.

Note: Editing permissions and permission levels in Exchange Online is not supported.

Editing Exchange Mailbox Permissions

You can only edit mailbox permissions at the level of the mailbox itself. You cannot edit the permissions defined for a mailbox's folders, such as its inbox or its calendar. (However, sharing permissions may be edited for the mailbox's individual folders.)

Note: Editing Exchange Online mailbox permissions is not supported.

To edit mailbox permissions:
1. Select the Work Area.
2. In the Directories pane, locate the relevant mailbox.
3. Right-click the mailbox and from the context menu, select Edit Permissions. The Permissions dialog box is displayed, with the Mailbox Permissions tab open.
   Note: You can access this dialog from the Users & Groups panes by clicking the name of the permission level associated with the entity, but in this case the dialog box is opened in read-only mode.

4. In the User or Group Names area, select the group or user whose permissions you want to edit. (To add a user or group, click Add and browse to the required entity.)
5. In the Permissions for User area, select the permissions to be added to the entity, and clear the permissions to be removed from the entity. The changes you make are marked in green and red, to indicate added and removed permissions respectively. Each change you make automatically results in changes to other permissions in the virtual sandbox.
6. Click OK.

Editing Exchange Sharing Permissions

Note: Editing Exchange Online sharing permissions is not supported.

You may edit sharing permissions for an entire mailbox, for individual folders within the mailbox, or for public folders as necessary.

To edit a mailbox's sharing permissions:
1. Select the Work Area.
2. In the Directories pane, locate the relevant mailbox.

3. Right-click the mailbox or folder, and from the context menu, select Edit Permissions. The Permissions dialog box is displayed, with the Mailbox Permissions tab open.
   Note: You can access this dialog from the Users & Groups panes by clicking the name of the permission level associated with the entity, but in this case the dialog box is opened in read-only mode.
4. Select the Sharing Permissions tab.

5. In the upper area, select the group or user whose permissions you want to edit. (To add a user or group, click Add and browse to the required entity.) The entity's permission level is indicated in the lower area.
6. Edit the entity's permissions as follows:
   - To change the entity's permissions according to a built-in permission level, select the required permission level from the list.
   - To create custom permissions for the entity, select or clear the permissions in the lower area as required.
   The changes you make are marked in green and red, to indicate added and removed permissions respectively. This markup is also used to indicate the differences if you change the built-in permission level associated with the entity. Each change you make automatically results in changes to other permissions in the virtual sandbox.

7. Click OK.

Viewing Directory Service Permissions

To view the permissions a directory service account has on an entity:
1. Select the Work Area.
2. In the Directories pane, locate the relevant entity.
3. Right-click the entity and select View Permissions. The Security Properties window for the entity is displayed.

   If opened from the Directories pane, this window displays all ACLs that exist on the selected entity. If opened from the Users and Groups pane (following the selection of a directory service entity), this window displays only the roles and ACEs that exist on that directory for the selected account.
4. To view special permissions and advanced settings, click Advanced. The Advanced Security Properties window is displayed. This window displays all permission entries, or ACL trustees, that comprise the ACL.

5. To set the permission entries as inherited from their parent objects, select the option: Inherit permission entries from parent that apply to child objects. Include these with entries explicitly defined here.
6. To view more information about a permission entry, select it and click View. The Permission Entry window is displayed.
7. Select Apply these permissions to objects and/or containers within this container only as necessary.

Managing Directories and Files

Creating Groups with Permissions to Directories

Before your first use of the Group Creation Wizard, configure the relevant settings on the Group Creation tab in the Management Console. Only users with the Commit/Edit role can create groups.

Note: This feature is only available for Windows file servers.

To create a new group with the permissions required for a directory:
1. Select the Work Area.
2. In the Directories pane, right-click the directory or file to which you want to add a user or group.
3. Click Create New Group with Permissions.

   The Group Creation Wizard is displayed.
4. On the New Group page of the wizard, set the following properties for the group you want to create:
   - Group path - Select the domain or OU in which to create the new group.
   - Group name - Define a name for the new group.
   - Group name (pre-Windows 2000) - If necessary, define the SAM account name for the new group. Automatically populated when the Group name field is populated.
   - Description - Enter a free-text description of the group, up to 1024 characters.
   - Group scope - Determine the scope of the new group.
     Note: This pane is only visible for Active Directory 2000 and higher.
     - Domain local - A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain in which the domain local group is located.
     - Global - A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
     - Universal - A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported for Windows
   - Group type - Determine whether the group is a security group or a distribution group.
     Note: Since distribution groups cannot be granted permissions, the distribution group option is only available if the wizard is started from the Recommended Users and Groups pane.
5. Click Next. The Members page is displayed.
6. To add members to the group, click Add and search for the required users in the Directory Services Search dialog box.
   Note: The entities available for selection are determined by the group scope you defined earlier.
7. For advanced options in adding members to the group, click one of the following:
   Note: The entities available for selection are determined by the group scope you defined earlier.
   - Add members from other groups - (this option will only display groups) opens the Directory Services Search dialog box.

     Use the functionality to search for users from other groups and then select one of the following options in the Select which accounts are added area at the bottom:
     - All selected accounts - All objects in Selected Entities will be added as direct members to the new group and will be shown in the Members pane in the Group Creation Wizard.
     - All nested user and computer accounts - All user/computer members (direct and indirect) are copied from the selected groups to the Members pane in the Group Creation Wizard.
     - Only the selected groups' first level child members - All selected users and direct group members directly under the selected groups are copied to the Members pane in the Group Creation Wizard.
   - Add users or groups with existing permissions - opens the Users/Groups with Existing Permissions dialog box and displays current existing permissions on the selected folder.

     Select the users and groups from the Available Entities area for display in Selected Entities. Select one of the following options in the Select which accounts are added area at the bottom:
     - All selected accounts - All objects in Selected Entities will be added as direct members to the new group and will be shown in the Members pane in the Group Creation Wizard.
     - All nested user and computer accounts - All user/computer members (direct and indirect) are copied from the selected groups to the Members pane in the Group Creation Wizard.
     - Only the selected groups' first level child members - All selected users and direct group members directly under the selected groups are copied to the Members pane in the Group Creation Wizard.
8. To remove members, select them from the list and click Remove.
   Note: If you click Back and change the group scope or type, the members you already selected will be removed from the list.
9. Click Next. The Excluded Users and Groups dialog box is displayed, with a list of exceptions of users\groups that cannot be added.

   - Excluded Account - The name of the excluded user\group.
   - Reason - The reason for the exclusion.
   Note: Reasons for possible exclusion are:
   - For groups - Group type mismatch or untrusted domain
   - For users - A user from an untrusted domain, or a user cannot be added to global and universal groups
   To remove a user/group from the list, do as follows:
   a. Select a user or group.
   b. Click OK. The user or group is now removed from the Members window.
10. Click Next. The Permissions page is displayed.

11. Select the required Allow and Deny permissions.
12. To define special permissions and advanced settings, click Advanced. The Advanced Security Properties dialog box is displayed.

    a. To add a permission entry to the entity, click Add and define the permissions as relevant.
    b. To edit an existing permission entry:
       1. Click Edit. The Permission Entry For dialog box is displayed.
       2. From the Apply to drop-down list, select the objects to which the permissions will be applied.
       3. To apply these permissions to objects or containers within the current container, select the relevant checkbox at the bottom of the dialog box.

       4. To clear all permissions, select Clear All.
       5. Click OK.
    c. To remove a permission entry, select the relevant entry and click Remove.
    d. Click OK. The Advanced Security Properties dialog box is closed.
13. Click Next. The Summary page is displayed.
14. After you have reviewed your work, click Execute to create the group.

15. Select the Commit these changes option to commit the changes immediately and click Finish.
16. (Optional) Commit the changes.
    Note: You may be required to provide your credentials before the Commit dialog box is displayed.
    Note: If the folder has inconsistent ACLs, the Commit these changes option is disabled.

Adding Users or Groups to Directories and Files

This activity may only be performed for directories located on Windows machines.

To add a user or group to a directory or file:
1. Select the Work Area.
2. In the Directories pane, right-click the directory or file to which you want to add a user or group.
3. From the context menu, select Add Permission. The Directory Services Search dialog box is displayed.

4. Select the entity (user or group) to receive permission for the directory or file.
5. Click OK. The Directory Services Search dialog box is closed, and the entities are granted minimum permissions for the directory or file:
   - R - Read. The user or group may read from the directory or file
   - X - Execute. The user or group may execute files in the directory or file
6. Edit the permissions as necessary. The changes you make are marked in green and red, to indicate added and removed permissions respectively. Each change you make automatically results in changes to other permissions in the virtual sandbox.
7. Synchronize the system.

Locating Mailbox Owners

To locate a mailbox's owner:
1. Select the Work Area.
2. In the Directories pane, right-click the relevant mailbox.
3. From the context menu, select Locate Mailbox Owner. The owner is identified and displayed in the Recommended Users & Groups pane.

4. Edit the permissions as necessary. The changes you make are marked in green and red, to indicate added and removed permissions respectively. Each change you make automatically results in changes to other permissions in the virtual sandbox.
5. Synchronize the system.

Locating Directory Service Objects in the Users & Groups Pane

To locate a directory service object in the Users & Groups pane:
1. Select the Work Area.
2. In the Directories pane, right-click the relevant directory service object.
3. From the context menu, select Locate in Users' Pane. The user or group is identified and displayed in the Recommended Users & Groups pane.

Creating a Folder Automatically Recognized by DatAdvantage

It is possible to create a folder that will be automatically recognized by DatAdvantage without the need to run the FileWalk and PullWalk jobs, and can be used immediately. It will be displayed as virtual in the sandbox until it is committed.

In the Work Area, right-click the folder for which you want to create a sub-folder, and select Create New Folder. The Create New Folder dialog box is displayed. Note that Parent folder path is already populated according to the folder you selected.

Do as follows:
- Parent folder path - Browse for the parent folder of the folder that you are creating, or accept the default.
- Folder name - The name of the folder that you are creating.
- Share Folder - Select whether to share the folder. If so, the share will have the same name as the folder. Additionally, the share will be created with the Everyone group with full control permissions.
- Commit these changes - Select to commit the changes.
- Cancel - Leave the process without saving any changes.

Refer to the following example:

Click OK. The new folder is displayed in the Work Area, in sandbox mode.

Managing Permission Flags

Permissions for directories and files are categorized by three types of flags:
- Protected - A protected directory or file does not inherit any permissions from its parent. Its icon is decorated with a lock.
- Unique - A unique directory or file has both inherited permissions and other permissions defined specifically for it. If an object has effectively different permissions than its parent permissions, it is designated as "distinguished unique". Both unique and distinguished unique objects are marked with a person image.
- Inherited - An inherited directory or file only inherits permissions from its parent. It has no special permissions of its own. Its icon is not decorated with anything.

Adding Protection to a Directory or File

DatAdvantage enables you to change a permission flag from Unique or Inherited to Protected. This means the link between the directory or file and its parent is broken, and changes to the parent's permissions no longer affect the child. However, you may choose to preserve existing permissions when you change a permission flag to Protected. The changes take effect when you commit them to the environment.

Note: In addition to the method described here, you can also change a folder with inherited permissions to Protected by removing any of the inherited permissions. If you do so, a confirmation message is displayed, enabling you to change the folder to Protected before removing the permissions.

To add protection to a directory or file:
1. Select the Work Area.
2. Locate the relevant directory or file.
3. Right-click the directory or file, and from the context menu, select Add Protection to Directory. The following message is displayed: You are about to change this directory to be protected. Do you want to copy permissions from the current parent directory?
   Note: Use this command for files as well.
4. Click the relevant button in the message:
   - Yes - To preserve the inherited permissions but break the link with the parent entity.
   - No - To define unique permissions and break the link with the parent entity.
   The entity's icon is decorated with a lock to indicate it is protected. The Recommended Users and Groups list is updated accordingly.
5. Synchronize the system.

Removing Protection from Directories and Files

DatAdvantage enables you to change a permission flag from Protected to Inherited. This means a link is created between the directory or file and its parent, and changes to the parent's permissions affect the child. However, you may choose to preserve existing unique permissions when you change a permission flag to Inherited.

To remove protection from a directory or file:
1. Select the Work Area.
2. Locate the relevant directory or file.
3. Right-click the directory or file, and from the context menu, select Remove Protection from Directory. The following message is displayed: You are about to remove the protection flag from this directory. Do you want to leave existing unique permissions?
   Note: Use this command for files as well.
4. Click the relevant button in the message:
   - Yes - To preserve existing unique permissions but create a link with the parent entity.
   - No - To let the directory inherit all permissions from the parent entity.
   The lock decorating the entity's icon is removed.
   The Recommended Users and Groups list is updated accordingly.
5. Synchronize the system.
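The following sketch models the three permission flags and the Yes/No choices of the Add Protection and Remove Protection messages described above. It is an added example, not DatAdvantage code: the `Item` and `Ace` classes, the rights letters and the sample tree are constructed, Deny entries are not modelled, and it assumes that answering No when adding protection leaves only the entries already defined on the item itself.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: frozenset  # constructed rights letters, e.g. {"R", "X"}


@dataclass
class Item:
    name: str
    parent: Optional["Item"] = None
    protected: bool = False  # True = link to the parent is broken
    explicit: List[Ace] = field(default_factory=list)  # ACEs defined on the item itself

    def inherited(self) -> List[Ace]:
        # A protected item (or a root) receives nothing from its parent.
        if self.parent is None or self.protected:
            return []
        return self.parent.effective()

    def effective(self) -> List[Ace]:
        return self.inherited() + self.explicit


def rights_map(aces):
    """Collapse an ACE list to {trustee: union of rights} so two ACLs can be compared."""
    merged = {}
    for ace in aces:
        merged.setdefault(ace.trustee, set()).update(ace.rights)
    return {trustee: frozenset(r) for trustee, r in merged.items()}


def flag(item: Item) -> str:
    """Return the flag the guide describes: Protected, Unique, Distinguished unique, Inherited."""
    if item.protected or item.parent is None:
        return "Protected"
    if not item.explicit:
        return "Inherited"
    same = rights_map(item.effective()) == rights_map(item.parent.effective())
    return "Unique" if same else "Distinguished unique"


def add_protection(item: Item, copy_parent_permissions: bool) -> None:
    # Yes: freeze the currently inherited ACEs as the item's own before breaking the link.
    # No: break the link only (assumption: existing explicit ACEs stay in place).
    if copy_parent_permissions:
        item.explicit = item.inherited() + item.explicit
    item.protected = True


def remove_protection(item: Item, keep_unique: bool) -> None:
    # Yes: keep the item's own ACEs and inherit again. No: inherit everything from the parent.
    if not keep_unique:
        item.explicit = []
    item.protected = False


def build_sample():
    """Constructed two-level tree: a protected share and one inheriting folder."""
    share = Item("share", protected=True,
                 explicit=[Ace("Finance", frozenset("RWX")), Ace("Admins", frozenset("F"))])
    reports = Item("reports", parent=share)
    return share, reports


if __name__ == "__main__":
    share, reports = build_sample()
    print(flag(reports))                       # Inherited
    reports.explicit.append(Ace("Auditors", frozenset("R")))
    print(flag(reports))                       # Distinguished unique
    add_protection(reports, copy_parent_permissions=True)
    share.explicit = []                        # later change on the parent
    print(flag(reports), sorted(rights_map(reports.effective())))
```

In this model, protecting an Inherited item without copying leaves it with no entries at all, which is why the choice in the confirmation message matters before committing.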

Removing Non-Inherited Permissions from Directories and Files

DatAdvantage enables you to change a permission flag from Unique to Inherited. This means the directory or file inherits all permissions from its parent.

To remove non-inherited permissions from a directory or file:
1. Select the Work Area.
2. Locate the relevant directory or file.
3. Right-click the directory or file, and from the context menu, select Remove Non-inherited Permissions. The following message is displayed: You are about to remove this directory's uniqueness. The directory will inherit parent permissions that apply to child entities. Are you sure?
   Note: Use this command for files as well.
4. Click the relevant button in the message:
   - Yes - To remove all unique permissions from the entity. Changes to the parent entity's permissions affect the directory or file.
   - No - To preserve unique permissions for the entity.
   The person image decorating the entity's icon is removed. The Recommended Users and Groups list is updated accordingly.
5. Synchronize the system.

Managing Users and Groups

Creating Groups

Before your first use of the Group Creation Wizard, configure the relevant settings on the Group Creation tab in the Management Console. Only users with the Commit/Edit role can create groups.

To create a new group:
1. Select the Work Area.
2. Select the Recommended Users and Groups pane on the right.
3. Select Account Management > Create Group. The Group Creation Wizard is displayed.

4. On the New Group page of the wizard, set the following properties for the group you want to create:
   - Group path - Select the domain or OU in which to create the new group.
   - Group name - Define a name for the new group.
   - Group name (pre-Windows 2000) - If necessary, define the SAM account name for the new group. Automatically populated when the Group name field is populated.
   - Description - Enter a free-text description of the group, up to 1024 characters.
   - Group scope - Determine the scope of the new group.
     Note: This pane is only visible for Active Directory 2000 and higher.
     - Domain local - A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain in which the domain local group is located.
     - Global - A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
     - Universal - A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported for Windows
   - Group type - Determine whether the group is a security group or a distribution group.
     Note: Since distribution groups cannot be granted permissions, the distribution group option is only available if the wizard is started from the Recommended Users and Groups pane.
5. Click Next. The Members page is displayed.
6. To add members to the group, click Add and search for the required users in the Directory Services Search dialog box.
   Note: The entities available for selection are determined by the group scope you defined earlier.
7. For advanced options in adding members to the group, click Advanced Options to open the Directory Services Search dialog box.
   Note: The entities available for selection are determined by the group scope you defined earlier.

8. Use the functionality to search for users from other groups and then select one of the following options in the Select which accounts are added area at the bottom:
   - All selected accounts - All objects in Selected Entities will be added as direct members to the new group and will be shown in the Members pane in the Group Creation Wizard.
   - All nested user and computer accounts - All user/computer members (direct and indirect) are copied from the selected groups to the Members pane in the Group Creation Wizard.
   - Only the selected groups' first level child members - All selected users and direct group members directly under the selected groups are copied to the Members pane in the Group Creation Wizard.
9. To remove members, select them from the list and click Remove.
   Note: If you click Back and change the group scope or type, the members you already selected will be removed from the list.
10. Click Next. The Excluded Users and Groups dialog box is displayed, with a list of exceptions of users\groups that cannot be added.

    - Excluded Account - The name of the excluded user\group.
    - Reason - The reason for the exclusion.
    Note: Reasons for possible exclusion are:
    - For groups - Group type mismatch or untrusted domain
    - For users - A user from an untrusted domain, or a user cannot be added to global and universal groups
    To remove a user/group from the list, do as follows:
    a. Select a user or group.
    b. Click OK. The user or group is now removed from the Members window.
11. Click Next. The Summary page is displayed.

After you have reviewed your work, click Execute to create the group.

Deleting Groups

You can delete groups from the Recommended Users and Groups pane, according to the following guidelines:
   Only Active Directory and local host groups can be deleted.
   Abstract and built-in groups cannot be deleted.
   Rollback is not supported. Once a group is deleted, the same group with the same SID cannot be recreated with the original permissions.

To delete a group:
1. Select the Work Area.
2. Select the Recommended Users and Groups pane on the right.
3. Right-click the relevant group and select Account Management > Delete Group. A confirmation dialog box is displayed.
4. In the confirmation dialog box, click the relevant button:
   Delete - Click to save the delete operation without committing the change to Active Directory.
   Delete and Commit - Click to delete the group and commit the deletion right away to Active Directory. This button is not available for groups that have never been committed to Active Directory.

If you close the Commit window without actually committing the deletion, you can restore the group by right-clicking it and selecting Restore Group.

Adding Users to Groups

Note: You cannot add Azure Active Directory users to groups.

To add a user to a group:
1. Select the Work Area.
2. Select the Recommended Users and Groups pane on the right.
3. Be sure the list is set to Parent view.
4. Locate the required group.
5. Right-click the group, and from the context menu, select Add Members. The Active Directory Search dialog box is displayed.
6. Select the user you want to add to the group.
7. Synchronize the system.

Removing Users from Groups

To remove a user from a group:
1. Select the Work Area.
2. Select the Recommended Users and Groups pane on the right.
3. Be sure the list is set to Parent view.
4. Locate the required group.
5. Under the group, right-click the relevant user, and from the context menu, select Remove Child. The user is marked with a red X.
6. Synchronize the system.

Restoring Relationships between Users and Groups

If you have removed a child object from a group but have not yet committed the change, you can easily restore the relationship between the two entities.

To restore a relationship between a user and a group:
1. Locate the required child object.
2. Right-click the entity and select Restore Relationship.
3. Synchronize the system.

Restoring Recommendations to Remove Users from Groups

The Restore Recommendation procedure is used to reinstate a rejected recommendation from the IDU Analytics engine to delete a user from a group.

To restore a recommendation to remove a user from a group:
1. Locate the required entity.
2. Right-click the entity and select Restore Recommendation. The red negate icon is replaced by a red X. The recommendation to remove a user is restored.
3. Synchronize the system.

Adding Group Membership to Users

To add a group to a user:
1. Select the Work Area.
2. Select the Recommended Users and Groups pane on the right.
3. Be sure the list is set to Child view.
4. Locate the required user.
5. Right-click the user, and from the context menu, select Add Group Membership. The Active Directory Search dialog box is displayed.
6. Select the group to be added to the user's definition.
7. Synchronize the system.

Removing Group Membership from Users

To remove group membership from a user:
1. Select the Work Area.
2. Select the Recommended Users and Groups pane on the right.
3. Be sure the list is set to Child view.
4. Locate the required user.
5. Under the user, right-click the relevant group, and from the context menu, select Remove Parent. The group is marked with a red X.
6. Synchronize the system.

Locating an Entity's Mailboxes

To locate the mailboxes related to a particular entity:

Note: This procedure cannot be performed on distribution groups. You cannot view the mailboxes of synchronized cloud users or groups if you have selected to display only entities from the Azure domain in the Users & Groups pane. In this case, to view the mailboxes related to a synchronized cloud user or group, you must first locate the domain user or group. For more information, see Locating Domain Users and Groups.

1. Select the Work Area.
2. In the relevant Users and Groups list, locate the entity whose mailbox you want to work with.
3. Right-click the entity and select Locate Mailboxes from the context menu. The entity's mailboxes are displayed in the Directories pane.
4. Edit the permissions as necessary. The changes you make are marked in green and red, to indicate added and removed permissions respectively. Each change you make automatically results in changes to other permissions in the virtual sandbox.
5. Synchronize the system.

Locating Domain Users and Groups

You can locate the domain user or group of objects synchronized to Azure Active Directory. The user or group is then identified and displayed as a domain object in the Users & Groups pane. This procedure can be performed in order to retrieve the permissions or mailboxes of synchronized cloud users and groups displayed in the Users & Groups pane.

This option is available only if you have selected to display only users or groups from the Azure domain in the Users & Groups pane.

To locate a domain user or group:
1. Select the Work Area.
2. In the Users & Groups pane, right-click the relevant synchronized user or group. Synchronized objects are marked as Synced.
   Note: The user list must be filtered to display only users or groups from the Azure domain. For instructions, see Viewing Azure Active Directory Objects in the Users & Groups Pane.
3. To locate the domain user that was synchronized to Azure Active Directory, from the context menu, select Locate Domain User.
4. To locate the domain group that was synchronized to Azure Active Directory, from the context menu, select Locate Domain Group.

The domain user or group is identified and displayed in the Recommended Users & Groups pane.

Creating a User Account

To create a user account:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Select Account Management > Create User. The Create User dialog box is displayed.

3. Set all properties as required on each tab and click OK when finished.
4. Enter the credentials of the user authorized to perform the commit action.
5. Click OK. The Action Processing dialog box is displayed.
6. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
7. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
8. Click Close.

Setting General User Properties

To set general user properties:
1. Select the General tab. The General tab is displayed.
2. Click the Browse button next to the Path text box to select the organizational unit in which the user will be created from the Organizational Unit dialog box. The path is the organizational unit or domain in which the user is created.
3. Enter the user's first name.
4. Enter the user's last name.
5. Enter the user's initials (maximum 6 characters).
6. Enter the user's full name (mandatory field).
7. Enter the user's display name (maximum 20 characters).
8. Enter the user's logon name (mandatory field).
9. Enter the user's logon name (pre-windows 2000). This is a mandatory field.
10. Enter the user's address.
11. If there are comments, enter them in the Description text box.

Setting User Account Properties

To set user account properties:
1. Select the Account tab. The Account tab is displayed.

2. In the Password area, enter the user's password according to configured password policy.
   a. Select Auto-generate Password if you want to use an automatically generated password.
   b. To enter a password of your choice, select Type a Password. Enter and confirm the password (mandatory fields).
   c. Tick the User must change name at next logon checkbox to select this option.
   d. Tick the User cannot change password checkbox to select this option.
   e. Tick the Password never expires checkbox to select this option.
3. In the Account area, select the date on which the account expires.
   a. If the account never expires, select Never.
   b. If the account expires on a specific date, select End of and select the date from the calendar.
4. Select the relevant options for configuring the account:
   Account is disabled
   Store password using reversible encryption
   Smart card is required for interactive logon
   Account is trusted for delegation (Win 2000/2003)
   Account is sensitive and cannot be delegated
   Use Kerberos DES encryption types for this account
   This account supports Kerberos AES 128-bit encryption (Win 2008, 2008R2 and higher)
   This account supports Kerberos AES 256-bit encryption (Win 2008, 2008R2 and higher)
   Do not require Kerberos pre-authentication

Defining Mailbox Settings

Note: This section applies to Exchange 2010 only.

Note: To enable creating mailboxes from within DatAdvantage, basic authentication must be enabled on the Exchange server through the IIS manager. See Metadata Framework Installation Guide for details.

To define mailbox settings:
1. Select the Mailbox Settings tab. The Mailbox Settings tab is displayed.
2. In the Mailbox Settings pane, set the following:
   Create mailbox (Exchange 2010 only) - Select to create the new mailbox and define its details.
   Exchange Server - Enter the name or IP address of the Exchange Server on which the mailbox will be created. The Exchange Server and the user must reside in the same domain.
   Alias - If needed, enter an alias for the user name (mail prefix) that was entered in the General tab.
3. In the Database and Policies pane, set the following:
   Credentials - Click to enter the credentials required to retrieve mailbox policy information.
   Mailbox database - The database with which the mailbox is associated.
   Retention policy - The policy according to which the mailbox is archived.
   ActiveSync mailbox policy - The policy that determines whether the user can use ActiveSync to connect and retrieve information from the mailbox.
   Address book policy - The policy that determines whether the user can connect to and retrieve information from the address book.

4. In the Archive Settings pane, set the following:
   Do not create an archive - Select if you do not want to archive the mailbox.
   Create a local archive - Select this option to choose the database in which to install the local archive. If it is not selected, the archive is installed in a random database.
   Archive mailbox database - The database in which the archive is created. This need not be the same as the database in which the mailbox is installed.
5. Select Remember these settings as a default to start with these settings each time you create a new mailbox.
6. Click OK.

Setting Additional User Properties

Define the values for additional properties.

To set additional user properties:
Select the Additional Properties tab. The Additional Properties tab is displayed.
To add properties, open the Management Console and select Configuration > Active Directory Properties.

Setting Group Membership

The user must have a Primary Group defined. The Domain users group is added automatically and set as the Primary Group. It is possible to set a different group as the Primary Group if you want to remove the original one.

Note: There is no need to change the Primary Group unless you have Macintosh clients or POSIX-compliant applications. Only a Domain group whose scope is global or universal can be set as the Primary Group.

To add a user to a group:
1. Select the Member Of tab. The Member Of tab is displayed.
   Note: A path must be configured on the General tab. The path is the organizational unit or domain in which the user will be created.
2. To add the required groups, click Add to select the group from the dialog box. The group is added to the group list.
3. To remove a group, select the group and click Remove.

Editing a User Account

To edit a user account:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Right-click the user and select Account Management > Edit. The Edit User dialog box is displayed.

3. Select the tab and make the necessary changes. Enter all required properties.
4. Click OK.
5. Enter the credentials of the user authorized to perform the commit action.
6. Click OK. The Action Processing dialog box is displayed.
7. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.

8. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
9. Click Close.

Copying a User Account

To copy a user account:
1. In the Recommended Users and Groups pane, right-click the entity.
2. Select Account Management > Copy. The Copy User dialog box is displayed.
3. Select each tab in turn and enter the necessary information. See the instructions for the other tabs for more information.
4. On the Member Of tab, click Remove All Recommendations.
5. Click OK.
6. Enter the credentials of the user authorized to perform the commit action.
7. Click OK. The Action Processing dialog box is displayed.

8. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
9. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
10. Click Close.

Creating Groups

Before your first use of the Group Creation Wizard, configure the relevant settings on the Group Creation tab in the Management Console. Only users with the Commit/Edit role can create groups.

To create a new group:
1. Select the Work Area.
2. Select the Recommended Users and Groups pane on the right.
3. Select Account Management > Create Group. The Group Creation Wizard is displayed.

4. On the New Group page of the wizard, set the following properties for the group you want to create:
   Group path - Select the domain or OU in which to create the new group.
   Group name - Define a name for the new group.
   Group name (pre-windows 2000) - If necessary, define the SAM account name for the new group. Automatically populated when the Group name field is populated.
   Description - Enter a free-text description of the group, up to 1024 characters.
   Group scope - Determine the scope of the new group.
   Note: This pane is only visible for Active Directory 2000 and higher.
      Domain local - A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain in which the domain local group is located.
      Global - A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
      Universal - A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported for Windows
   Group type - Determine whether the group is a security group or a distribution group.
   Note: Since distribution groups cannot be granted permissions, the distribution group option is only available if the wizard is started from the Recommended Users and Groups pane.
5. Click Next. The Members page is displayed.
6. To add members to the group, click Add and search for the required users in the Directory Services Search dialog box.
   Note: The entities available for selection are determined by the group scope you defined earlier.
7. For advanced options in adding members to the group, click Advanced Options to open the Directory Services Search dialog box.
   Note: The entities available for selection are determined by the group scope you defined earlier.

8. Use the functionality to search for users from other groups and then select one of the following options in the Select which accounts are added area at the bottom:
   All selected accounts - All objects in Selected Entities will be added as direct members to the new group and will be shown in the Members pane in the Group Creation Wizard.
   All nested user and computer accounts - All user/computer members (direct and indirect) are copied from the selected groups to the Members pane in the Group Creation Wizard.
   Only the selected groups' first level child members - All selected users and direct group members directly under the selected groups are copied to the Members pane in the Group Creation Wizard.
9. To remove members, select them from the list and click Remove.
   Note: If you click Back and change the group scope or type, the members you already selected will be removed from the list.
10. Click Next. The Excluded Users and Groups dialog box is displayed, listing the users\groups that cannot be added.

   Excluded Account - The name of the excluded user\group.
   Reason - The reason for the exclusion.
   Note: Reasons for possible exclusion are:
      For groups - Group type mismatch or untrusted domain
      For users - A user from an untrusted domain, or a user cannot be added to global and universal groups

To remove a user/group from the list, do as follows:
   a. Select a user or group.
   b. Click OK. The user or group is now removed from the Members window.

Click Next. The Summary page is displayed.

After you have reviewed your work, click Execute to create the group.

Add Members of An Existing Group to Another Existing Group

This feature lets users add the members of another group (either its direct members or all nested users\computers) as members of an existing group.

1. From the Recommended Users and Groups pane, right-click the group to which you want to add the members of another group as members, and select Account Management > Advanced Membership. The Directory Services Search dialog box is displayed.
2. Use the functionality to search for users from other groups and then select one of the following options in the Select which accounts are added area at the bottom:
   All selected accounts - All objects in Selected Entities will be added as direct members to the group in the Recommended Users and Groups pane.
   All nested user and computer accounts - All user/computer members (direct and indirect) are copied from the selected groups to the group in the Recommended Users and Groups pane.
   Only the selected groups' first level child members - All selected users and direct group members directly under the selected groups are copied to the group in the Recommended Users and Groups pane.
3. Click OK when done.
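The three Select which accounts are added options behave like set operations over the group graph, and the choice decides which accounts end up as direct members. The following is an added example, not DatAdvantage code; the directory contents, the mode names and the treatment of directly selected users are assumptions made for illustration.

```python
"""Model of the three 'Select which accounts are added' options (added example)."""

# Constructed sample directory: name -> (object type, direct members).
# Finance-RW and Finance-Contractors deliberately contain each other (a cycle).
DIRECTORY = {
    "Finance-RW":          ("group", ["alice", "Finance-Contractors"]),
    "Finance-Contractors": ("group", ["bob", "KIOSK01$", "Finance-RW"]),
    "alice":    ("user", []),
    "bob":      ("user", []),
    "dave":     ("user", []),
    "KIOSK01$": ("computer", []),
}

# Hypothetical mode names standing in for the three options in the dialog.
MODES = ("all_selected", "nested_accounts", "first_level")


def nested_accounts(group, directory):
    """Return every user/computer reachable from `group`, directly or indirectly.

    The `seen` set stops the walk from looping when groups contain each other.
    """
    accounts, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in directory[current][1]:
            if directory[member][0] == "group":
                stack.append(member)
            else:
                accounts.add(member)
    return accounts


def members_to_add(selected, mode, directory=DIRECTORY):
    """Return the set of objects that would become members of the target group."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    result = set()
    for name in selected:
        kind = directory[name][0]
        if mode == "all_selected" or kind != "group":
            # Assumption: a directly selected user/computer is added as itself
            # in every mode.
            result.add(name)
        elif mode == "nested_accounts":
            result |= nested_accounts(name, directory)
        else:  # first_level: direct members only, nested groups stay groups
            result |= set(directory[name][1])
    return result


def added_only_by_flattening(selected, directory=DIRECTORY):
    """Accounts that become members only when nesting is flattened.

    Worth reviewing before commit: these accounts are not visible as direct
    members of any selected group.
    """
    flat = members_to_add(selected, "nested_accounts", directory)
    first = members_to_add(selected, "first_level", directory)
    return flat - first


if __name__ == "__main__":
    selection = ["Finance-RW", "dave"]
    for mode in MODES:
        print(mode, sorted(members_to_add(selection, mode)))
    print("only via nesting:", sorted(added_only_by_flattening(selection)))
```
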

Deleting User and Computer Accounts

There are two methods for deleting user and computer accounts:
   Through the Account Management button
   Through the context menu

Deleting Users and Computers through the Account Management Button

To delete accounts through the Account Management button:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Select Account Management > Delete User/Computer. The Delete User/Computer dialog box is displayed.
3. Select the relevant option:
   a. To select a user account from the Directory Services Search dialog box, click Select accounts and click the Browse button.
   b. To select multiple user accounts from a CSV file, click Import accounts list from and click the Browse button.
   Note: Characters are case-sensitive. CSV files take the following format:
      Record format: Domain\User logon name (pre-windows 2000).
      Records must be delimited by a new line.
      The domain name may be in either FQDN or NetBIOS format.
      The LDAP property name of User logon name (pre-windows 2000) is the SAM Account name.
4. Click Yes to proceed.
5. Enter the credentials of the user authorized to perform the commit action.
6. Click OK. The Action Processing dialog box is displayed.

7. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
8. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
9. Click Close.

Deleting User and Computer Accounts through the Context Menu

To delete accounts through the context menu:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Delete User/Computer. A confirmation message is displayed.
   Note: When selecting multiple entities, it is possible that not all entities are valid for this action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.
3. Click Yes.
4. Enter the credentials of the user authorized to perform the commit action.
5. Click Yes. The Action Processing dialog box is displayed.

6. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
7. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
8. Click Close.

Resetting Passwords

There are two methods for resetting a password:
   Through the Account Management button
   Through the context menu

Resetting Passwords through the Account Management Button

To reset a password through the Account Management button:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Select Account Management > Reset Password. The Reset Password dialog box is displayed.

3. Select the relevant option:
   a. To select a user account from the Directory Services Search dialog box, click Select accounts and click the Browse button.
   b. To select multiple user accounts from a CSV file, click Import accounts list from and click the Browse button.
   Note: Characters are case-sensitive. CSV files take the following format:
      Record format: Domain\User logon name (pre-windows 2000).
      Records must be delimited by a new line.
      The domain name may be in either FQDN or NetBIOS format.
      The LDAP property name of User logon name (pre-windows 2000) is the SAM Account name.
4. Enter the user's password according to configured password policy.
   a. Select Auto-generate Password if you want to use an automatically generated password.
   b. To enter a password of your choice, select Type a Password. Enter and confirm the password (mandatory fields).
5. Tick the User must change password at next logon checkbox to select this option.
6. Tick the Unlock the user's account checkbox to select this option.
7. Click OK.
8. Enter the credentials of the user authorized to perform the commit action.
9. Click OK. The Action Processing screen is displayed.

10. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
11. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
12. Click Close.

Resetting Passwords through the Context Menu

To reset a password through the context menu:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Reset Password. The Reset Password dialog box is displayed.
3. Enter the user's password according to configured password policy.
   a. Select Auto-generate Password if you want to use an automatically generated password.
   b. To enter a password of your choice, select Type a Password. Enter and confirm the password (mandatory fields).

4. Select one or both of the following options:
   Tick the User must change password at next logon checkbox to select this option.
   Tick the Unlock the user's account checkbox to select this option.
5. Click OK.
   Note: When selecting multiple entities, it is possible that not all entities are valid for this action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.
6. Enter the credentials of the user authorized to perform the commit action.
7. Click OK. The Action Processing screen is displayed.
8. To filter the processing results, select the relevant option: All, Successful, Failed, Skipped.
9. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
10. Click Close.

Unlocking User Accounts

There are two methods for unlocking user accounts:
   Through the Account Management button
   Through the context menu

Unlocking User Accounts through the Account Management Button

To unlock user accounts through the Account Management button:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Select Account Management > Unlock. The Unlock User dialog box is displayed.
3. Select the relevant option:
   a. To select a user account from the Directory Services Search dialog box, click Select accounts and click the Browse button.
   b. To select multiple user accounts from a CSV file, click Import accounts list from and click the Browse button.
   Note: Characters are case-sensitive. CSV files take the following format:
      Record format: Domain\User logon name (pre-windows 2000).
      Records must be delimited by a new line.
      The domain name may be in either FQDN or NetBIOS format.
      The LDAP property name of User logon name (pre-windows 2000) is the SAM Account name.
4. Click OK.
5. Enter the credentials of the user authorized to perform the commit action.
6. Click OK. The Action Processing dialog box is displayed.

7. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
8. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
9. Click Close.

Unlocking User Accounts through the Context Menu

To unlock user accounts through the context menu:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Unlock. The Unlock User dialog box is displayed.
   Note: When selecting multiple entities, it is possible that not all entities are valid for this action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.
3. Click OK.
4. Enter the credentials of the user authorized to perform the commit action.
5. Click Yes. The Action Processing dialog box is displayed.

6. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
7. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
8. Click Close.

Disabling and Enabling Entities

There are two methods for disabling and enabling users and computers:
   Through the Account Management button
   Through the context menu

Disabling and Enabling Entities through the Account Management Button

To disable or enable users or computers through the Account Management button:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Select Account Management > Disable/Enable. The Disable/Enable Account dialog box is displayed.

3. Select the relevant option:
   a. To select a user account from the Directory Services Search dialog box, click Select accounts and click the Browse button.
   b. To select multiple user accounts from a CSV file, click Import accounts list from and click the Browse button.
   Note: Characters are case-sensitive. CSV files take the following format:
      Record format: Domain\User logon name (pre-windows 2000).
      Records must be delimited by a new line.
      The domain name may be in either FQDN or NetBIOS format.
      The LDAP property name of User logon name (pre-windows 2000) is the SAM Account name.
4. Select Disable or Enable and click OK.
5. Enter the credentials of the user authorized to perform the commit action.
6. Click OK. The Action Processing dialog box is displayed.
7. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
8. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
9. Click Close.
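Because the imported list drives bulk delete, reset, unlock, disable and move actions, it is worth checking the file against the record format in the notes above (one Domain\SAM-account-name record per line, FQDN or NetBIOS domain, case-sensitive) before importing it. This is an added example, not part of DatAdvantage; the sample records, the protected-account review list and the length and character limits (Active Directory's documented sAMAccountName restrictions) are assumptions.

```python
"""Pre-flight check for an account-list file (added example)."""
import re

# NetBIOS domain: 1-15 characters, no dots, none of the reserved characters.
NETBIOS_RE = re.compile(r'^[^\\/:*?"<>|.\s]{1,15}$')
# FQDN: two or more DNS labels separated by dots.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})+$")

SAM_INVALID = set('"/\\[]:;|=,+*?<>')   # not allowed in a sAMAccountName
SAM_MAX_LEN = 20                         # SAM limit for user logon names
# Hypothetical review list: accounts that should never be in a bulk action.
PROTECTED = {"administrator", "krbtgt", "guest"}

# Constructed sample input; every record is made up for this example.
SAMPLE = r"""CORP\jsmith
corp.example.com\adavis
CORP\JSmith
CORP/bwong
CORP\krbtgt
CORP\jsmith
CORP\this_name_is_far_too_long_for_sam
\nobody
CORP\svc;backup
"""


def validate_account_list(text):
    """Return (accepted, problems).

    accepted: list of (domain, sam) tuples in file order.
    problems: list of (line_no, record, reason) tuples.
    """
    accepted, problems, seen = [], [], {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # blank lines carry no record
        if raw != raw.strip():
            problems.append((line_no, raw, "leading or trailing whitespace"))
            continue
        if raw.count("\\") != 1:
            problems.append((line_no, raw, "expected exactly one backslash"))
            continue
        domain, sam = raw.split("\\")
        if not (NETBIOS_RE.match(domain) or FQDN_RE.match(domain)):
            problems.append((line_no, raw, "domain is not NetBIOS or FQDN"))
            continue
        if (not sam or len(sam) > SAM_MAX_LEN or sam.endswith(".")
                or any(ch in SAM_INVALID for ch in sam)):
            problems.append((line_no, raw, "invalid SAM account name"))
            continue
        if sam.lower() in PROTECTED:
            problems.append((line_no, raw, "protected account, review manually"))
            continue
        key = raw.lower()
        if key in seen:
            first_line, first_raw = seen[key]
            # Matching is case-sensitive, so a case variant is probably a typo.
            reason = ("duplicate" if first_raw == raw
                      else "differs only by case") + f" of line {first_line}"
            problems.append((line_no, raw, reason))
            continue
        seen[key] = (line_no, raw)
        accepted.append((domain, sam))
    return accepted, problems


if __name__ == "__main__":
    ok, bad = validate_account_list(SAMPLE)
    print("accepted:", ok)
    for line_no, record, reason in bad:
        print(f"line {line_no}: {record!r}: {reason}")
```
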

Disabling and Enabling Entities through the Context Menu

To disable or enable users and computers through the context menu:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Disable/Enable. The Disable/Enable Account dialog box is displayed.
   Note: When selecting multiple entities, it is possible that not all entities are valid for this action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.
3. Select Disable or Enable and click OK.
4. Enter the credentials of the user authorized to perform the commit action.
5. Click Yes. The Action Processing dialog box is displayed.
6. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
7. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
8. Click Close.

Moving Entities

There are two methods for moving entities:
   Through the Account Management button
   Through the context menu

Entities can only be moved to another location within their current domain.

Moving Entities through the Account Management Button

To move users, computers and groups through the Account Management button:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Select Account Management > Move. The Move Account dialog box is displayed.
3. Select the relevant option:
   a. To select a user account from the Directory Services Search dialog box, click Select accounts and click the Browse button.
   b. To select multiple user accounts from a CSV file, click Import accounts list from and click the Browse button.
   Note: Characters are case-sensitive. CSV files take the following format:
      Record format: Domain\User logon name (pre-windows 2000).
      Records must be delimited by a new line.
      The domain name may be in either FQDN or NetBIOS format.
      The LDAP property name of User logon name (pre-windows 2000) is the SAM Account name.
4. Select the name of the Target Organizational Unit from the Browse button.
5. Click OK.
6. Enter the credentials of the user authorized to perform the commit action.
7. Click OK. The Action Processing dialog box is displayed.

8. To filter the processing results, select the relevant option in the Filter by area: All, Successful, Failed, Skipped.
9. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
10. Click Close.

Moving Entities through the Context Menu

To move users, computers and groups through the context menu:
1. Select the Existing Users and Groups pane on the left, or the Recommended Users and Groups pane on the right.
2. Right-click the chosen entities and select Account Management > Move. The Move Account dialog box is displayed.
   Note: When selecting multiple entities, it is possible that not all entities are valid for this action for this entity type, domain type, or for unmonitored, abstract, or built-in accounts.
3. Select the target Organizational Unit from the Browse button.
4. Enter the credentials of the user authorized to perform the commit action.
5. Click OK. The Action Processing dialog box is displayed.

6. To filter the processing results, select the relevant option in the Filter by area:
   - All
   - Successful
   - Failed
   - Skipped
7. To export the processing results to a CSV file, click the Export to CSV button on the right and select the required export path.
8. Click Close.

About Synchronization
To conserve resources, the effects of manual changes are not automatically calculated across the system. This means that changes remain visible, but the sandbox is not updated and no error calculation occurs. However, you can choose to synchronize your manual changes as necessary.
The synchronization process implements the manual changes in the virtual environment, so that erroneous recommendations and the explanations provided in the Directories pane for removing permissions are up to date.
When the system is not synchronized, the Status bar displays a message saying "Calculate Access Errors". In addition, the Errors pane does not display the most updated information.

Synchronizing Recommendations
To synchronize changes in the system:
1. On the Status bar, click the Calculate Access Errors message. The Calculation of Access Errors dialog box is displayed.

2. Click the Calculate button. The synchronization process begins.
   Note: Synchronization may take several minutes.
3. To refresh the Directories pane, double-click the entity that was changed.

Synchronizing Ownership with DataPrivilege
The synchronization engine enables maintaining complete synchronization between DatAdvantage and DataPrivilege. The engine ensures that all managed objects and their owners are copied to DataPrivilege, including all relevant configuration settings for domains and file servers. If a domain or file server does not exist in DataPrivilege, the synchronization creates it.
DataPrivilege objects and owners are also synchronized to DatAdvantage for monitored resources. However, if a file server managed in DataPrivilege does not exist in DatAdvantage, the synchronization engine does not create it in DatAdvantage since this would require a full installation procedure.
Synchronization is performed automatically in the following cases:
- Immediately after changes are made (added or removed) to entity ownership
- After the DatAdvantage pull job is run
- According to the schedule you define
However, if the previous synchronization ended with errors or conflicts, it may be necessary to execute the Synchronization process manually.
To synchronize entity ownership with DataPrivilege:
1. Access the Ownership wizard:
   - To synchronize multiple owners and entities, select Tools > Manage Ownership.
   - To synchronize individual owners or entities, right-click the relevant owner or entity and select Manage Ownership.
2. In the Ownership wizard, click Background Synchronization. The owners or entities are synchronized with DataPrivilege.

About Synchronization and DataPrivilege Base Folders
A problem can occur if you have previously installed both DatAdvantage and DataPrivilege. If base folders are defined separately in the two products and then the products are synchronized, it may happen that the synchronization process tries to make a directory defined as a base folder either the parent or the child of another directory defined as a base folder. Since by definition a base folder must be the root and cannot have another base folder as its parent or child, the synchronization process stops with an error.
If this happens, you must manually change one of the base folders so that it is no longer defined as a base folder, and rerun the synchronization process.

About the Errors Pane
Sometimes IDU Analytics recommends that a user's permissions to a directory or file be removed, but the user later accesses the entity. This means the recommendation to remove permissions was made in error. That is, IDU Analytics has recommended removing a user's rights to files and directories to which the user actually needs access. Such errors can also occur if an administrator manually removes rights that are needed by a user or group.
By default, IDU Analytics looks back 120 days to make recommendations (this can be configured at installation).
The Errors pane can be grouped by the following:
- Directory or file
- User or group
- Error Time - The time at which the error occurred (that is, the time at which the user or group accessed the directory or file despite an existing recommendation to remove permissions).
- Removal cause - The reason why the error occurred.
Use the list as a reference to determine which rights can be removed without impacting users' ability to access the data they need in order to do their work.
Immediately after IDU Analytics runs, no errors due to analysis are listed. If user behavior changes between analyses, the unexpected behavior is reflected in the error list.
Over time, the analysis becomes more accurate as additional user behavior data is processed by subsequent runs of IDU Analytics. This means the number of analysis errors (as opposed to manual editing errors) decreases.
The system must be synchronized so that the Errors pane displays the most updated information.
Note: The tactical errors calculation is based on statistics collected for the previous IDU Analytics period. If the statistics archive policy is shorter than the IDU Analytics period, then the tactical errors calculation will be based only on statistics that are not archived.

Working with the Expected Access Errors Pane
DatAdvantage generates an access error for a user/computer when an editing command removes the user's permissions to a specific folder. The removal can affect either the direct permission or the user's membership in a group with the specified permission. As a result, users lose permissions that their performed events show they use.
Note: If the removed permission has not been used by any event performed by the user during the most recent IDU Analytics-defined period of time, no error will be generated.
Error details include:
- The current permission based on the existing set.
- The recommended permissions based on the admin set.
- The permissions required for the user based on the events performed during the most recent IDU Analytics-defined period of time.
To work with the Expected Access Errors pane:
1. Select the Work Area or the Review Area.
2. In the Expected Access Errors pane, the erroneous recommendations are displayed.
   Note: In the Review Area, the Expected Access Errors pane is automatically filtered by the selected object.
3. Use DatAdvantage's standard sorting and grouping functions to locate the data you need quickly.
4. To view recommended permissions for entities, double-click the relevant directory or file in the Errors tab to display the recommended permissions in the Directories pane.
5. Accept or reject the recommendations as required.
   Note: If the Remove protection without unique permissions and Add protection with copy permissions from parent commands are created on a folder together, only the remove permission commands related to actual removed permissions are displayed. The add permission commands that result from the add protection action are not seen. The error is calculated only if the total effective permissions resulting from the remove and add protection commands are not enough based on the events.
6. Refer to the following:
   - File Server - The file server where the folder to which the user has access errors resides.
   - Access Path - The path of the folder or the special file to which the user has an access error.
   - User/Computer - The name of the user/computer that has access errors to the folder.
   - Current Effective Permissions - The current effective permission the user has on the folder in the Existing Set.
   - Recommended Effective Permissions - The effective permission that the user has on the folder in the Admin Set based on either all the commands in the Admin Set.
   - Missing Permission Required by Events - The aggregated effective permission that users require based on the events they recently performed and will no longer be able to perform because of the editing commands (the caused error) affecting the permissions of the folder/file.
   - Change Source - Change the sources by opening the Permission Sources window.
   - Time of Error - The date and time when the access error was calculated (based on IDU server time).

Fixing Directory Errors
To repair recommendation errors on a particular directory, the Group Creation wizard creates a new group with maximal permissions for all entities having errors (users and computers). Only users with the Commit/Edit role can create groups.
To fix recommendation errors for a directory:
1. Do one of the following:
   - In the Work Area or Review Area, in Expected Access Errors, click Fix Directory Errors.
   - In the Directories pane, right-click a folder having errors and select Auto-fix Recommendation Errors.
   The Group Creation Wizard is displayed.

2. On the New Group page of the wizard, set the following properties for the group you want to create:
   - Group path - Select the domain or OU in which to create the new group.
   - Group name - Define a name for the new group.
   - Group name (pre-Windows 2000) - If necessary, define the SAM account name for the new group. Automatically populated when the Group name field is populated.
   - Description - Enter a free-text description of the group, up to 1024 characters.
   - Group scope - Determine the scope of the new group.
     Note: This pane is only visible for Active Directory 2000 and higher.
     - Domain local - A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain in which the domain local group is located.
     - Global - A global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
     - Universal - A universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest. Universal groups are not supported for Windows
   - Group type - Determine whether the group is a security group or a distribution group.
     Note: Since distribution groups cannot be granted permissions, the distribution group option is only available if the wizard is started from the Recommended Users and Groups pane.
3. Click Next. The Fix Errors page is displayed.
4. To add members to the group, click Add and search for the required users in the Directory Services Search dialog box.
   Note: The entities available for selection are determined by the group scope you defined earlier.
5. For advanced options in adding members to the group, click an option:
   - Add members from other groups - (this option will only display groups) opens the Directory Services Search dialog box.

     Use the functionality to search for users from other groups and then select one of the following options in the Select which accounts are added area at the bottom:
     - All selected accounts - All objects in Selected Entities will be added as direct members to the new group and will be shown in the Members pane in the Group Creation Wizard.
     - All nested user and computer accounts - All user/computer members (direct and indirect) are copied from the selected groups to the Members pane in the Group Creation Wizard.
     - Only the selected groups' first level child members - All selected users and direct group members directly under the selected groups are copied to the Members pane in the Group Creation Wizard.
   - Add users or groups with existing permissions - opens the Users/Groups with Existing Permissions dialog box and displays current existing permissions on the selected folder.

     Select the users and groups from the Available Entities area for display in Selected Entities. Select one of the following options in the Select which accounts are added area at the bottom:
     - All selected accounts - All objects in Selected Entities will be added as direct members to the new group and will be shown in the Members pane in the Group Creation Wizard.
     - All nested user and computer accounts - All user/computer members (direct and indirect) are copied from the selected groups to the Members pane in the Group Creation Wizard.
     - Only the selected groups' first level child members - All selected users and direct group members directly under the selected groups are copied to the Members pane in the Group Creation Wizard.
6. To remove members, select them from the list and click Remove.
   Note: If you click Back and change the group scope or type, the members you already selected will be removed from the list.
7. Click Next. The Excluded Users and Groups dialog box is displayed, with a list of exceptions of users\groups that cannot be added.

   - Excluded Account - The name of the excluded user\group.
   - Reason - The reason for the exclusion.
   Note: Reasons for possible exclusion are:
   - For groups - Group type mismatch or untrusted domain
   - For users - A user from an untrusted domain, or a user cannot be added to global and universal groups
8. To remove a user/group from the list, do as follows:
   a. Select a user or group.
   b. Click OK. The user or group is now removed from the Members window.
   Click Next. The Permissions page is displayed.

9. Select the required Allow and Deny permissions.
10. To define special permissions and advanced settings, click Advanced. The Advanced Security Properties dialog box is displayed.

    a. To add a permission entry to the entity, click Add and define the permissions as relevant.
    b. To edit an existing permission entry:
       1. Click Edit. The Permission Entry For dialog box is displayed.
       2. From the Apply to drop-down list, select the objects to which the permissions will be applied.
       3. To apply these permissions to objects or containers within the current container, select the relevant checkbox at the bottom of the dialog box.

       4. To clear all permissions, select Clear All.
       5. Click OK.
    c. To remove a permission entry, select the relevant entry and click Remove.
    d. Click OK. The Advanced Security Properties dialog box is closed.
11. In the bottom pane, review the users and groups that will receive a different set of permissions than what was previously granted them on the folder. Local members with errors are excluded from the member list if the group path is set to a domain or an OU, not to the required local host.
    a. To remove a member from the new group, select the member and click Remove.
    b. To remove all the members from the bottom pane, click Remove All.
    c. To recalculate the members having errors that will receive different permissions, click Restore List.
12. Click Next. The Summary page is displayed.
13. After you have reviewed your work, click Execute to create the group.
14. Select the Commit these changes option to commit the changes immediately and click Finish.
15. (Optional) Commit the changes.
    Note: You may be required to provide your credentials before the Commit dialog box is displayed.

Chapter 7 REVIEW AREA

The Review Area enables you to review the effects of the manual or recommended changes to permissions on actual user activity. Use this view to test "what if" scenarios, prior to applying the changes to the domain.
Sometimes IDU Analytics recommends that a user's permissions to a directory or file be removed, but the user later accesses the directory. This means the recommendation to remove permissions was made in error. That is, IDU Analytics has recommended removing a user's rights to files and directories to which the user actually needs access. If the removal of permission were applied to the domain, the user's work would be disrupted by the lack of permissions.
DatAdvantage identifies these errors by applying the modified permission set to past user activity and examining the results. When a user's access to a resource would be denied due to a recommended change in the user's permissions, the denial is flagged as an error and displayed in both the Review Area and the Work Area. Use the Review Area to identify such errors and eliminate them prior to applying changes to the domain, to avoid potential disruption to work.
Before you begin to work with the Review Area, it is recommended that you synchronize the system.
Note: Directory service permissions are not visible in the Review Area.
The Review Area comprises the following panes:
- Directories
- Graph
- Recommended Users and Groups
- Errors and Editing History
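The "what if" check described above, replaying recorded activity against a modified permission set, can be sketched as follows. This is an added illustration, not DatAdvantage's own code or algorithm: the data model, account names, path and command names are constructed assumptions, and deny entries and inheritance are deliberately not modelled.

```python
from datetime import datetime, timedelta

LOOKBACK_DAYS = 120          # default analysis window stated in the guide
FOLDER = r"\\fs01\finance"   # constructed sample path
NOW = datetime(2017, 5, 22)  # constructed "time of calculation"

# Constructed existing set: ACEs are (principal, folder, right),
# memberships are (member, group). All names are hypothetical.
EXISTING = {
    "aces": {("Finance-RW", FOLDER, "read"), ("Finance-RW", FOLDER, "write"),
             ("Everyone-Legacy", FOLDER, "read")},
    "memberships": {("alice", "Finance-Analysts"),
                    ("Finance-Analysts", "Finance-RW"),
                    ("bob", "Everyone-Legacy"), ("dave", "Everyone-Legacy"),
                    ("carol", "Everyone-Legacy"), ("carol", "Finance-RW")},
}

# Constructed editing commands that produce the admin set.
COMMANDS = [("remove_ace", "Everyone-Legacy", FOLDER),
            ("remove_member", "alice", "Finance-Analysts")]

# Constructed events: (user, folder, right exercised, timestamp).
EVENTS = [("alice", FOLDER, "write", datetime(2017, 5, 1)),
          ("bob", FOLDER, "read", datetime(2016, 11, 1)),   # outside window
          ("carol", FOLDER, "read", datetime(2017, 4, 10)),
          ("dave", FOLDER, "read", datetime(2017, 5, 10))]


def groups_of(principal, memberships):
    """All groups the principal belongs to, directly or through nesting."""
    seen, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for member, group in memberships:
            if member == current and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def effective_rights(user, folder, pset):
    """Union of rights granted to the user or to any group the user is in."""
    principals = {user} | groups_of(user, pset["memberships"])
    return {r for p, f, r in pset["aces"] if f == folder and p in principals}


def apply_commands(existing, commands):
    """Build the admin set by applying editing commands to a copy."""
    aces, members = set(existing["aces"]), set(existing["memberships"])
    for kind, subject, target in commands:
        if kind == "remove_ace":
            aces = {a for a in aces if (a[0], a[1]) != (subject, target)}
        elif kind == "remove_member":
            members.discard((subject, target))
        else:
            raise ValueError(f"unknown command {kind!r}")
    return {"aces": aces, "memberships": members}


def expected_access_errors(existing, commands, events, now):
    """Flag users whose recent activity needs a right the admin set removes."""
    admin = apply_commands(existing, commands)
    cutoff = now - timedelta(days=LOOKBACK_DAYS)
    required = {}
    for user, folder, right, when in events:
        if when >= cutoff:  # older events generate no error
            required.setdefault((user, folder), set()).add(right)
    errors = []
    for (user, folder), needed in sorted(required.items()):
        current = effective_rights(user, folder, existing)
        recommended = effective_rights(user, folder, admin)
        missing = (needed & current) - recommended
        if missing:
            errors.append({"access_path": folder, "user": user,
                           "current_effective": sorted(current),
                           "recommended_effective": sorted(recommended),
                           "missing_required_by_events": sorted(missing)})
    return errors


if __name__ == "__main__":
    for row in expected_access_errors(EXISTING, COMMANDS, EVENTS, NOW):
        print(row)
```

In this constructed data, carol keeps access through a second group and bob's only event is older than the window, so neither is flagged; alice and dave are.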

Understanding the Review Area
DatAdvantage displays permissions in this view in a number of ways, depending on whether the entity you select (the current active entity) is a user, group or directory.

Current Active Entity: Recommended user or group
Permission Indications:
- Graph pane - Displays the following permissions for the selected user or group on the selected directory or file, in the form of a pie chart:
  - Unused - The percentage of directories the user or group did not access during the time period that was analyzed. Color-coded yellow.
  - Denied - The percentage of directories to which the user or group would have been denied access during the time period that was analyzed. Color-coded red.
  - Accessed - The percentage of directories the user or group accessed during the time period that was analyzed. Color-coded green.
  - Added - The percentage of directories to which the user's or group's permissions were added during the time period that was analyzed. Color-coded light blue.
  - Removed - The percentage of directories to which the user's or group's permissions were removed during the time period that was analyzed. Color-coded gray.
- Directories pane - Permissions on directories are color-coded in the same way as the graph.

Current Active Entity: Directory
Permission Indications:
- Graph pane - Displays user and group permissions for the selected directory, with the same options and color-coding as described above.
- Recommended Users and Groups pane - Permissions are color-coded in the same way as the graph.

Viewing Permission Status
The procedure for viewing permissions is the same throughout the Review Area.
To view the status of permissions a user or group has for a specific directory:
1. Select the Review Area.
2. In the Directories pane, locate the relevant entity.
3. In the Recommended Users and Groups list, locate the required entity.
4. Double-click the name of the relevant entity. The entity's permissions are displayed.

Synchronizing Recommendations
To synchronize changes in the system:
1. On the Status bar, click the Calculate Access Errors message. The Calculation of Access Errors dialog box is displayed.

2. Click the Calculate button. The synchronization process begins.
   Note: Synchronization may take several minutes.
3. To refresh the Directories pane, double-click the entity that was changed.

Working with the Expected Access Errors Pane
DatAdvantage generates an access error for a user/computer when an editing command removes the user's permissions to a specific folder. The removal can affect either the direct permission or the user's membership in a group with the specified permission. As a result, users lose permissions that their performed events show they use.
Note: If the removed permission has not been used by any event performed by the user during the most recent IDU Analytics-defined period of time, no error will be generated.
Error details include:
- The current permission based on the existing set.
- The recommended permissions based on the admin set.
- The permissions required for the user based on the events performed during the most recent IDU Analytics-defined period of time.
To work with the Expected Access Errors pane:
1. Select the Work Area or the Review Area.
2. In the Expected Access Errors pane, the erroneous recommendations are displayed.
   Note: In the Review Area, the Expected Access Errors pane is automatically filtered by the selected object.

3. Use DatAdvantage's standard sorting and grouping functions to locate the data you need quickly.
4. To view recommended permissions for entities, double-click the relevant directory or file in the Errors tab to display the recommended permissions in the Directories pane.
5. Accept or reject the recommendations as required.
   Note: If the Remove protection without unique permissions and Add protection with copy permissions from parent commands are created on a folder together, only the remove permission commands related to actual removed permissions are displayed. The add permission commands that result from the add protection action are not seen. The error is calculated only if the total effective permissions resulting from the remove and add protection commands are not enough based on the events.
6. Refer to the following:
   - File Server - The file server where the folder to which the user has access errors resides.
   - Access Path - The path of the folder or the special file to which the user has an access error.
   - User/Computer - The name of the user/computer that has access errors to the folder.
   - Current Effective Permissions - The current effective permission the user has on the folder in the Existing Set.
   - Recommended Effective Permissions - The effective permission that the user has on the folder in the Admin Set based on either all the commands in the Admin Set.
   - Missing Permission Required by Events - The aggregated effective permission that users require based on the events they recently performed and will no longer be able to perform because of the editing commands (the caused error) affecting the permissions of the folder/file.
   - Change Source - Change the sources by opening the Permission Sources window.
   - Time of Error - The date and time when the access error was calculated (based on IDU server time).

Viewing Edit History
The Editing History tab displays the history of all changes made to permissions or group membership during the time period that was analyzed.

To view the history of changes to permissions:
1. Select the Review Area.
2. In the bottom pane, select the Editing History tab. The history of changes to permissions is displayed.
3. Use DatAdvantage's standard sorting and grouping functions to locate the data you need quickly.

Chapter 8 STATISTICS VIEW

The Statistics view allows you to review the cumulative data collected by the DatAdvantage Probe. At the end of each day, DatAdvantage generates the information required to view statistics. The data is available for viewing the day after the events were recorded and collected, and remains available for direct access until it is archived.
The Statistics view comprises the following panes:
- Directories
- Users and Groups
- Search
- Graphs

Generating Statistics for Resources
Use the Resources drop-down list to view information regarding the resource you selected for monitoring. The displayed statistics include all the events for the resource, for the specified timeframe.
1. Select the Statistics view.
2. Select the Resources drop-down list.
3. In the Resources drop-down list, locate the resource for which you want to view statistics.
4. In the Calendar area, select Graph or Table, depending on the type of output you want to view.

Generating Resource Statistics for Activity By Date
This chart displays the activity per day for a selected resource. Use it to identify overall usage patterns, as well as days with unusual activity that require further investigation.
To view statistics on activities according to a particular date:
1. Select the relevant resource and generate statistics for it.
2. In the center pane, click the Activity by Date tab. The Activity by Date chart is displayed.
3. To focus on a single day, click that day's column in the chart. The date selection changes to display only that day, enabling you to select users, directories and files to continue reviewing the day's activity.
[Figures: Graph view, Table view]

Generating Resource Statistics for Directory Utilization
This chart represents the number of events on each entity, including its subdirectories and special files.
To view statistics on average directory utilization:
1. Select the relevant resource and generate statistics for it.
2. In the center pane, click the Directory Utilization tab. The Directory Utilization chart is displayed.

3. Click each directory or file to drill down and view its utilization.
   The directories and files displayed are from all the volumes of the selected resource. They are not categorized into volumes, as they are in the Directory pane displayed in the Work Area.
   The current directory or file is displayed at the top of the chart as the Parent Directory or File.
   If you cannot click a directory, no further drill-down is possible. This occurs either because there are no subdirectories, or because no events were logged for any subdirectory.
4. Color-coding indicates the entity type:
   - Yellow - Current directory
   - Purple - Subdirectories
   - Blue - Special files
5. Click the Back button at the top left of the chart to return to a higher level.
[Figures: Graph view, Table view]

Generating Resource Statistics for User Utilization
This chart provides a view of events per user for the selected timeframe, filtered by default to the top 10 most active users. The chart displays only users, not groups. Use this chart to easily identify abnormal user behavior. Your attention should be drawn to users with unexpectedly high event counts.
To view statistics on user utilization:
1. Select the relevant resource and generate statistics for it.
2. In the center pane, click the User Utilization tab. The User/Group Utilization chart is displayed, filtered by default to the top 10 most active users.
4. In the filter area, do the following:
   a. Select Ascending or Descending to sort the users as required.
   b. Use the Up and Down arrows to select the number of users you want to view.
5. Click a user to drill down and create user statistics, as if the user were selected in the Users & Groups pane.
[Figures: Graph view, Table view]

Generating Resource Statistics for Inactive Users
This chart provides a view of the period of greatest inactivity, per user, for the past seven days.

To view statistics on inactive users:
- In the center pane, click the Inactive Users tab. The Inactive Users chart is displayed.
[Figures: Graph view, Table view]

Generating Resource Statistics for Least Active Users
This chart provides a view of the percentage of users (filtered by default to the top 10 least active users) that had no activity in comparison to all users in the domain.
To view statistics on least active users:
1. Select the relevant resource and generate statistics for it.
2. In the center pane, click the Least Active Users tab. The Least Active Users chart is displayed, filtered to the top 10 least active users.
3. In the filter area, use the Up and Down arrows to select the number of users you want to view.
4. Click a user to drill down and create user statistics, as if the user were selected in the Users & Groups pane.
[Figure: Graph view]

[Figure: Table view]

Generating Resource Statistics for Unmanaged Directories and Resources
This chart provides a view of the managed directories and resources having the most activity compared to unmanaged directories and resources. It includes the number of events at the first subdirectory level beneath the selected level.
To view activity statistics for unmanaged directories and resources:
- In the center pane, click the Activity on Unmanaged Directories and Resources tab. The Activity on Unmanaged Directories and Resources chart is displayed.
[Figure: Graph view]

[Figure: Table view]

Generating Statistics for Directories
The Directory pane enables you to focus on the activity on a specific directory or file, based on dates, subdirectories and users. If you identify activity that requires further examination, use the Users Accessed chart or Log view to retrieve the required information.
1. Select the Statistics view.
2. Select the Directories pane.
3. In the Directories pane, locate the directory or file for which you want to view statistics.
4. In the Calendar area, select Graph or Table, depending on the type of output you want to view.

Generating Directory Statistics for Activity By Date
This chart displays the activity for a directory or file on the specified day. Use it to identify overall usage patterns, as well as days with unusual activity that require further investigation. Access to the directory, its subdirectories and files is differentiated by color.

To view statistics on activities according to a particular date:
1. Select the relevant resource and generate statistics for it.
2. In the center pane, click the Activity by Date tab. The Activity by Date chart is displayed.
3. To focus on a single day, click that day's column in the chart. The date selection changes to display only that day, enabling you to select users, directories and files to continue reviewing the day's activity.
[Figures: Graph view, Table view]

Generating Directory Statistics for Subdirectories
This chart is similar to the Directory Utilization chart at the resource level, in that it displays the distribution of events between subdirectories within the current directory.
For Exchange resources, the chart displays bars for the selected resource's mailbox store and public folders. With drill-down through the mailbox store, the bars display the same alphabetical grouping that is used in the Directories pane. Further drill-down displays the actual mailboxes.
To view statistics on subdirectories:
1. Select the Statistics view.
2. In the center pane, click the Subdirectories Statistics tab. The Subdirectories Statistics chart is displayed.
3. To focus on a single day, click that day's column in the chart. The date selection changes to display only that day, enabling you to select users, directories and files to continue reviewing the day's activity.

[Figures: Graph view, Table view]

Generating Directory Statistics for User Access
This chart displays the distribution of users accessing the directory or file under review. The color-coded pie chart displays the percentage of events for each user.
To view statistics on user access:
1. Select the Statistics view.
2. In the center pane, click the User Access tab. The User Access chart is displayed.
3. For slices labeled X%-Y% of events (instead of a user's name), click the slice to drill down to more detailed pie charts displaying the slice's activity breakdown. A small chart on the left displays the current chart as an inset of the chart one level above.
4. To return to the main chart, click Back.
[Figure: Graph view]

[Figure: Table view]

Generating Directory Statistics for Inactive Users
This chart provides a view of the period of greatest inactivity, per user, for the past seven days.
To view statistics on inactive users:
- In the center pane, click the Inactive Users tab. The Inactive Users chart is displayed.
[Figures: Graph view, Table view]

Generating Directory Statistics for Least Active Users
This chart provides a view of the percentage of users that had no activity in the directory in comparison to all users in the domain.
To view statistics on least active users:
1. Select the relevant resource and generate statistics for it.
2. In the center pane, click the Least Active Users tab. The Least Active Users chart is displayed, filtered to the top 10 least active users.
3. In the filter area, use the Up and Down arrows to select the number of users you want to view.
4. Click a user to drill down and create user statistics, as if the user were selected in the Users & Groups pane.
[Figures: Graph view, Table view]

Generating Directory Statistics for Inactive Directories

This chart indicates the number of directories and subdirectories with no activity compared to selected directories. Only top-level directories of inactive branches are calculated. The number of subdirectories in each appears in parentheses ( ).

To view statistics on inactive directories:
1. In the center pane, click the Inactive Directories tab. The Inactive Directories chart is displayed.

[Figure: Graph view]
[Figure: Table view]

Generating Directory Statistics for Managed Folders

This chart provides a view of the managed directories having the most activity, compared to the unmanaged folders, and includes the number of events at the first subdirectory level beneath the selected level.

To view activity statistics for managed folders:
1. In the center pane, click the Activity on Managed Folders tab. The Activity on Managed Folders chart is displayed.

[Figure: Graph view]

[Figure: Table view]

Generating Statistics for Users and Groups

The Users and Groups pane enables you to focus on the activity of a specific user or group, based on dates, directories, files and group membership.

1. Select the Statistics view.
2. Select the Users and Groups pane.
3. In the Users and Groups pane, locate the entity (user or group) for which you want to view statistics.
4. In the Calendar area, select Graph or Table, depending on the type of output you want to view.

Generating User and Group Statistics for Activity By Date

This chart for users and groups is similar to the other activity history charts, in that it displays the activity for a given user or group per day. Use this chart to identify overall usage patterns, as well as days with unusual activity that require further investigation. Access to the directory, its subdirectories and files is differentiated by color.

To view statistics on activities according to a particular date:
1. Select the relevant resource and generate statistics for it.
2. In the center pane, click the Activity by Date tab. The Activity by Date chart is displayed.
3. To focus on a single day, click that day's column in the chart. The date selection changes to display only that day, enabling you to select users, directories and files to continue reviewing the day's activity.

[Figure: Graph view]
[Figure: Table view]

Generating User and Group Statistics for Directory Utilization

This chart is similar to the Directory Utilization chart at the Resource level, in that it displays the distribution of events between subdirectories and files within the current directory.

To view statistics on average directory utilization:
1. Select the relevant resource and generate statistics for it.
2. In the center pane, click the Directory Utilization tab. The Directory Utilization chart is displayed.
3. Click a directory to drill down for further information regarding utilization of each subdirectory or file.

[Figure: Graph view]

[Figure: Table view]

Generating User and Group Statistics for User Activity

This chart displays the distribution of users accessing the directory or file under review. The color-coded pie chart displays the percentage of events for each user. This chart is only available for groups.

To generate statistics for users and groups:
1. In the center pane, click the User Activity tab. The User Activity Folders chart is displayed.

[Figure: Graph view]

[Figure: Table view]

Jumping to Other Views from the Statistics View

DatAdvantage enables you to move easily from the Statistics view to another view, while maintaining your focus on a specific entity. For example, you might want to see the events log for a particular user after you notice that user's behavior in the Statistics view. You can move quickly to the user's events log without having to search for him or her in the Logs view.

If you jump to the Logs view, the log is automatically loaded with the relevant filters, so that it reflects the events that comprise the selected graph portion.

BEST PRACTICE: It is important to emphasize that Varonis recommends you always start with the Statistics view, identify the interesting information, and then drill down to the required log. This provides the best system performance, and is the best workflow for smart usage of logs for auditing purposes.

To jump to another view from the Statistics view:
1. While you are working in the Statistics view, right-click the bar or pie slice for the entity in question. A context menu is displayed, listing the views to which you can jump.
2. Select the required view. DatAdvantage jumps to that view, while maintaining focus on the entity with which you are working.

About Ownership Management Through the Statistics View

The Statistics view enables ownership management as follows:
- Owners can be set automatically for the directories and groups for which statistics are displayed, but only if entity usage statistics exist for both the user to be defined as owner and the directory or group in question.
- If information is missing for either the user or the entity, ownership can be managed through the Ownership wizard. It cannot be set automatically.

Note: This has no relevance for directory service probing.

Setting Owners Automatically

To set an owner automatically:
1. From the Users and Groups pane or the Directories pane, select the group or the directory for which you want to set an owner.
2. In the Graphs pane, select User Activity. A pie chart indicating usage per user is displayed.
3. Right-click the pie slice for the user you want to set as owner. A context menu is displayed.
4. Select Set Ownership. A confirmation message is displayed, asking you to confirm setting the selected user as owner of the selected entity.
5. Click Yes. The user is set as the entity's owner.

Drill-down Operations for Statistics

DatAdvantage enables you to move easily from the Statistics view to the related log in the Logs view, by right-clicking the relevant chart segment in the Statistics view.

Object Graph Segment Query Limitations Resource Activity by date Date/segment bar Events on selected resources on selected timeperiod bar Cannot be grouped by day of week Directory utilization Directory Jump only to the Logs view Directory bar Events where dirid = selected Subdirectories bar Events where accesspath like 'selected\ %' User utilization User bar Events on selected resources for selected SID Inactive users N/A Least active users N/A Activity by Date Selected directory bar Events where dirid = selected Cannot be grouped by day of week. Subdirectories bar Events where accesspath like 'selected\ %' Jump only to the Logs view Directory bar Events where dirid = selected Subdirectories bar Events where accesspath like 'selected\ %' Subdirectory statistics Jump only to the Logs view Jump only to the Logs view

Object Group Graph Segment Query Limitations User access User slice Events where accesspath like selected and sidid = selectedslice Not available for group slices Inactive Users N/A Least active users N/A Inactive Directories N/A Activity by date Date/segment bar Events on selected resources on selected timeperiod bar, for the selected group Cannot be grouped by day of week Directory utilization User Jump only to the Logs view Directory bar Events where dirid = selected and group = selected Subdirectories bar Events where accesspath like 'selected\ %' and group = selected Jump only to the Logs view User activity User slice Events on selected resource(s) and sidid = selectedslice Not available for group slices Activity by date Date/segment bar Events on selected resources on selected timeperiod bar, for the selected user Cannot be grouped by day of week Jump only to the Logs view

Object Graph Segment Query Directory utilization Directory bar Events where dirid = selected and userid = selected Subdirectories bar Events where accesspath like 'selected\ %' and userid = selected Limitations Jump only to the Logs view

9 LOGS VIEW

The Logs view enables you to browse and search the event logs from all the monitored resources for a specific day, down to the level of a single event.

The Logs view comprises the following panes: Log Directories pane Users and Groups pane Search pane

Viewing Logs

You can view the logs based on the entity you selected in the Entity Selection pane as follows:
Resource - Displays all the events for a given resource.
Directory - Displays all the events for a directory, subdirectories and files.
OU - Displays all the events for a given OU.
User or group - Displays the events for a specific user or group.

To view a log:
1. Select the Logs view.
2. From the relevant pane, locate the entity whose log you want to view.
3. Double-click the entity. The entity's data is loaded into the Search pane.
   Note: You may use only the Search and Advanced Search options if you want, without first selecting an entity.

4. In the Search pane, set the value of the criterion you want to search by. Options are:
   When did the event occur? - Select the time frame in which the event occurred. If you select Today, you must first synchronize events (select Tools > Log > Synchronize Latest Events).
   Note: It is not recommended to select Today as your time frame, as it may produce limited results and the synchronization process may have a negative effect on performance.
   Where did the event occur? - Select the resources you want to search in.
   What type of event occurred? - Select the checkboxes of the operations you are interested in.
   Who generated the event? - Click the Browse button to select users you are interested in.
   Directory filters
   Which object was accessed? - Click the Browse button to select a specific folder, file, user or group. Select the Search in child objects checkbox as necessary.
   Which files were accessed? - Type the names of specific files you are interested in. Use a comma (,) to separate names.
   Mail-related filters - Only for Exchange mailboxes
   Which user received the ? - Type the address of the mail recipient you are interested in.
   Who sent the mail? - Type the name of the mail sender you want to search for.
   Which file was attached? - Type the name of the file that was attached to the mail message.
   What is the event item type? - Select the type of mailbox event you are interested in.
5. To define more complex criteria, click Advanced Search and define the search string as required. Any criteria you have already defined in the simple search are populated automatically in the advanced search. See Advanced Searching.
   Computer accounts do not appear in any of the pickers. To search for a computer account, type the name of the computer in the relevant user filter.
   Note: For a complete description of all available filters, see DatAdvantage and SubProducts Filters.
6. To save your search criteria or load a saved search, click Save/Load Query Definitions and then select either Save or Load, as relevant.
7. When you are done setting search criteria, click the Search button. The relevant log file is displayed in the bottom pane. For information on all columns that can be displayed in the log, see Log Columns.
8. To navigate the log:
   Click Retrieve 200 More to view another 200 records.
   Important: This button retrieves the records at random, without regard to the first, last, next, sorted sets, data source (i.e., resource), etc. Each time the button is clicked, it retrieves another set of records at random, increasing the number of results by 200. For example, if you click the button once, 200 random records are retrieved. If you click it again, an entirely different set of 400 records is retrieved.
   Click Retrieve All to view all the records in the log (this may take some time).
   Use the Up and Down arrows next to the Page field to move to the required page of the log.
   Use the Up and Down arrows for the Records per page field to set the number of records displayed on each page of the log.
9. To view the log data for a single event, double-click the event's row in the log. The Event Details window is displayed, showing the event's data on the General tab.
   Note: The Event Details window shows information on all columns in the log. To add or remove log columns, see Adding and Removing Log Columns.
10. To view changes made to Group Policy Object (GPO) settings, select the GPO Changes tab. The GPO Changes tab is displayed, showing the GPO setting changes.
   Note: The GPO Changes tab is displayed only if GPO settings for that event were modified.

Adding and Removing Log Columns

To add or remove log columns:
1. Do one of the following:
   a. From the toolbar, click Edit Columns.
   b. In the log pane, right-click the title row.
   A list of all available columns is displayed.
2. To add a column, click a column that is not selected. The column is added to the log and the column list is closed.
3. To remove a column, click a selected column. The column is removed from the log and the column list is closed.

Note: The log must always include at least one column.

Log Columns

You can customize which columns are included in logs (for more information, see Adding and Removing Log Columns). You can also change the order in which the columns are displayed, sort columns, and group columns as required. For more information, see Working with Lists and Tables. Display preferences are automatically saved in the user's profile.

The following table describes all columns and column types that can be included in the log:

Column Name: Description
Affected Group Scope: The scope of affected groups.
Affected Group Type: The type of the affected group.
Affected Share Path: The full path of the share.
Changed Permission: Audit events and history of differences events - The change that occurred. If a folder's protection or ownership was changed, this column is empty.
Changed Permission Flags: The permission flags that were changed. If a folder's protection or ownership was changed, this column is empty.
Commit Process ID: The ID of the process in which the change was committed.
Device IP Address: The IP address of the user from which the event originated.
Device Name: The resolved hostname of the Device IP from which the event originated.
Event Count: The number of times a single event was logged. For example, if the same file was opened by the user several times in a single day, this field displays the total number of identical events.
Event Description: A detailed description of the event.
Event ID: The unique identifier of events occurring on the same ACL.

Event Operation: Indicates what happened during the event. Also indicates access denied events, that is, events that failed because the user did not have sufficient permission.
   Note: Events may be marked incorrectly as access denied in the following cases:
   - Folder access - When a folder is opened, an Open request is triggered for all the files within the folder. If file permissions are different from the folder's permissions, a false access denied event is recorded. A single event is presented for all the files within the folder.
   - Missing events - If a file requires both Write and Read permissions in order to open it, access denied events are not recorded for the file's Open events.
   - Events generated by the operating system or installed application - The operating system or installed applications may generate events that are marked as Open events. For example, Windows opens image files to support its thumbnail functionality. These false positives are filtered by default, to minimize "noise" as much as possible.
   Note: Access events that are denied due to lack of share permissions are not recorded.
Event Status: Indicates whether the event was successful or not.
Event Time: The time, as configured on the file server, at which the event occurred.
Event Type: The type of operation performed on the entity.
File Server/Domain: The name of the file server or domain on which the event occurred.
File Type: Indicates the file type, if known.
Includes Guest Link: Files in SharePoint Online that have a guest link.
Inherited Permission Change: Indicates whether the change in permissions was inherited.
Last Occurrence: The last time the event was logged.

Number of Nested Files in Deleted Folder: The number of nested files contained in a deleted folder.
Object: The display name of the object on which the event occurred.
Object Type: The type of object on which the event occurred, which can be: File, Folder, Group, User.
Operation By: The name of the user who performed the event.
Operation Source: The source of the event, which can be:
   Log - User events
   History - Differences retrieved by FileWalk and ADWalk
Path: The path name of the accessed object. For directory service objects, this is the distinguished name.
Permissions After Change:
   Audit events - The permissions that existed on the object following the change.
   History of differences events - This column is empty.
Permissions Before Change:
   Audit events - The permissions that existed on the object prior to the change.
   History of differences events - This field is empty.
Shared Externally: Files, folders and sites in SharePoint Online that are shared with external users.
Size of Deleted Folder (in MB): Filters according to the specified size of deleted folders.
Trustee: The name of the user (in the format Domain\Username) that was granted permission. The column is empty if a folder's protection was changed in a Protection Added or Protection Removed event. The name of the new owner (in the format Domain\Username) if ownership was changed in an Owner Changed event.

Trustee Account Type: Indicates the type of account for which permissions have changed (i.e., a user, group or a computer).
UTC Time: The UTC time at which the event occurred.
Account Management: By default, the following columns can be added to the log:
   Note: Separate columns can be added for acting object and affected object.
   Account with Expiration Date - The name of an account on which an expiration date has been set.
   Disabled Stale Account - The name of an account that is both disabled and stale.
   Enabled Stale Account - The name of an account that is enabled but stale.
   Enabled User with Account about to Expire - The name of a user that is enabled, but whose account is about to expire.
   Enabled User with Expired Passwords - The name of a user that is enabled, but whose password has expired.
   Enabled User with Password about to Expire - The name of a user that is enabled, but whose password is about to expire.
   Locked-out User - The name of a user who is locked out of the system.
   Stale Account - The name of an account that is stale.
   User with Expired Passwords - The name of a user whose password has expired.
   User with Password that Never Expires - The name of a user whose password never expires.

AD Properties: By default, the following Active Directory properties can be added as columns to the log:
   Note: Separate columns can be added for acting object and affected object.
   AccountExpires - The date when the account expires.
   Company - The user's company name.
   CountryCode - Specifies the country/region code for the user's language of choice.
   CountryName - The country/region in the address of the user.
   CurrentLocation - The computer location for an object that has moved.
   Department - The name of the department in which the user works.
   description - The description to display for an object.
   Disabled Accounts - The name of disabled user and group accounts, as set in Active Directory.
   Display Name - The display name for an entity.
   Division - The user's division.
   Domain Name - The domain name of the entity that performed the event.
   - The of the entity, as defined in Active Directory
   givenname - The given name (first name) of the user.
   initials - The initials for parts of the user's full name.
   ipphone - The TCP/IP address for the phone.
   LastLogonTimestamp - The time at which the user last logged into the domain.
   LDAP path - The path of the LDAP server.
   LocalityName - Represents the name of a locality, such as a town or city.
   Location - The user's location, such as office number.
   LockoutTime - The date and time (UTC) at which an account was locked out.
   Logon Name - The user's logon name.
   managedby - The distinguished name of the user that is assigned to manage this object.
   manager - The distinguished name of the user who is the user's manager.
   Manager Name - The name of the user's manager.
   mobile - The primary mobile phone number.
   msds-isgc - Identifies the state of the Global Catalog on the DC.
   msds-isrodc - Shows whether a DC is an RODC.
   msds-sitename - Lists the site name that corresponds to the DC.
   msds-supportedencryptiontypes - The encryption algorithms supported by user, computer or trust accounts.
   name - The relative distinguished name (RDN) of an entity.
   ObjectGuid - The unique identifier for an object.

   Operating System - The Operating System name, such as Windows X.
   Operating System Service Pack - The operating system service pack ID string (for example, SP3).
   Operating System Version - The operating system version string, for example, 4.0.
   OU Name - The name of the organizational unit to which the entity belongs.
   OU Path - The entity's position in the specified OU hierarchy.
   Personal Title - The user's title.
   Primary User Address - The user's primary mailing address.
   primarygroupid - Contains the relative identifier (RID) for the primary group of the user.
   Profile path - Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.
   PwdLastSet - The date and time at which the password for the account was last changed.
   sn - The last name (surname) of a user.
   Telephone Number - The primary telephone number.
   TextCountry - The country/region in which the user is located.
   title - Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
   User Type - The type of user account.
   userprincipalname - An Internet-style login name for a user based on the Internet standard RFC 82
   WhenCreated - The date on which the object was created.
   Note: Additional AD properties can be defined in the Configuration window and then added as columns.

Azure AD Properties: By default, the following Azure Active Directory properties can be added as columns to the log:
   Note: Separate columns can be added for acting object and affected object.
   Azure blockcredential - Indicates whether or not the user can log on to Azure Active Directory using the user ID.
   Azure cloudexchangerecipientdisplaytype
   Azure isblackberryuser - Indicates whether or not the user has a BlackBerry device.
   Azure islicensed - Indicates whether or not the user has licenses assigned.
   Azure issystem
   Azure lastdirsynctim - The date and time of the last directory synchronization (returned from users synced through Active Directory Domain Services synchronization).
   Azure licensereconciliationneeded
   Azure liveid - The user's unique login ID.
   Azure ObjectID - The user's unique ID.
   Azure overallprovisioningstatus
   Azure passwordresetnotrequiredduringactivate - Indicates whether or not a password must be reset when activated.
   Azure preferredlanguage - The user's preferred language.
   Azure softdeletiontimestamp
   Azure strongauthenticationproofuptime
   Azure strongpasswordrequired
   Azure stsrefreshtokensvalidfrom
   Azure userlandingpageidentifierforo365shell
   Azure userthemeidentifierforo365shell
   Azure usertype - The type of user.
   Azure validationstatus
   externalusersharesentto adress
   externalusersignin address
   Is Azure External User
Classification: The following columns can be added to the log:
   Classification Results - The files and folders having classification results.
   Total Hit Count - The number of times a rule returns a result on a file.
   Total Hit Count (Inc. subfolders) - The sum of all results returned for all folders and subfolders that are identified by classification rules.

Follow Up: The following columns can be added to the log:
   Global Flags on Acting Object - Global flags defined for the acting object
   Global Flags on Affected Object - Global flags defined for the affected object
   Notes on Acting Object - Notes defined for the acting object
   Notes on Affected Object - Notes defined for the affected object
   Tags on Acting Object - Tags defined for the acting object
   Tags on Affected Object - Tags defined for the affected object
FS Properties: The following columns can be added to the log:
   Access Date - The date on which the file system object was accessed
   Create Date - The date on which the file system object was created
   Exchange Domain - The Exchange domain on which the event occurred
   File Count - The number of files the folder contains, not including files in subfolders
   FS Owner - The file system owner of the object
   Modify Date - The date on which the object was modified
   Number of Files in Subfolders - The number of files contained in subfolders, not including files residing directly under the folder
   Number of Nested Files - The number of files the folder contains, including all files in all subfolders
   Number of Nested Folders - The number of subfolders the folder contains
   Physical Size of Folder (in MB)
   Physical Size of Folder and Subfolders (in MB)
   Resource Type
   Size of Folder (in MB) - The size of the folder, without subfolders, in megabytes
   Size of Folder and Subfolders (in MB) - The total size of the folder in megabytes, including all subfolders
   Size of Subfolders (in MB) - The total size of all the subfolders contained in the folder, in megabytes
   Total Number of Nested Objects - The number of nested folders and files

Mail Properties: The following columns can be added to the log (only available for Exchange resources):
   Attachment Name - The name of a file (if any) that was attached to the mail
   Exchange Client Type - The type of client used to access the mailbox
   Mail Date - The date on which the mail was sent
   Mail Item Type - The mail type, such as mail message, accept meeting, and task
   Mail Recipients - The addresses of the users who received the mail
   Mail Source - The address of the user that sent the mail
   Mail Access Type - The type of user who accessed the mailbox, which can be:
      Owner - The mailbox owner
      Non owner - All users except the mailbox owner

Exporting Log Results

To export the log results to an Excel spreadsheet:
1. On the toolbar, click Export Results. The Save As dialog box is displayed.
2. Save the spreadsheet.

Saving Log Results

To save the log results to an Excel spreadsheet:
1. On the toolbar, click Save/Load > Save. The Save As dialog box is displayed.
2. Save the log as necessary.

Loading Log Results

To load a log into the UI for viewing:
1. On the toolbar, click Save/Load > Load. The Open dialog box is displayed.
2. Select the required log and click OK.

Printing Logs

To print a log:
1. On the toolbar, click Print.
2. To preview the log, select Print Preview. To print the log, select Print.

Minimizing and Maximizing the Query Pane

To minimize or maximize the query pane:
1. On the toolbar, click Minimize Query or Maximize Query as relevant.

Jumping to Report a.01

After you define filters for the log, you can jump to report a.01 and use those filters to quickly create a template or subscription. When you jump to report a.01 from the Log View, the defined filters are automatically loaded into the report's Filters pane.

Note: This function is available only to users who have the Report View role. In addition, those having the Enterprise Managers, System Administrator, Power User or Users roles can generate alerts from the Log view if they also have the DatAlert Configuration role.

To jump to report a.01:
1. Define the required Advanced Search criteria, or load a DatAlert rule.
2. On the toolbar, click Jump to Report a.01. Report a.01 is displayed, with all the filters loaded that you defined in the Log View.

10 ALERTS VIEW

DatAdvantage tracks the number of access events generated by each user on a daily basis. Access events include, among other actions, opening, creating, deleting, and moving (renaming) files or directories.

Each night, DatAdvantage calculates the daily average for each user's access events over the previous 60 days (the time period is configurable), as well as the standard deviation of each user's daily access events.

If, on any given day, the total number of a user's access events "spikes," that is, exceeds that user's daily average by more than a multiple (coefficient, by default = 3) of his or her standard deviation, and the user also exceeded the threshold (by default = 10,000), DatAdvantage generates an alert, which is displayed in the Alerts view.

The severity of an alert is dictated by the number of consecutive days on which the alert was generated for the specific user. That is, if a user creates an alert three days in a row, one alert is written with a severity of The maximum severity is set to 8.

Example

When the alerts settings are configured as follows:
Alert utilization coefficient - set to 3
Alert utilization threshold - set to 1,000
Alert configuration period - set to 4 days

and the user generates the following events:
Day 1 - 1,000 events
Day 2 - 1,050 events
Day 3 - 1,100 events
Day 4 - 1,150 events

If on day 5 the user generates 1,300 events, DatAdvantage generates an alert because the user exceeded his or her daily average by 5 times the standard deviation (greater than the set Alert utilization coefficient) and created more than 1,000 events (greater than the set Alert utilization threshold).

The Alerts view comprises the following panes:
Calendar
Alerts List
Activity By Date
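The spike rule described above, sketched as an added example for analysts who want to reproduce or tune it against exported daily counts; this is not Varonis code. The function names, the use of the population standard deviation, a baseline that excludes the day being evaluated, and severity equal to the number of consecutive alerting days are assumptions, since the guide does not specify them.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

MAX_SEVERITY = 8  # the guide states that the maximum severity is 8


@dataclass
class Alert:
    start_day: int  # 1-based day on which the run of spikes began
    end_day: int    # 1-based day on which the run of spikes ended
    severity: int   # assumed mapping: consecutive alerting days, capped


def spike_limit(baseline, coefficient):
    """Daily average plus `coefficient` standard deviations of the baseline."""
    # Assumption: population standard deviation. The guide does not say which
    # estimator the product uses, and the exact multiple depends on it.
    return mean(baseline) + coefficient * pstdev(baseline)


def is_spike(baseline, count, coefficient=3, threshold=10_000):
    """Both conditions must hold: statistical spike AND absolute threshold."""
    if not baseline:
        return False  # no history yet, so there is nothing to compare against
    return count > spike_limit(baseline, coefficient) and count > threshold


def _close(start, end):
    """Merge a run of consecutive alerting days into one alert."""
    return Alert(start, end, min(end - start + 1, MAX_SEVERITY))


def scan(daily_counts, period=60, coefficient=3, threshold=10_000):
    """Walk one user's daily event counts and return the merged alerts."""
    alerts, run_start = [], None
    for i in range(period, len(daily_counts)):
        baseline = daily_counts[i - period:i]  # the previous `period` days
        day = i + 1
        if is_spike(baseline, daily_counts[i], coefficient, threshold):
            if run_start is None:
                run_start = day
            continue
        if run_start is not None:
            alerts.append(_close(run_start, day - 1))
            run_start = None
    if run_start is not None:
        alerts.append(_close(run_start, len(daily_counts)))
    return alerts


# Constructed sample data. GUIDE_EXAMPLE repeats the day 1-5 counts from the
# guide's example; RAMP and QUIET are made up for illustration.
GUIDE_EXAMPLE = [1000, 1050, 1100, 1150, 1300]
RAMP = GUIDE_EXAMPLE + [1600, 2500]   # activity keeps climbing after day 5
QUIET = [10, 10, 10, 10, 100]         # 10x jump, but far below the threshold

if __name__ == "__main__":
    settings = dict(period=4, coefficient=3, threshold=1000)
    for name, series in (("guide", GUIDE_EXAMPLE), ("ramp", RAMP), ("quiet", QUIET)):
        print(name, scan(series, **settings))
```

The QUIET series shows why the absolute threshold matters: a low-volume account can jump tenfold without alerting, so the threshold should be reviewed for accounts whose normal activity is small.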

Viewing Alerts

To view alerts:
1. Select the Alerts view.
2. Set the required timeframe.
3. In the Resources drop-down list, locate the resource for which you want to view statistics.
4. Double-click the resource you want to review. Alternatively, click the Search button in the Calendar pane. Alerts for the specified timeframe are displayed.

Alerts provide the following information:
   Type - The entity for which the alert was generated. Possible types: User, Group
   Entity Name - The name of the entity for which the alert was generated.
   Alert Type - The type of alert.
   Alert Name - The name of the alert.
   Start Date - The date on which the unusual behavior began.
   End Date - The date on which the unusual behavior ended.
   Severity - The severity of the unusual behavior.
5. Use DatAdvantage's standard sorting and grouping functions to locate the data you need quickly.
6. In the Activity By Date pane, click the column for a specific date to view information for that day.

7. Use the Alerts report subscription option to receive regular reports regarding alerts in your system.

About Alert Analysis

DatAdvantage creates a baseline of normal activity for each user. Therefore, most alerts deserve investigation. There are several causes for spikes in user activity. Any of these (and many other) examples may cause an alert in DatAdvantage:
- A user or administrator has modified the permissions on a directory and all the files and subfolders within that directory.
- A user or administrator has copied a large number of files to or from the server.
- An automated process has been executed with a user account, such as a batch process, an indexer service, a worm or other malware.

DatAdvantage typically generates a handful of alerts each day, which can usually be investigated in a short period of time. When you do your daily review of the DatAdvantage alerts, it is helpful to double-click each alert to determine the following:
- Was the alert generated by a privileged or administrative account?
- Was the activity deviation thousands or tens of thousands of events?

If the answer to either or both of these questions is yes, the alert probably deserves investigation.

Analyzing Alerts

To analyze an alert:

1. Click the bar corresponding to the day on which the alert was generated to jump to the Statistics view. The directories that were accessed are displayed.
2. Check the Logs view for additional information. The Logs view displays the files that were accessed, and indicates whether they were opened, deleted, moved, and so on.

Inappropriate Access

While DatAdvantage makes identifying the technical cause of a usage spike simple, it can sometimes be more difficult to discern whether the activity was appropriate or inappropriate, well-intentioned or otherwise. Until clear policies and processes concerning appropriate and inappropriate access are created, distributed, and reviewed, it is usually best to adopt a methodology similar to the following:

1. Determine a list of directories containing critical or sensitive files, and the parties responsible for them (that is, their owners).
2. Agree on a process to handle alerts concerning sensitive data with the data owners. This might include notification, generation of activity reports, and so on.
3. When an alert arises concerning sensitive data, follow the agreed upon process.
4. When a user or administrator account generates an alert on any other (non-sensitive) data and the cause is unknown or not easily discernible, ask the user or administrator in question if they know what might have caused a spike in his or her activity.
5. If the cause still cannot be determined and the pattern is repeated, consider asking the user to change his or her password.
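The two daily-review questions from About Alert Analysis and the handling methodology under Inappropriate Access can be written down as a small triage routine. This is an added example, not Varonis code and not a DatAdvantage export format: the field names follow the alert fields listed in this guide, while `deviation_events`, `directories`, `cause_known`, the account list and the directory-to-owner map are assumptions you would fill in from your own review notes.

```python
from dataclasses import dataclass
from datetime import date

# Every account, path and number below is constructed for illustration.
PRIVILEGED_ACCOUNTS = {"corp\\adm_jlee", "corp\\svc_backup"}   # assumption: your own list
SENSITIVE_DIRS = {                                              # directory -> data owner
    r"\\fs01\finance": "corp\\cfo_office",
    r"\\fs01\hr\payroll": "corp\\hr_lead",
}
LARGE_DEVIATION = 1000   # lower bound for "thousands or tens of thousands of events"


@dataclass
class Alert:
    entity_name: str            # "Entity Name" from the alert list
    alert_name: str             # "Alert Name" from the alert list
    start_date: date            # "Start Date" from the alert list
    deviation_events: int       # assumption: events above the user's baseline
    directories: tuple          # assumption: directories noted in the Statistics view
    cause_known: bool = False   # assumption: set once the spike has been explained


def _norm(path):
    # Windows paths compare case-insensitively; trailing separators are dropped.
    return path.rstrip("\\").lower()


def review_reasons(alert):
    # The two daily-review questions; any hit means the alert probably
    # deserves investigation.
    reasons = []
    if alert.entity_name.lower() in PRIVILEGED_ACCOUNTS:
        reasons.append("privileged account")
    if alert.deviation_events >= LARGE_DEVIATION:
        reasons.append("large deviation")
    return reasons


def sensitive_owners(alert):
    # Owners of sensitive directories that contain any accessed directory.
    # Matching is on whole path components, so a sibling such as
    # finance_archive is not treated as part of finance.
    owners = set()
    for accessed in map(_norm, alert.directories):
        for root, owner in SENSITIVE_DIRS.items():
            root = _norm(root)
            if accessed == root or accessed.startswith(root + "\\"):
                owners.add(owner)
    return sorted(owners)


def triage(alerts):
    # Walk alerts in date order and apply methodology steps 3 to 5.
    # "Pattern is repeated" is read here as: the same entity already has an
    # earlier unexplained alert on non-sensitive data (one interpretation).
    unexplained = {}
    results = []
    for alert in sorted(alerts, key=lambda a: a.start_date):
        owners = sensitive_owners(alert)
        key = alert.entity_name.lower()
        if owners:
            action = "follow owner process"       # step 3
        elif alert.cause_known:
            action = "close"
        elif unexplained.get(key, 0) >= 1:
            action = "consider password change"   # step 5
        else:
            action = "ask user"                   # step 4
        if not owners and not alert.cause_known:
            unexplained[key] = unexplained.get(key, 0) + 1
        results.append({
            "entity": alert.entity_name,
            "date": alert.start_date,
            "reasons": review_reasons(alert),
            "owners": owners,
            "action": action,
        })
    return results


SAMPLE_ALERTS = [  # constructed sample data
    Alert("CORP\\mroberts", "sample alert B", date(2017, 5, 3), 14000,
          (r"\\fs01\finance_archive\old",)),
    Alert("CORP\\adm_jlee", "sample alert A", date(2017, 5, 2), 250,
          (r"\\fs01\Finance\Q1",)),
    Alert("CORP\\tkim", "sample alert C", date(2017, 5, 4), 40,
          (r"\\fs01\public\docs",), cause_known=True),
    Alert("CORP\\mroberts", "sample alert D", date(2017, 5, 5), 9000,
          (r"\\fs01\public",)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row["date"], row["entity"], row["reasons"], row["owners"], row["action"])
```

Keeping the sensitive-directory map and the privileged-account list under change control matters as much as the logic, since a stale list silently routes alerts on sensitive data to the "ask user" path.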

11 REPORTS VIEW

The Reports view enables you to define reports to be sent periodically (or only once) by email, or be stored on a file system share. You can also view reports online, and store snapshots of important reports. This view comprises the following panes:

- Reports List
- My Subscriptions
- Viewer - Includes the following panes:
  - Search conditions
  - Help display
  - Table view

For a complete description of all reports available in DatAdvantage, see Metadata Framework Reports.

About the Reports List

The Reports List is an interactive list of reports, along with both predefined and customized templates. You can:

- Filter the list
- Set simple search criteria to find reports quickly
- Show and hide report categories
- Group and sort the reports list by any list header
- Expand and collapse the grouped list

Finding Reports in the Reports List

DatAdvantage provides dozens of useful reports to enable complete visibility into your data. Set search criteria to find reports according to the following guidelines:

- In the Find Report field, type the terms by which you want to search.
- The search is carried out on the following fields:
  - Template name
  - Template description
  - ID column (even if the view mode is not set to Hide Categories)
  - Report name
  - Report category
- The search is not case-sensitive.
- Use a plus sign (+) to search for more than one term. For example, searching everyone + permissions returns all reports that include both everyone and permissions.

- The categories and reports in the results are fully expanded following your search, regardless of other view options you may have set.
- To reload the full report list, click the X in the Find Report field or delete the input you entered.

Using the Reports List

To use the Reports List:

1. Group and sort the list as necessary according to standard DatAdvantage procedures (see Working with Lists and Tables).
2. To expand or collapse the grouped, sorted list, right-click a category and select Expand All Groups or Collapse All Groups, as relevant.
3. To hide the report categories and view all report templates as a flat list, select View > Hide Categories. A flat list is displayed, regardless of other grouping, sorting or search criteria you may have set. To show report categories again, clear this option.

Accessing the DatAdvantage Operational Log

The DatAdvantage Operational Log, report 8.b.01, provides complete visibility into activities performed within DatAdvantage itself. There are two ways to access the log:

- Select Tools > DatAdvantage Operational Log. Report 8.b.01 is opened in the report viewer.
- Go to the Reports view and find report 8.b.01 in the Reports List.

After you have accessed the DatAdvantage Operational Log, you can customize a template for it or create a subscription to it according to standard DatAdvantage procedures.

About Report Templates

DatAdvantage enables users with certain roles to define and customize report templates as necessary, so that they can create the most useful reports quickly and easily. With report templates, authorized users can start with a predefined template, and then:

- Set the default filters and filter values you want for the template.
- Choose the columns to be displayed in the report, based on:
  - Directory service (Active Directory) properties
  - File system properties
  - Other available columns
- Set sorting and grouping options.
- Choose the look and feel of reports.
  - Select predefined themes, including your own customized themes
  - Use a custom logo in generated reports
- Set various display options for the selected columns.

Upgrade

During upgrade, subscriptions that were created before templates were introduced or customized are updated accordingly, such that new templates are created that include the relevant customizations.

Roles

The following roles can customize report templates:

- Enterprise managers
- System administrators
- Users with the Reports view-based role

Creating Report Templates

To create a report template:

1. Select the Reports view.
2. Locate the required report in the Reports List.
3. Click the name of the report. The report is displayed in the Viewer.
4. Set filtering, column options and display options as necessary.
5. To run the report, click Run Report.
6. To save your template along with the filter you defined, click Save or Save As, as relevant.

Important: If you change the configuration of a template, subscriptions to it are updated with everything except changes to filters.

Note: If you make changes to a predefined template, you must click Save As to save it under a new name.

Setting Template Filters

To set filters for your template:

1. In the Search pane, select the Filters tab and set filters as relevant. For complete instructions on setting filters, see Advanced Searching.

2. To export your filter definitions to an XML file for easy reuse, select Import/Export Filter > Export to File and save the file.
3. To import your saved filter definitions, select Import/Export Filter > Import from File and select the relevant file.
4. To save the filters as part of your template, click Save or Save As, as relevant.

Important: If you change the configuration of a template, subscriptions to that template are updated with all changes except those made to filters.

Note: If you make changes to a predefined template, you must click Save As to save it under a new name.

Setting Template Columns

To set columns for your template:

1. In the viewer, select the Columns tab.
2. From Available columns on the left, select the columns you want to add to the report and click the right arrow to move your choices to Your selection on the right.
3. In the Your selection area, do the following as preferred:
   - To group report results by a particular column, select the Grouped by check box for that column.
   - To reorder columns, select a column to move and use the up and down arrows to set its position in the report.
4. Click Reset to restore the set of columns and groupings that were last saved with your template.

Setting Chart Data for Metrics

Note: The following procedure applies to reports 14.c.01 and 14.h.0

To set chart data for your template:

1. In the viewer, select the Chart Data tab. The Chart Data tab is displayed.
2. From the Available metrics on the left, select the metrics you want to add to the report and click the right arrow to move your choices to Your selection on the right.
3. In the Your selection area, do the following as preferred:
   - To change the line color for each metric, select the required color from the Color dropdown list for that metric.
   - To change the line type for each metric, select the required line type from the Line Type dropdown list for that metric. The following line types are available:
     - Solid
     - Dotted
     - Dashed
   Note: By default, the color and line type for each metric are automatically selected.
4. To view the data labels on the Y axis of the line chart, select the Show data labels on chart check box on the top right of the Chart Data tab.
5. Click Reset to restore the set of metrics, colors and line types that were last saved with your template.

Setting Chart Data for Business Units

Note: The following procedure applies to report 14.i.01 only.

To set chart data for your template:

1. In the viewer, select the Chart Data tab. The Chart Data tab is displayed.

2. From the Business units selection on the left, do one of the following:
   - Select the Top business units for the selected trend option and set the number of business units for display in the bar chart.
     Note: If selected, the bar chart will display the selected number of business units with the highest average metric values during the defined time period. An overview of business unit metrics is displayed in the bar chart. This option does not display the data according to the time period defined by the interval filter.
   - Select the Manually select the business units option and do the following:
     - Select the business units you want to add to the report and click the right arrow to move your choices to Your selection on the right.
     - To change the color for each business unit, select the required color from the Color drop-down list for that business unit.
       Note: This step is optional. By default, the color for each business unit is automatically selected.
     Note: The Manually select the business units option is selected by default.
3. To view the data labels on the Y axis of the bar chart, select the Show data labels on chart check box on the top right of the Chart Data tab.
4. Click Reset to restore the set of business units and colors that were last saved with your template.

Setting Display Options

To set display options for your template:

1. In the viewer, select the Display tab.

2. In the General area, set the following:
   - Template name - Enter a customized name for your template.
   - Template owner - Click the Browse button to select an owner for the template. Only the template owner and Enterprise Manager (if configured) can edit and delete this template, or change the template owner.
   - Description - Enter a free-text description for your template.
3. In the Page Layout area, set the following:
   - Title - From the drop-down list, select the report element to be used for your template's title. Options are:
     - Report Name
     - Template Name
   - Subtitle - From the drop-down list, select the report element to be used for your template's subtitle. Options are:
     - None - Select if you do not want a subtitle.
     - Report Name
     - Template Name
     Note: The Title and Subtitle options you set are also applied to your subscriptions for this template.
   - Look and feel - If you have prepared a customized look and feel, select it from the dropdown list.
   - Show in report - Select the report elements you want to show in your template:
     - Description - Displays the template's description as part of the generated report
     - Filter - Displays the filters you set as part of the generated report
     - Logo - Displays the logo you choose (or the default Varonis logo) as part of the generated report
   - Results grouping - Select your preferences for grouping the results returned in the generated report. Options are:
     - Collapse groups
     - Hide number of nested rows

Setting Privacy Options

When you create or edit a template, you can select the users that can see it. Only users who have permission can:

- See the template in the Reports List
- Select the template in the subscription window

The Privacy Settings tab is only visible to the template owner and the Enterprise Manager (if configured).

To set privacy options for your template:

1. In the viewer, select the Privacy Settings tab.
2. From the drop-down list, select the users that can see the template. Options are:
   - All users
   - The template owner
     Note: See Setting Display Options for instructions on setting the owner. Keep in mind the Enterprise Manager may be able to see all templates and subscriptions, regardless of the setting you choose here. See the Management Console User Guide for more information.
   - The template owner and the following users/groups - If you select this option, click the green plus sign to select the required users and groups.

Importing and Exporting Report Filters

If you have well-defined filters, you can export them to XML files for later use and import saved files.

To export a defined filter:

1. In the Search pane, click Import/Export Filter > Export to File.
2. Save the file as required.

To import a saved filter:

1. In the Search pane, click Import/Export Filter > Import from File.
2. Select the required file. The file is loaded into the Search pane.

Editing Report Templates

Only user-defined templates can be edited. Default templates provided with DatAdvantage cannot be edited. Subscriptions to templates are automatically updated when the templates are edited, with the exception of changes to filters.

To edit a defined report template:

1. Expand the Reports List and select the customized report template you want to edit.
2. Edit the template as required.
3. Save the edited template.

Deleting Report Templates

Only user-defined templates can be deleted. Default templates provided with DatAdvantage cannot be deleted. If a template is deleted, any subscriptions defined for it are also deleted (a warning is provided).

To delete a customized report template:

1. Expand the Reports List and select the customized report template you want to delete.
2. Click Delete. The template is deleted.

Working with Reports

Showing and Hiding the Report Search Pane

To hide the report search pane:

- In the Search pane, click Hide Search. The Search pane is hidden.

To show the report search pane when it is hidden:

- In the Search pane, click Show Search. The Search pane is displayed.

Switching Report Views

DatAdvantage provides two views in the Reports workspace:

- Help view - Provides instant access to the online help for the specific report you selected
- Table view - Provides an interactive view of the report data so that you can sort and group data effectively, to gain a better understanding of the results before generating a formatted report

To switch report views:

1. From the Help View (opened by default when you select a report), click the Table View button. The Table View is displayed.

2. From the Table View, click the Help View button. The Help View is displayed.

Previewing Reports

The report preview window displays the fully formatted report, not just the raw report data.

To preview reports:

1. Define the report criteria as required.
2. In either the Search pane or the Table View, click Preview.
   - Button in the Search pane - All report results are included in the preview
   - Button in the Table View - Only the selected results are included in the preview
   The report preview is generated in a separate window.

3. On the report toolbar, use the following buttons to perform various activities with the report:
   - To navigate the report.
   - To stop rendering the generated report.
   - To refresh the generated report.
   - To print the report.
   - To set the print layout.
   - To determine the page setup for the printed report.
   - To save the generated report to Word, Excel or PowerPoint.
   - To set the screen magnification.
   - To find specific text in the generated report.
4. Once column order and grouping options are defined, you can expand or collapse rows in the generated report as necessary:

Working with the Table View

To view search results in the Table View:

1. In the Search pane, click Run. The report results are displayed in the Table View.

2. To quickly locate results containing a specific string:
   a. Select a cell in the grid that contains the relevant string.
   b. Right-click and select Copy from the context menu.
   c. Paste the copied string into the search bar above the grid. The report results are filtered to display only results containing that string.
3. To group report results:
   a. In the Search pane, select Group by for the columns by which you want to group results. The results in the Table View are grouped accordingly, and the headings of the grouped columns are displayed in the grouping area above the results.
   b. Alternatively, drag the relevant column heading in the Table View to the grouping area above the results. Report results are grouped accordingly, and the Group by option for that column is selected in the Table View.
4. To clear groupings, do one of the following:
   - Clear the Group by option in the Search pane.
   - Drag the relevant heading from the grouping area back to the results.
   The grouping is removed.
5. If you prefer, select specific rows for export or preview. Only the selected rows are included in the exported report or the preview. You must use the Preview button in the Table View for this; the Preview button in the Search pane generates a preview with all rows. By default, all rows are selected.
6. To view page breaks prior to printing, click Page Break. The printable area is displayed below the report results, indicating which columns will be printed on which page.

Exporting Reports

You can export reports to the following formats:

- CSV
- HTML

- Excel
- PDF

To export report data:

1. Generate the report.
2. If you prefer, select specific rows for export in the Table View. Only the selected rows are included in the exported report. (By default, all rows are selected.)
3. In either the Table View or the report preview, select the required format from the Export drop-down list.
4. Save the exported report as required.

Subscribing to Reports

BEST PRACTICE: For performance reasons, Varonis highly recommends you subscribe to reports so that you can receive them regularly by email, instead of generating them directly in the Viewer.

To subscribe to a report:

1. In the Reports List or the Viewer, click the Subscription button. The Subscription dialog box is displayed.
2. In the General area, set the following parameters:
   - Name - Type a name for the subscription.
   - Description - Type a free-text description of the subscription.
3. Set the remaining subscription parameters for each tab as necessary.
4. To run the report subscription immediately, select Run immediately.

Delivery Parameters Tab

The contents of the Delivery Parameters tab are determined by the option selected in the Delivered By parameter:

- Report Server - Simply send the report by email.
- Report Server (Data-Driven) - Select to filter the report contents according to the recipient's owned objects, and send it by email.
- Report Server File Share - Save the output report to file.
- Report Server File Share (Data-Driven) - Save the report subscription to a file system share according to the specified recipients' owned objects. With this option, a folder is created in the destination folder for each recipient and a copy of the report that contains only information relevant to that recipient is placed in the folder.

Sending Reports by Email

The Report Server - option enables you to send a report subscription to designated recipients.

To send a report by email:

1. From the Delivered by drop-down list, select Report Server.
2. Select the Always send this report, even if empty option as required.
3. Set the following parameters:
   - To - Type the addresses of the recipients of the report (separated by a semi-colon).
   - CC - Type the addresses of users to receive copies of the report (separated by a semi-colon).
   - BCC - Type the addresses of users to receive blind copies of the report (separated by a semi-colon).
   - Reply - Type the address of the user sending the report.
   - Subject - Type the subject line of the report.
   - Display report data in the subject field - Select to display the template name and creation date as a prefix to the subject. If the subject field is otherwise empty, the report data is displayed as the subject.
   - Include report - Select to include the actual report in the email.
   - Format - From the drop-down list, select the format in which the report is to be delivered (only if you chose to include the report with the email).
     - Acrobat (PDF) file
     - CSV (comma-delimited) file
     - Excel (xls)
     - Excel (xlsx)
     - TIFF file
     - Web archive
     - XML
   - Include link - Select to include a link to the report's location on the IDU server.

     Note: The Include link option may be hidden by configuration.
   - Priority - From the drop-down list, select the relevant delivery priority.
   - Comment - Type a free-text comment in the field as necessary.
4. Click OK to close the subscription form, or click another tab to continue defining the subscription.

Sending Data-Driven Reports by Email to Selected Recipients

The Report Server (Data-Driven) option enables you to filter report contents according to the recipient's owned objects. For several reports, you can define subscriptions that include the data of both data owners and their subordinates. This hierarchical subscription means managers can view information regarding all the data for which they are ultimately responsible, without the need to be data owners themselves.

To send the report only to selected owners (both users or groups - if the latter, first-level members will receive the email):

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do not provide activity information to group owners or domain custodians option is selected on the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose Selected Recipients.

   The Recipients box is displayed, providing the following information:
   - Owner Name - The name of the data or group owner that is selected to receive the report.
   - Ownership Types - The types of entities for which the owner is responsible.
   - Include Subordinates Data - Select to include the data owned by all the owner's subordinates in the report. (This option is only visible in reports supporting hierarchical subscriptions.)
4. Next to the Recipients box, click Add. The Directory Services Search dialog box is displayed.
5. Clear the Show only data owners option (which is selected by default) to restrict the search results to only data owners, and exclude their managers (who may not own data).
   Note: This option is only visible in reports supporting hierarchical subscriptions.
6. Add recipients as necessary. Select users and/or groups that are defined as resource/domain custodians.
7. Set the required settings:
   - Subject - Type the subject line of the report.
   - Display report data in the subject field - Select to display the template name and creation date as a prefix to the subject. If the subject field is otherwise empty, the report data is displayed as the subject.
   - Include report - Select to include the actual report in the email.
   - Format - From the drop-down list, select the format in which the report is to be delivered (only if you chose to include the report with the email).
     - Acrobat (PDF) file
     - CSV (comma-delimited) file
     - Excel (xls)
     - Excel (xlsx)
     - TIFF file
     - Web archive
     - XML
   - Include link - Select to include a link to the report's location on the IDU server.
     Note: The Include link option may be hidden by configuration.
   - Priority - From the drop-down list, select the relevant delivery priority.
   - Comment - Type a free-text comment in the field as necessary.
8. Click OK to close the subscription form, or click another tab to continue defining the subscription.

Sending Data-Driven Reports by Email to Recipients Selected by Rules

The Report Server (Data-Driven) option enables you to filter report contents according to the recipient's owned objects.

To select report recipients according to a rule you define:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do not provide activity information to group owners or domain custodians option is selected on the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose Recipients by rule.
4. From the AD Property dialog box, select the property by which the recipients are identified:
   - Display Name
   - SAM Account Name
5. In the Equals field, enter the actual recipients. Use a semicolon (;) to separate values.

6. Set the required settings:
   - Subject - Type the subject line of the report.
   - Display report data in the subject field - Select to display the template name and creation date as a prefix to the subject. If the subject field is otherwise empty, the report data is displayed as the subject.
   - Include report - Select to include the actual report in the email.
   - Format - From the drop-down list, select the format in which the report is to be delivered (only if you chose to include the report with the email).
     - Acrobat (PDF) file
     - CSV (comma-delimited) file
     - Excel (xls)
     - Excel (xlsx)
     - TIFF file
     - Web archive
     - XML
   - Include link - Select to include a link to the report's location on the IDU server.
     Note: The Include link option may be hidden by configuration.
   - Priority - From the drop-down list, select the relevant delivery priority.
   - Comment - Type a free-text comment in the field as necessary.
7. Click OK to close the subscription form, or click another tab to continue defining the subscription.

Sending Data-Driven Reports by Email to All Owners

The Report Server (Data-Driven) option enables you to filter report contents according to the recipient's owned objects.

To send a data-driven report by email to all entity owners:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do not provide activity information to group owners or domain custodians option is selected on the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose All owners. Each owner will receive a portion of the report that corresponds to his managed objects.
4. Set the required settings:
   - Subject - Type the subject line of the report.
   - Display report data in the subject field - Select to display the template name and creation date as a prefix to the subject. If the subject field is otherwise empty, the report data is displayed as the subject.
   - Include report - Select to include the actual report in the email.
   - Format - From the drop-down list, select the format in which the report is to be delivered (only if you chose to include the report with the email).
     - Acrobat (PDF) file
     - CSV (comma-delimited) file
     - Excel (xls)
     - Excel (xlsx)
     - TIFF file
     - Web archive
     - XML
   - Include link - Select to include a link to the report's location on the IDU server.
     Note: The Include link option may be hidden by configuration.
   - Priority - From the drop-down list, select the relevant delivery priority.
   - Comment - Type a free-text comment in the field as necessary.
5. Click OK to close the subscription form, or click another tab to continue defining the subscription.

About Data-Driven Reports for File Shares

The Report Server File Share (Data-Driven) option enables you to send a report subscription to a file system share according to the specified recipients' owned objects. With this option, a folder is created in the destination folder for each recipient and a copy of the report that contains only information relevant to that recipient is placed in the folder.

The folders are named according to the SAM account to ensure their uniqueness. They are granted Read permissions for the relevant owner, and inherit permissions from the selected destination folder. Each time the subscription is run, a new copy of the report is generated with a name that includes the date on which it was generated.

Sending Reports to File Shares

The Report Server File Share option enables you to send a report subscription to a file system share.

To send a report to a file share:

1. From the Delivered by drop-down list, select Report Server File Share.
2. Select the Always send this report, even if empty option as required.
3. Set the following parameters:
   - File Name - Type the name of the file containing the report.
   - Add a file extension when the file is created - Select this option to determine the type of file in which the report is saved.

   - Path - Click the Browse button to select the path on which the report resides.

     If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1:
     For all subscriptions, two files are created:
     - One small file in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription.
     - A CSV file is created, containing the entire report output. The full file has a suffix of _full.

     If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0:
     - If the report results exceed the maximum number of rows (configured in the Management Console):
       - A small file is created in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription.
       - A CSV file is created, containing the entire report output. The full file has a suffix of _full.
     - If the report results do not exceed the maximum number of rows, only a single file is created and saved to the share path, containing the complete report results. This file is in the specified render format.
   - Render Format - From the drop-down list, select the format in which the report is to be delivered. Options are:
   - Credentials used to access the file share - Enter the user name and password required to access the file share on which the report resides.
   - Overwrite options - Select the relevant option:
     - Overwrite an existing file with a newer version
     - Do not overwrite the file if a previous version exists
     - Increment file names as newer versions are added (according to the default SQL reporting naming conventions)
4. Click OK to close the subscription form, or click another tab to continue defining the subscription.

Sending Data-Driven Reports to File Shares for Selected Recipients

The Report Server File Share (Data-Driven) option enables you to filter report contents according to the recipient's owned objects. For several reports, you can define subscriptions that include the data of both data owners and their subordinates. This hierarchical subscription means managers can view information regarding all the data for which they are ultimately responsible, without the need to be data owners themselves.

To send a data-driven report to a file share for selected recipients:

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do not provide activity information to group owners or domain custodians option is selected on the DatAdvantage Security page of the Management Console.

1. From the Delivered by drop-down list, select Report Server File Share (Data-Driven).
2. Select the Always send this report, even if empty option as required.
3. Choose Selected recipients. The Recipients box is displayed, providing the following information:
   - Owner Name - The name of the data or group owner that is selected to receive the report.
   - Ownership Types - The types of entities for which the owner is responsible.
   - Include Subordinates Data - Select to include the data owned by all the owner's subordinates in the report. (This option is only visible in reports supporting hierarchical subscriptions.)
4. Next to the Recipients box, click Add.

338 Chapter 11 REPORTS VIEW The Directory Services Search dialog box is displayed. 5. Clear the Show only data owners option (which is selected by default) to restrict the search results to only data owners, and exclude their managers (who may not own data). Note: This option is only visible in reports supporting hierarchical subscriptions. 6. Add recipients as necessary. 7. Set the following parameters: File Name - Type the name of the file containing the report. Path - Click the Browse button to select the path on which the report resides. Within this path, a folder is created for each specified recipient. A copy of the report that contains only information relevant to that recipient is placed in the folder. If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1 For all subscriptions, two files are created: One small file in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription. A CSV file is created, containing the entire report output. The full file has a suffix of _full. If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0 If the report results exceed the maximum number of rows (configured in the Management Console): A small file is created in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription. A CSV file is created, containing the entire report output. The full file has a suffix of _full. If the report results do not exceed the maximum number of rows, only a single file is created and saved to the share path, containing the complete report results. This file is in the specified render format. Render Format - From the drop-down list, select the format in which the report is to be delivered. Options are: Credentials used to access the file share - Enter the user name and password required to access the file share on which the report resides. 8. 
Click OK to close the subscription form, or click another tab to continue defining the subscription. 329

Sending Data-Driven Reports to File Shares for Recipients Selected by Rules

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do not provide activity information to group owners or domain custodians option is selected on the DatAdvantage Security page of the Management Console.

To send a data-driven report to a file share for recipients selected by rules:

1. From the Delivered by drop-down list, select Report Server File Share (Data-Driven).

2. Select the Always send this report, even if empty option as required.

3. Choose Recipients by rule.

4. Set the following parameters:

AD Property - From the drop-down list, select the property by which the recipients are identified:
- Display Name
- SAM Account Name

Equals - Enter the actual recipients in this field. Use a semicolon (;) to separate values.

File Name - Type the name of the file containing the report.

Add a file extension when the file is created - Select this option to determine the type of file in which the report is saved.

Add timestamp (date and time) to the file name - Select this option to add the date and time at which the report was generated to the file name.

Path - Click the Browse button to select the path on which the report resides. Within this path, a folder is created for each specified recipient. A copy of the report that contains only information relevant to that recipient is placed in the folder.

If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1:
For all subscriptions, two files are created:
- One small file in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription.
- A CSV file is created, containing the entire report output. The full file has a suffix of _full.

If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0:
- If the report results exceed the maximum number of rows (configured in the Management Console):
  - A small file is created in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription.
  - A CSV file is created, containing the entire report output. The full file has a suffix of _full.
- If the report results do not exceed the maximum number of rows, only a single file is created and saved to the share path, containing the complete report results. This file is in the specified render format.

Render Format - From the drop-down list, select the format in which the report is to be delivered. Options are:

Credentials used to access the file share - Enter the user name and password required to access the file share on which the report resides.

5. Click OK to close the subscription form, or click another tab to continue defining the subscription.

Sending Data-Driven Reports to File Shares for All Owners

Selecting All owners automatically sends subscriptions to all the owners defined in DatAdvantage. Owners receive only the relevant sections of the report, based on their managed objects.

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do not provide activity information to group owners or domain custodians option is selected on the DatAdvantage Security page of the Management Console.

To send a data-driven report to a file share for all owners:

1. From the Delivered by drop-down list, select Report Server File Share (Data-Driven).

2. Select the Always send this report, even if empty option as required.

3. Choose All owners.

4. Set the following parameters:

File Name - Type the name of the file containing the report.

Add a file extension when the file is created - Select this option to determine the type of file in which the report is saved.

Add timestamp (date and time) to the file name - Select this option to add the date and time at which the report was generated to the file name.

Path - Click the Browse button to select the path on which the report resides. Within this path, a folder is created for each specified recipient. A copy of the report that contains only information relevant to that recipient is placed in the folder.

If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1:
For all subscriptions, two files are created:
- One small file in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription.
- A CSV file is created, containing the entire report output. The full file has a suffix of _full.

If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0:
- If the report results exceed the maximum number of rows (configured in the Management Console):
  - A small file is created in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription.
  - A CSV file is created, containing the entire report output. The full file has a suffix of _full.
- If the report results do not exceed the maximum number of rows, only a single file is created and saved to the share path, containing the complete report results. This file is in the specified render format.

Render Format - From the drop-down list, select the format in which the report is to be delivered. Options are:

Credentials used to access the file share - Enter the user name and password required to access the file share on which the report resides.

5. Click OK to close the subscription form, or click another tab to continue defining the subscription.

Sending Data-Driven Reports to File Shares for Owners with Limited Visibility

Due to security constraints, some owners may not be allowed to view the entire file system. Owners with such limited visibility can only create file system subscriptions for their personal use. They can also send data-driven subscriptions to other owners.

Note: Data-driven subscriptions are not sent to group owners or domain custodians if the Do not provide activity information to group owners or domain custodians option is selected on the DatAdvantage Security page of the Management Console.

To create a data-driven report on a file share as a limited owner:

1. From the Delivered by drop-down list, select Report Server File Share (Data-Driven).

2. Select the Always send this report, even if empty option as required.

3. Set the following parameters:

File Name - Type the name of the file containing the report.

Add a file extension when the file is created - Select this option to determine the type of file in which the report is saved.

Add timestamp (date and time) to the file name - Select this option to add the date and time at which the report was generated to the file name.

Path - Click the Browse button to select the path on which the report resides. Within this path, a folder is created for each specified recipient. A copy of the report that contains only information relevant to that recipient is placed in the folder.

If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 1:
For all subscriptions, two files are created:
- One small file in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription.
- A CSV file is created, containing the entire report output. The full file has a suffix of _full.

If the ShouldAlwaysLimitReportServerExportOutputRows configuration key is set to 0:
- If the report results exceed the maximum number of rows (configured in the Management Console):
  - A small file is created in the specified render format, containing a 10-row random sampling of the report results. It is named as specified in the subscription.
  - A CSV file is created, containing the entire report output. The full file has a suffix of _full.
- If the report results do not exceed the maximum number of rows, only a single file is created and saved to the share path, containing the complete report results. This file is in the specified render format.

Render Format - From the drop-down list, select the format in which the report is to be delivered. Options are:

Credentials used to access the file share - Enter the user name and password required to access the file share on which the report resides.

4. Click OK to close the subscription form, or click another tab to continue defining the subscription.

Filter Configuration Tab

On the Filter Configuration tab, configure the filters you require for the report subscription. Note that you can set filters for Active Directory properties that have been defined in the system. For complete instructions on setting filters, see Advanced Searching.

Click OK to close the subscription form, or click another tab to continue defining the subscription.

Scheduler Tab

On the Scheduler tab, set the following parameters:

Time Interval - From the drop-down list, select the interval at which the report is to be sent. This selection determines the content of the following area.

Schedule - In this area, configure the frequency at which the report is sent.

Start Time - Use the arrows to select the time at which the report is sent.

Start Date - From the drop-down list, select the date on which delivery of the report is to begin.

Stop this schedule on - Select this option to set an ending date for delivery of the report.

End Date - From the drop-down list, select the date on which delivery of the report is to end.

Click OK to close the subscription form, or click another tab to continue defining the subscription.

Managing Your Subscriptions

The My Subscriptions pane provides the following information about your subscriptions:

Type - Indicates whether the subscription is regular or data-driven (that is, reflects the recipient's owned objects)
Name - The name you gave the subscription
Scheduler - The schedule by which the subscription is generated and delivered
Subscription Owner - The person who defined the subscription (for enterprise managers only, who can see all the subscriptions in the system)
Description - The free-text description of the subscription
Last Run - The time at which the subscription was last generated
Status - The status of the subscription's last run

To manage your report subscriptions:

1. In the Reports view, select the My Subscriptions pane. Your subscriptions are displayed in table form, one row per subscription (if you are an enterprise manager, the table displays all the subscriptions that have been defined in the system).

2. To add or edit a subscription:
a. Click Add or Edit, as required.
b. Define the subscription as necessary.

3. To remove a subscription, select its row and click Remove.

4. To view execution history, select the relevant row and click Execution History. For data-driven reports, this button enables viewing historical data per run time for the subscription, including an indication of whether each recipient read the report. The number of executions can be set per owner. Older executions are deleted from the history.


More information

Salesforce Enterprise Edition Upgrade Guide

Salesforce Enterprise Edition Upgrade Guide Salesforce Enterprise Edition Upgrade Guide Salesforce, Spring 16 @salesforcedocs Last updated: February 11, 2016 Copyright 2000 2016 salesforce.com, inc. All rights reserved. Salesforce is a registered

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Policy Manager in Compliance 360 Version 2018

Policy Manager in Compliance 360 Version 2018 Policy Manager in Compliance 360 Version 2018 Policy Manager Overview 3 Create a Policy 4 Relate a Policy to Other Policies, Departments, and Incidents 8 Edit a Policy 10 Edit a Policy by Using the Edit

More information

Netwrix Auditor. Intelligence Guide. Version: /30/2018

Netwrix Auditor. Intelligence Guide. Version: /30/2018 Netwrix Auditor Intelligence Guide Version: 9.7 11/30/2018 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment from Netwrix Corporation

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

Logi Ad Hoc Reporting System Administration Guide

Logi Ad Hoc Reporting System Administration Guide Logi Ad Hoc Reporting System Administration Guide Version 10.3 Last Updated: August 2012 Page 2 Table of Contents INTRODUCTION... 4 Target Audience... 4 Application Architecture... 5 Document Overview...

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.1.0 Table of Contents About this Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION

METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION METADATA FRAMEWORK 6.3 AND CYBERARK AIM INTEGRATION Publishing Information Software version 6.3.187 Document version 4 Publication date August 22, 2017 1 INTRODUCTION Integrating CyberArk Application Identity

More information

ELM Server Exchange Edition ArchiveWeb version 5.5

ELM Server Exchange Edition ArchiveWeb version 5.5 ELM Server Exchange Edition ArchiveWeb version 5.5 Copyright 2016 Lexmark. All rights reserved. Lexmark is a trademark of Lexmark International, Inc., registered in the U.S. and/or other countries. All

More information

Netwrix Auditor for Active Directory

Netwrix Auditor for Active Directory Netwrix Auditor for Active Directory Quick-Start Guide Version: 6.5 9/26/2014 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

GDPR Controls and Netwrix Auditor Mapping

GDPR Controls and Netwrix Auditor Mapping GDPR Controls and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About GDPR The General Data Protection Regulation (GDPR) is a legal act of the European Parliament and the Council (Regulation

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Knowledge Portal 2.6. Installation and Configuration Guide

Knowledge Portal 2.6. Installation and Configuration Guide Knowledge Portal 2.6 Installation and Configuration Guide 2012 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

Scenario Manager User Guide. Release September 2013

Scenario Manager User Guide. Release September 2013 Scenario Manager User Guide Release 6.2.1 September 2013 Scenario Manager User Guide Release 6.2.1 September 2013 Document Control Number: 9MN12-62110017 Document Number: SMUG-13-FCCM-0017-6.2.1-01 Oracle

More information

NETWRIX GROUP POLICY CHANGE REPORTER

NETWRIX GROUP POLICY CHANGE REPORTER NETWRIX GROUP POLICY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 November 2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3 Enterprise Vault.cloud CloudLink Google Account Synchronization Guide CloudLink 4.0.1 to 4.0.3 Enterprise Vault.cloud: CloudLink Google Account Synchronization Guide Last updated: 2018-06-08. Legal Notice

More information

Teamcenter Volume Management Guide. Publication Number PLM00104 I

Teamcenter Volume Management Guide. Publication Number PLM00104 I Teamcenter 10.1 Volume Management Guide Publication Number PLM00104 I Proprietary and restricted rights notice This software and related documentation are proprietary to Siemens Product Lifecycle Management

More information

CA GovernanceMinder. CA IdentityMinder Integration Guide

CA GovernanceMinder. CA IdentityMinder Integration Guide CA GovernanceMinder CA IdentityMinder Integration Guide 12.6.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Click "Continue", then select "Browse for fixes" and click "Continue" again.

Click Continue, then select Browse for fixes and click Continue again. Problem Overview ================ Product: IBM Security Guardium Release: 10.5 Fix ID#: Guardium v10.5 FAM for NAS Fix Completion Date: 2018-08-30 Filename: MD5Sum: FAMforNas-V10.6.0.88.zip c39180f260504f3b833c597f9a6ed77c

More information

IBM BigFix Compliance PCI Add-on Version 9.5. Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM

IBM BigFix Compliance PCI Add-on Version 9.5. Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM IBM BigFix Compliance PCI Add-on Version 9.5 Payment Card Industry Data Security Standard (PCI DSS) User's Guide IBM IBM BigFix Compliance PCI Add-on Version 9.5 Payment Card Industry Data Security Standard

More information

Veritas NetBackup for Enterprise Vault Agent Administrator's Guide

Veritas NetBackup for Enterprise Vault Agent Administrator's Guide Veritas NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 8.0 Veritas NetBackup for Enterprise Vault Agent Administrator's Guide Document version: 8.0 Legal Notice Copyright

More information

Oracle Financial Services Governance, Risk, and Compliance Workflow Manager User Guide. Release February 2016 E

Oracle Financial Services Governance, Risk, and Compliance Workflow Manager User Guide. Release February 2016 E Oracle Financial Services Governance, Risk, and Compliance Workflow Manager User Guide Release 8.0.2.0.0 February 2016 E65393-01 Oracle Financial Services Governance, Risk, and Compliance Workflow Manager

More information

PRISM - FHF The Fred Hollows Foundation

PRISM - FHF The Fred Hollows Foundation PRISM - FHF The Fred Hollows Foundation MY WORKSPACE USER MANUAL Version 1.2 TABLE OF CONTENTS INTRODUCTION... 4 OVERVIEW... 4 THE FHF-PRISM LOGIN SCREEN... 6 LOGGING INTO THE FHF-PRISM... 6 RECOVERING

More information

One Identity Active Roles 7.2. What's New Guide

One Identity Active Roles 7.2. What's New Guide One Identity Active Roles 7.2 What's New Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

CollabNet Desktop - Microsoft Windows Edition

CollabNet Desktop - Microsoft Windows Edition CollabNet Desktop - Microsoft Windows Edition User Guide 2009 CollabNet Inc. CollabNet Desktop - Microsoft Windows Edition TOC 3 Contents Legal fine print...7 CollabNet, Inc. Trademark and Logos...7 Chapter

More information

Prepared By Imanami Technical Communications Team

Prepared By Imanami Technical Communications Team User Manual Published By Imanami Corporation 2301 Armstrong St. Suite 211 Livermore, CA 94551, United States Copyright 2010 by Imanami Corporation. All rights reserved. No part of this document may be

More information

Time Series Studio 12.3

Time Series Studio 12.3 SAS Time Series Studio 12.3 Administrator s Guide SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2013. SAS Time Series Studio 12.3: Administrator's

More information

DocAve 6 Software Platform Service Pack 1

DocAve 6 Software Platform Service Pack 1 DocAve 6 Software Platform Service Pack 1 Release Notes For Microsoft SharePoint Release Date: September 25, 2012 1 New Features and Improvements General The new Plan Groups feature helps organize and

More information

Using the VMware vrealize Orchestrator Client

Using the VMware vrealize Orchestrator Client Using the VMware vrealize Orchestrator Client vrealize Orchestrator 7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Service Cloud Knowledge Advanced Implementation Guide Release 17D

Service Cloud Knowledge Advanced Implementation Guide Release 17D Oracle Service Cloud Knowledge Advanced Implementation Guide Release 17D Oracle Service Cloud Part Number: E89237-01 Copyright 2015, 2016, 2017, Oracle and/or its affiliates. All rights reserved Authors:

More information

ChangeAuditor 5.6. What s New

ChangeAuditor 5.6. What s New ChangeAuditor 5.6 What s New 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a

More information

NETWRIX ACTIVE DIRECTORY CHANGE REPORTER

NETWRIX ACTIVE DIRECTORY CHANGE REPORTER NETWRIX ACTIVE DIRECTORY CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 7.2 January 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

LepideAuditor for File Server. Installation and Configuration Guide

LepideAuditor for File Server. Installation and Configuration Guide LepideAuditor for File Server Installation and Configuration Guide Table of Contents 1. Introduction... 4 2. Requirements and Prerequisites... 4 2.1 Basic System Requirements... 4 2.2 Supported Servers

More information

HPE Project and Portfolio Management Center

HPE Project and Portfolio Management Center HPE Project and Portfolio Management Center Software Version: 9.41 Project Management User Guide Go to HELP CENTER ONLINE http://ppm-help.saas.hpe.com Document Release Date: March 2017 Software Release

More information

ER/Studio Enterprise Portal 1.1 User Guide

ER/Studio Enterprise Portal 1.1 User Guide ER/Studio Enterprise Portal 1.1 User Guide Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A. All rights

More information

Avaya Event Processor Release 2.2 Operations, Administration, and Maintenance Interface

Avaya Event Processor Release 2.2 Operations, Administration, and Maintenance Interface Avaya Event Processor Release 2.2 Operations, Administration, and Maintenance Interface Document ID: 13-603114 Release 2.2 July 2008 Issue No.1 2008 Avaya Inc. All Rights Reserved. Notice While reasonable

More information

EMC Isilon. Cisco UCS Director Support for EMC Isilon

EMC Isilon. Cisco UCS Director Support for EMC Isilon Cisco UCS Director Support for, page 1 Adding an Account, page 2 Storage Pool Tiers, page 3 Storage Node Pools, page 4 SMB Shares, page 5 Creating an NFS Export, page 7 Quotas, page 9 Configuring a space

More information