User Guide
Publishing Information
Software version: 5.9.70
Document version: 13
Publication date: May 31, 2013; updated July 23, 2014
Contents
1. Introduction ... 1
    Scope of This Guide ... 1
    Terminology ... 1
    Related Documentation ... 4
2. Basic Concepts ... 5
    Request Types ... 5
        About Data Access Requests ... 5
        About Group Membership Requests ... 6
        About Direct Permission Requests ... 7
    About Authorization ... 7
    About Entitlement Reviews ... 7
    About DataPrivilege Roles ... 8
    Multi-Domain Support ... 9
    Synchronization with Varonis DatAdvantage ... 10
    About Automatic Rules ... 11
        Automatic Rules for Folders ... 11
        Enforced Automatic Rules for Folders ... 15
        Automatic Rules for Groups ... 19
        Enforced Automatic Rules for Groups ... 22
    About Ethical Walls ... 24
        DataPrivilege and Ethical Walls ... 24
        Exceptions to Ethical Walls ... 25
        Ethical Walls Requiring Owner/Authorizer Approval ... 25
    Multi-Language Support ... 25
3. Getting Started ... 27
    Logging In ... 27
    Graphical User Interface ... 27
    Setting the Display Language ... 28
    DataPrivilege Icons ... 29
    Logging Out ... 31
4. Data Ownership ... 33
    About Data Owners ... 33
        Working with Data Owner Views ... 33
        Adding Managed Folders ... 34
        Creating New Subfolders ... 38
        Granting Users Permissions to Managed Folders ... 41
        Exporting Permissions on Managed Folders ... 46
        Adding Authorizers to Managed Folders ... 47
        Adding Owners to Managed Folders ... 51
        Adding Authorization Rules to Folders ... 52
        Adding Automatic Rules to Folders ... 54
        Viewing Event Logs and History ... 57
        Viewing Folder Statistics ... 58
        Synchronizing Managed Folders with the Database ... 59
        Using the Authorizer View ... 60
    About Data Authorizers ... 63
        Viewing Permissions on Managed Folders ... 63
        Removing Direct Permissions from Managed Folders ... 64
5. Group Ownership ... 65
    About Group Owners ... 65
        Working with Group Owner Views ... 65
        Using the Group Search Pane ... 66
        Adding Users to Groups ... 67
        Adding Authorizers to Managed Groups ... 70
        Adding Authorization Rules to Groups ... 74
        Adding Automatic Rules to Groups ... 76
        Viewing Permissions on Managed Groups ... 78
        Viewing Event Logs and History ... 79
        Viewing Group Statistics ... 80
        Synchronizing Managed Groups with Active Directory ... 81
        Using the Authorizer View ... 81
    About Group Authorizers ... 83
        Viewing Permissions on Managed Groups ... 83
6. Administration ... 85
    Managing Groups ... 85
        Working with Group-Related Views ... 86
        Using the Group Search Pane ... 86
        Adding Managed Groups and Owners at Once ... 87
        Editing Managed Groups ... 90
        Resetting Managed Groups ... 91
        Managing Group Locations ... 92
        Adding Owners to Existing Groups ... 98
        Adding Groups to Existing Owners ... 98
        Viewing Group Details ... 99
        Setting Groups to Bypass the Authorization Process ... 99
        Viewing Group Owner Details ... 100
        Removing Group Owners ... 101
        Adding Authorizers to Groups ... 101
        Synchronizing Managed Groups with Active Directory ... 103
    Managing Base Folders ... 103
        Working with Data-Related Views ... 104
        Adding Base Folder Locations ... 104
        Adding Base Folders ... 106
        Adding Base Folders to Data Owners ... 110
        Editing Base Folders ... 110
        Adding File Servers on the Fly ... 111
        Moving Base Folders ... 113
        Removing Base Folders ... 114
        About Adding Data Owners ... 114
        Viewing Data Owner Details ... 115
        Removing Data Owners from Base Folders ... 115
    Managing Entitlement Reviews ... 116
        Scheduling Entitlement Review Rules for Folder or Groups ... 116
        Setting Exceptions to the Entitlement Request ... 118
        Cancelling Pending Entitlement Review Requests ... 120
8. Authorization ... 143
    Approving or Declining Requests ... 143
        Approving or Declining Requests through the Pending Requests Menu ... 143
        Approving or Declining Requests through Email ... 145
    Viewing and Approving Authorization Summaries ... 145
    Approving Multiple Requests ... 147
    About Performing Entitlement Reviews ... 148
        Performing Entitlement Reviews on Folders ... 148
        Performing Entitlement Reviews on Groups ... 153
10. Reports ... 167
    Generating Reports in DataPrivilege ... 167
        Filtering Report Results ... 167
        Grouping Report Results ... 168
        Sorting Report Results ... 169
        Using Extended Attributes to Retrieve Report Results ... 170
    Scheduling and Subscribing to Reports ... 170
        Scheduling and Subscribing to Regular Reports ... 170
        Scheduling and Subscribing to Data-Driven Reports ... 174
    Viewing Defined Subscriptions ... 178
    Saving and Loading Report Criteria ... 178
Proprietary and Confidential of Varonis
1. Introduction
Varonis DataPrivilege provides automated, audited and managed
authorization flows that interface with any system-related IT operation in the
organization.
Terminology
ACL
Authorization rule
Authorizer
Authorizer 0
Automatic rule
Ethical Wall
Base folder
Base OU
Bypass group authorization
Location - ... as US or EU), divisional (such as ENG or ACC), or according to any other criteria.
Managed folder
Managed group
Management authorization
OU
Roles:
    Administrators
    Data Owners
    Data Authorizers
    Group Owners
    Group Authorizers
    Floor Support
    Users
    Webmasters
Share
Traverse permissions
Trusting Domain
Trusted Domain
Related Documentation
IDU Release Notes
IDU Suite Reports
DatAdvantage User Guide
DataPrivilege Bulk Upload Utility User Guide
2. Basic Concepts
DataPrivilege provides automated, audited and managed authorization
flows that interface with any system-related IT operation in the organization.
DataPrivilege enables users to request operations (such as granting access
privileges) directly from business authorizers, and designate individuals to
make requests on behalf of other users.
Above all, DataPrivilege provides a framework for IT processes by defining
authorization scenarios that delegate IT authorization from the IT department
to the business unit, thereby establishing the business unit's accountability
for its managed resources.
Request Types
DataPrivilege enables creation and authorization of the following types of
requests:
Group membership
About Authorization
DataPrivilege enables owners to establish key authorization roles to ensure
accountability for the information they are responsible for.
Administrators
Administrators are IT specialists. They are responsible for defining and
managing the definitions of the following:
Other administrators
Locations
Base folders
Configuring DataPrivilege
Data Owners
Data owners are managers who are responsible for managed folders. This
includes the following activities:
Group Owners
Group owners are managers who are responsible for managed groups. This
includes the following activities:
Authorizers
Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:
Profile Authorizers
Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:
Floor Support
Floor Support personnel can view all requests whose status is Pending.
Users
Regular users use DataPrivilege to:
Multi-Domain Support
DataPrivilege supports the configuration of multiple domains, so that users
from one domain (the trusted domain) can access services in another
domain (a trusting domain).
Domain trusts may be either unidirectional or bidirectional. Unidirectional
trusts allow access to resources only from the trusted domain to the trusting
domain, while bidirectional trusts allow access in both directions.
About Automatic Rules
The Active Directory properties of the user match the conditions defined
for the automatic rule.
The request is for granting the user access permissions to the folder.
Automatic rules can be defined that deny all access to a specific folder,
whether by group membership or direct permission.
The auto-approval feature can be disabled for automatic rules that are set
to be enforced automatically.
The Enforced Rules report lists all the actions (requests) carried out by
the automatic rules defined in the system, including rules that establish
ethical walls.
A user that would be affected by the wall meets the following conditions:
When the rule is flagged as "not automatically approved," all the requests
are created with a status of Pending.
Multi-Language Support
DataPrivilege enables you to select the language in which the user interface
is displayed. While the default language is the language selected upon
installation, you may choose any language that is available through the
Enterprise Installer.
Different users in an organization can view the user interface in different
languages simultaneously.
Available languages:
Czech
Dutch
English
French
German
Hebrew
Japanese
Russian
Swedish
3. Getting Started
Logging In
To log in to DataPrivilege:
1. Start Internet Explorer.
2. In the Address bar, enter the required URL. Alternatively, click the
DataPrivilege link on the enterprise portal.
The main DataPrivilege screen is displayed.
Menu buttons at the top of the screen. The content pages of the menu
buttons can be customized as necessary.
Left menu bar, which provides users access to the various panes of the
workspace. The left menu bar includes the following menus:
DataPrivilege Icons
The following icons are used in the DataPrivilege graphical user interface:
The entity was added to DataPrivilege.
The entity was added to DataPrivilege by an enforced automatic rule.
References existing shares.
The entity has been changed and requires synchronization.
An error has occurred in the synchronization between DataPrivilege and DatAdvantage.
DataPrivilege-DatAdvantage synchronization is pending.
The entity is recommended for removal by DatAdvantage.
The user's permissions have been edited.
The user has multiple inheritance, consisting of a group that was added from outside DataPrivilege and another group that has been recommended for removal.
An error has occurred.
File without access.
Folder is not managed.
Non-managed protected folder.
Non-managed unique folder.
Folder without access.
Protected folder.
Unique folder without access.
Managed group.
Non-managed group.
Enabled user.
Disabled user.
An error occurred during synchronization.
Request automatically approved.
Request cancelled.
Ethical wall.
Request is being executed.
Request to grant permission.
Request to revoke permission.
The request's status is Approved.
The request's status is Declined.
The request's status is Error or Expired.
The request is pending.
Information.
Operation cancelled.
Managed distribution group.
Unmanaged distribution group.
Undetected folder.
Profile.
Logging Out
There is no need to log out of DataPrivilege. Simply close the Internet
browser.
4. Data Ownership
Folder view
Authorizers view
To work with a data owner-related view:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Above the Search pane, click the link to switch to the required view.
If you select multiple folders, only the items common to the entire
selection are displayed.
2. Expand the entities in the Display Name column to the position at which
you want to create the managed folder.
3. Click Add Folder.
The Add Managed Folder wizard is displayed, on the Select Folders
page.
4. Click the Browse button to select the required folders. You may
also paste folder names in UNC format (that is,
\\ComputerName\SharedFolder\Resource).
5. Click Add.
The folders are added to the grid in the lower pane.
Note: If you selected a folder located in a file server that is not yet
defined in DataPrivilege, the File Servers Definition dialog box is
displayed. Define the file server as necessary.
The grid enables you to continue defining folders. There is one set of
definitions for each folder.
6. For each folder, define the following as relevant:
Display path - This column shows the folder's path. Select the
Allow direct permissions option if you want to enable creating direct
permission requests on the folder.
7. Click Next.
The Select Authorizers page is displayed.
8. In the Authorizers column, click Add and search for the required
authorizers. You may select more than one.
The authorizers are added.
9. Click Next.
Any local group belonging to the same domain as the file server whose
folder permissions are being set may be added to the folder.
Make Protected - If you select this option, the folder no longer inherits
permissions from its parent.
Copy Permissions - If you set the folder to Make Protected, select this
option to copy the parent folder's permissions to this folder.
Make Inherit - Select this option if you want the folder to inherit
permissions from its parent.
Note: These options are only visible if the ability to set protection and
inheritance is configured for owners and authorizers.
6. Click Next.
Your changes are saved and you are redirected to the operation
summary screen.
2. Expand the entities in the Display Name column to the position at which
you want to create the subfolder.
3. Click Create Folder.
The Create Folder page is displayed.
4. In the Folder Name text box, type the name of the new subfolder.
5. In the New Permissions area, select permissions to be assigned to the
new subfolder.
Note: The Make Traverse Permissions option enables users who have
permissions to the subfolder but not its parent folders to navigate through
the file system to the subfolder.
6. In the Advanced area, define the following:
In the Select Users area, type the required users, using the <domain
name>\<user name> format.
To search for and add the required users, click the Browse button.
9. Click Add.
The users are added to the Display Name area.
A user may be added to a local group only from domains trusted by the
domain in which the local group is defined (including its own domain).
A user may be added to a global group only from the same domain in
which the global group is defined.
The list of users is filtered according to these constraints. This means that
when users are added to global groups, only the users from the global
group's domain may be displayed.
When users are added to a local group only the users from the local group's
domain and trusted domains are shown.
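The filtering rule described above, as an added example that is not Varonis code: a small Python model of which directory users are eligible for a local or global group, given the group's domain and a map of domain trusts. The trust pairs, domain names and user accounts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str  # "local" or "global"


@dataclass(frozen=True)
class User:
    name: str
    domain: str


# Constructed trust map: each pair is (trusting domain, trusted domain).
# CORP trusts ENG unidirectionally, so ENG users may be added to CORP
# local groups but not the other way round; a bidirectional trust
# would be recorded as both (A, B) and (B, A).
TRUSTS = {("CORP", "ENG")}

# Constructed directory users (not real accounts).
USERS = [User("alice", "CORP"), User("bob", "ENG"), User("carol", "ACC")]


def trusted_domains(trusting: str, trusts) -> set:
    """Domains whose users `trusting` accepts, including its own domain."""
    return {trusting} | {trusted for t, trusted in trusts if t == trusting}


def eligible_users(group: Group, users, trusts) -> list:
    """Filter candidate users the way the Select Users list is filtered.

    Local group: users from the group's own domain and the domains it trusts.
    Global group: users from the group's own domain only.
    """
    if group.scope == "global":
        allowed = {group.domain}
    elif group.scope == "local":
        allowed = trusted_domains(group.domain, trusts)
    else:
        raise ValueError(f"unknown group scope: {group.scope!r}")
    return [u for u in users if u.domain in allowed]


def eligible_names(group: Group) -> list:
    """Convenience wrapper over the constructed data; returns account names."""
    return [u.name for u in eligible_users(group, USERS, TRUSTS)]
```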
Never
After - In the text box, select the number of days after which the
permission is to expire.
10. Click OK.
A direct permission request is created for the specified users and groups.
Never
After - In the text box, select the number of days after which the
permission is to expire.
4. In the right pane, select the ACL to which you want to add the user.
5. In the right pane, click Add Member. The Create Permission Request
dialog box is displayed.
Never
After - In the text box, select the number of days after which the
permission is to expire.
10. Click OK.
The selected users and groups are added to the group.
Depending on the configuration for this setting, one or both of the following
reports can be generated:
2. In the Managed Folders pane, click the name of the managed folder
whose permissions you want to export.
3. In the right pane of the main workspace, select the Permissions tab. The
ACLs currently defined for the selected managed folder are displayed.
5. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
6. Click Add.
The authorizers are added to the lower pane.
7. From the Authorizer Level dialog box, select the level of the new
authorizer. You may select any level you want for the authorizer.
8. Click OK twice to close the dialog boxes.
The new authorizer is displayed in the right pane.
3. From the popup menu, select Authorizers. The Add Authorizer dialog
box is displayed, listing the authorizers who are currently defined for the
managed folder.
4. Click Add.
The Authorizer Details dialog box is displayed.
5. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
6. Click Add.
The authorizers are added to the lower pane.
7. From the Authorizer Level dialog box, select the level of the new
authorizer. You may select any level you want for the authorizer.
8. Click OK twice to close the dialog boxes.
The new authorizer is displayed in the right pane.
4. Click Add.
The Users Search dialog box is displayed.
5. In the Select Users area, click the Browse button to locate the relevant
owners. You may select more than one.
6. Click Add.
The owners are added to the lower pane.
7. Click OK twice to close the dialog boxes. The new owner is displayed in
the right pane.
5. In the Rule Name field, type a name for the authorization rule to be
added.
6. Select or clear the Is Enabled checkbox to enable or disable the rule as
necessary.
7. In the Clauses area, define the expression the rule is to calculate.
a. Click Edit. The Rule Clauses dialog box is displayed.
b. From the drop-down boxes, select the required values to build the
clause.
4. In the right pane, click Add. The Automatic Rule Details dialog box is
displayed.
5. In the Rule Name field, type a name for the automatic rule to be added.
The name must be unique.
6. Select or clear the Is Enabled checkbox to enable or disable the rule as
necessary.
7. In the Clauses area, define the expression the rule is to calculate.
a. Click Edit. The Rule Clauses dialog box is displayed.
b. From the drop-down boxes, select the required values to build the
clause.
c. To add a clause, click Add Clause. An additional row is displayed.
d. To remove an extraneous clause, click Remove. The extraneous
clause is removed.
e. When the expression is complete, click OK.
8. In the Request Operation Type area, select the operations that the rule
can carry out if all its criteria are met. The rule is only enforced if all the
clauses and the selected operation type match. Options are:
Grant - Set the rule to only grant permissions, not to revoke them.
Grant & Revoke - Set the rule to both grant and revoke permissions as
necessary.
Revoke - Set the rule to only revoke permissions, not to grant them.
Revoke All - Set the rule to revoke all memberships, including nested
memberships. This creates an ethical wall.
Never
After - In the text box, select the number of days after which the
permission is to expire.
11. In the Authorization area, set the rule to automatically approve or decline
requests as necessary.
12. Select or clear the Enforce Rule checkbox as necessary, to run the rule
at a predefined interval on all the users in Active Directory who meet the
rule's criteria. This option is disabled under the following conditions:
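The evaluation these steps describe, as an added example that is not Varonis code: a Python model of an automatic rule with clauses over Active Directory properties, the Request Operation Type, an expiry period and the auto-approve flag (a rule not set to approve automatically leaves its requests Pending). The clause operators, the attribute names, the sample accounts and the enforcement semantics noted in the comments are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Request Operation Type -> operations the rule may carry out.
OPERATIONS = {
    "Grant": {"grant"},
    "Grant & Revoke": {"grant", "revoke"},
    "Revoke": {"revoke"},
    "Revoke All": {"revoke"},  # revokes every membership, nested included: an ethical wall
}

TODAY = date(2014, 7, 23)  # fixed "today" so results are reproducible


@dataclass(frozen=True)
class Clause:
    """One row of the Rule Clauses dialog: <AD attribute> <operator> <value>."""
    attribute: str
    operator: str  # assumed operator set: "equals", "begins with", "contains"
    value: str

    def matches(self, user: dict) -> bool:
        actual = str(user.get(self.attribute, ""))
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "begins with":
            return actual.startswith(self.value)
        if self.operator == "contains":
            return self.value in actual
        raise ValueError(f"unknown operator: {self.operator!r}")


@dataclass
class AutomaticRule:
    name: str
    folder: str
    clauses: list
    operation_type: str                      # a key of OPERATIONS
    auto_approve: bool                       # Authorization area setting
    enabled: bool = True                     # Is Enabled checkbox
    expire_after_days: Optional[int] = None  # None means Never

    def matches(self, user: dict) -> bool:
        # The rule applies only when all clauses match the user's AD properties.
        return all(c.matches(user) for c in self.clauses)


@dataclass(frozen=True)
class Request:
    user: str
    folder: str
    operation: str  # "grant" or "revoke"
    status: str     # "Approved" or "Pending"
    expires: Optional[date]


def _request(rule: AutomaticRule, user: dict, operation: str, today: date) -> Request:
    status = "Approved" if rule.auto_approve else "Pending"  # else it waits for an authorizer
    expires = None
    if operation == "grant" and rule.expire_after_days is not None:
        expires = today + timedelta(days=rule.expire_after_days)
    return Request(user["sAMAccountName"], rule.folder, operation, status, expires)


def evaluate_request(rule, user, operation, today=TODAY) -> Optional[Request]:
    """A user requests `operation` on the rule's folder. None means the rule
    does not apply and the request follows the normal owner/authorizer flow."""
    if not rule.enabled or operation not in OPERATIONS[rule.operation_type]:
        return None
    if not rule.matches(user):
        return None
    return _request(rule, user, operation, today)


def enforce_rule(rule, directory, has_access, today=TODAY) -> list:
    """Enforce Rule: sweep all AD users and create the requests the rule calls for.

    `has_access` holds account names that currently reach the folder, directly
    or through nested groups (a simplification of real ACL evaluation). Assumed
    semantics: grant-type rules grant to matching users; Revoke and Revoke All
    revoke from matching users; Grant & Revoke also revokes from users who no
    longer match."""
    if not rule.enabled:
        return []
    allowed = OPERATIONS[rule.operation_type]
    requests = []
    for user in directory:
        name, matched = user["sAMAccountName"], rule.matches(user)
        if matched and "grant" in allowed and name not in has_access:
            requests.append(_request(rule, user, "grant", today))
        revoke_target = (not matched) if "grant" in allowed else matched
        if "revoke" in allowed and revoke_target and name in has_access:
            requests.append(_request(rule, user, "revoke", today))
    return requests


# Constructed sample directory and rules (not real accounts or paths).
DIRECTORY = [
    {"sAMAccountName": "alice", "department": "Engineering", "company": "Acme"},
    {"sAMAccountName": "bob", "department": "Accounting", "company": "Acme"},
    {"sAMAccountName": "carol", "department": "Engineering", "company": "Contoso"},
]
ENG_GRANT = AutomaticRule("Engineering specs", r"\\fs01\eng\specs",
                          [Clause("department", "equals", "Engineering"),
                           Clause("company", "equals", "Acme")],
                          "Grant", auto_approve=True, expire_after_days=30)
ACC_WALL = AutomaticRule("Accounting wall on specs", r"\\fs01\eng\specs",
                         [Clause("department", "equals", "Accounting")],
                         "Revoke All", auto_approve=False)
```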
4. Click OK.
4. From the Data From drop-down list, select the source of the data.
Options are:
History of differences
All
5. To set a specific range of dates whose history you want to view, set the
following:
From - Set the starting date and time for the required time period.
To - Set the ending date and time for the required time period.
4. To set a specific range of dates whose statistics you want to view, set the
following:
From - Set the starting date and time for the required time period.
To - Set the ending date and time for the required time period.
5. From the Type drop-down list, select the type of statistics you want to
view for the folder. Options are:
Activity By Date - This chart displays the activity for a folder or file on
the specified day. Use it to identify overall usage patterns, as well as
days with unusual activity that require further investigation. Access to
the folder, its subfolders and files is differentiated by color.
6. Click Search.
The statistics are displayed.
7. From the Group By drop-down list, select the value by which you want to
group the statistics. Options are:
Daily
Weekly
Day of Week
Monthly
Quarterly
Yearly
Select Location - From the drop-down list, select the location of the
folder to be added.
Display path - This column shows the folder's path. Select the
Allow direct permissions option if you want to enable creating direct
permission requests on the folder.
9. Click OK.
The folders are added to the selected authorizers.
10. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
11. Click Add.
The authorizers are added to the lower pane.
12. Click Next.
13. When the summary is displayed, indicating success, click Finish.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. In the Folder Owner Authorizers pane, select one or more authorizers.
The folders under the responsibility of the selected authorizers are
displayed in the Managed Folders pane on the right. If you select more
than one authorizer, only the folders that are common to all the selected
authorizers are displayed.
5. Click the name of the managed folder to be removed from the
authorizer's responsibilities.
6. Click Remove.
The folders are removed.
Authorization Levels
With DataPrivilege, multiple levels of authorization can be defined to ensure
data and entity membership are protected. An authorizer can be assigned to
any authorization level, even if the preceding levels have not been defined.
5. Group Ownership
Groups view
Authorizers view
To work with a data owner-related view:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to switch to the required view.
If you select multiple groups, only the items common to the entire
selection are displayed.
3. From the drop-down list, select the required search operator. Options are:
Begins with
Ends with
Contains
That is
4. In the blank field, type the required value to find the relevant group.
If you set the filter to Begins With, type the first few letters of the group
you are searching for.
5. Click Search.
A list of groups matching the search criteria is returned.
Never
After - In the text box, select the number of days after which the
permission is to expire.
9. Click OK.
The users are added to the group (since the membership request was
created by the group owner, it is automatically approved).
Never
After - In the text box, select the number of days after which the
permission is to expire.
4. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
5. Click Add.
The authorizers are added to the lower pane.
6. From the Authorizer Level dialog box, select the level of the new
authorizer. You may select any level you want for the authorizer.
7. Click OK twice to close the dialog boxes.
The new authorizer is displayed in the right pane.
4. Click Add.
The Authorizer Details dialog box is displayed.
5. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
6. Click Add.
The authorizers are added to the lower pane.
7. From the Authorizer Level dialog box, select the level of the new
authorizer. You may select any level you want for the authorizer.
8. Click OK twice to close the dialog boxes.
The new authorizer is displayed in the right pane.
5. In the Rule Name field, type a name for the authorization rule to be
added.
6. Select or clear the Is Enabled checkbox to enable or disable the rule as
necessary.
7. In the Clauses area, define the expression the rule is to calculate.
a. Click Edit. The Rule Clauses dialog box is displayed.
b. From the drop-down boxes, select the required values to build the
clause.
c. To add a clause, click Add Clause. An additional row is displayed.
d. To remove an extraneous clause, click Remove. The extraneous
clause is removed.
e. When the expression is complete, click OK.
8. In the Authorizers area, click Add. The User Search dialog box is
displayed.
9. Search for the authorizers to be added.
2. Above the Search pane, click the link to select the Groups view.
3. Select the check box of the rule to be removed.
4. Click Remove.
The authorization rule is removed from the managed group.
4. In the right pane, click Add. The Automatic Rule Details dialog box is
displayed.
5. In the Rule Name field, type a name for the automatic rule to be added.
The name must be unique.
6. Select or clear the Is Enabled checkbox to enable or disable the rule as
necessary.
7. In the Clauses area, define the expression the rule is to calculate.
a. Click Edit. The Rule Clauses dialog box is displayed.
b. From the drop-down boxes, select the required values to build the
clause.
c. To add a clause, click Add Clause. An additional row is displayed.
d. To remove an extraneous clause, click Remove. The extraneous
clause is removed.
e. When the expression is complete, click OK.
8. In the Request Operation Type area, select the operations that the rule
can carry out if all its criteria are met. The rule is only enforced if all the
clauses and the selected operation type match. Options are:
Grant - Set the rule to only grant permissions, not to revoke them.
Grant & Revoke - Set the rule to both grant and revoke permissions as
necessary.
Revoke - Set the rule to only revoke permissions, not to grant them.
Revoke All - Set the rule to revoke all memberships, including nested
memberships. This creates an ethical wall.
9. In the Expiration Date area, set the date on which the permission is to
expire. Options are:
Never
After - In the text box, select the number of days after which the
permission is to expire.
10. In the Authorization area, set the rule to automatically approve or decline
requests as necessary.
11. Select or clear the Enforce Rule checkbox as necessary, to run the rule
at a predefined interval on all the users in Active Directory who meet the
rule's criteria. This option is disabled under the following conditions:
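To make the rule semantics concrete, here is an added Python model (illustration code, not DataPrivilege's own) of how a rule's clauses and Request Operation Type decide membership changes when the rule is enforced over a set of users. The User and Directory structures, the constructed users and groups, and the reading of Grant & Revoke as grant-on-match and revoke-when-no-longer-matching are assumptions; the AND across clauses, the four operation types, the Revoke All treatment of nested memberships and the After-N-days expiration follow the options described above.

```python
"""Added model of an automatic rule: clauses are ANDed, and the Request
Operation Type decides what happens to a matching user's membership.
Not DataPrivilege code; structures, sample data and the Grant & Revoke
reading (grant on match, revoke when no longer matching) are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class User:
    name: str
    attributes: Dict[str, str]      # constructed AD-style attributes


Clause = Callable[[User], bool]     # one row of the Rule Clauses dialog


@dataclass
class AutomaticRule:
    name: str
    group: str
    clauses: List[Clause]
    operation: str                  # Grant | Grant & Revoke | Revoke | Revoke All
    expire_after_days: Optional[int] = None   # None stands for "Never"
    is_enabled: bool = True

    def matches(self, user: User) -> bool:
        # The rule fires only when every clause holds (AND across clauses).
        return self.is_enabled and all(clause(user) for clause in self.clauses)


@dataclass
class Directory:
    members: Dict[str, Set[str]] = field(default_factory=dict)   # group -> direct members
    expirations: Dict[Tuple[str, str], date] = field(default_factory=dict)

    def groups_nested_in(self, group: str) -> Set[str]:
        """Groups that are, directly or transitively, members of `group`."""
        found, todo = set(), [group]
        while todo:
            for m in self.members.get(todo.pop(), set()):
                if m in self.members and m not in found:   # m is itself a group
                    found.add(m)
                    todo.append(m)
        return found


def enforce(rule: AutomaticRule, users: List[User], d: Directory,
            today: date = date(2014, 7, 23)) -> List[Tuple[str, str, str]]:
    """Apply the rule to every user, as Enforce Rule does on its schedule.
    Returns the (action, user, group) changes applied, in order."""
    actions: List[Tuple[str, str, str]] = []
    target = d.members.setdefault(rule.group, set())

    def grant(u: str) -> None:
        target.add(u)
        if rule.expire_after_days is not None:      # "After N days" expiration
            d.expirations[(u, rule.group)] = today + timedelta(days=rule.expire_after_days)
        actions.append(("grant", u, rule.group))

    def revoke(u: str, g: str) -> None:
        d.members[g].discard(u)
        d.expirations.pop((u, g), None)
        actions.append(("revoke", u, g))

    for user in users:
        hit, member = rule.matches(user), user.name in target
        if rule.operation == "Grant" and hit and not member:
            grant(user.name)
        elif rule.operation == "Revoke" and hit and member:
            revoke(user.name, rule.group)
        elif rule.operation == "Grant & Revoke":
            if hit and not member:
                grant(user.name)
            elif not hit and member:
                revoke(user.name, rule.group)
        elif rule.operation == "Revoke All" and hit:
            # Ethical wall: remove the user from the group and from every group
            # nested in it, so no membership path to the group remains.
            for g in [rule.group] + sorted(d.groups_nested_in(rule.group)):
                if user.name in d.members[g]:
                    revoke(user.name, g)
    return actions


def dept(name: str) -> Clause:
    return lambda u: u.attributes.get("department") == name


def sample_grant_revoke():
    """Constructed scenario: keep Finance-Share in step with the Finance department."""
    users = [User("alice", {"department": "Finance"}),
             User("bob", {"department": "Sales"}),       # moved out of Finance
             User("carol", {"department": "Finance"})]
    d = Directory(members={"Finance-Share": {"bob", "Finance-Leads"},
                           "Finance-Leads": {"carol"}})
    rule = AutomaticRule("finance-share", "Finance-Share", [dept("Finance")],
                         "Grant & Revoke", expire_after_days=90)
    return enforce(rule, users, d), d


def sample_ethical_wall():
    """Constructed scenario: Trading staff must hold no path into Research-Share."""
    users = [User("dave", {"department": "Trading"}),
             User("erin", {"department": "Trading"}),
             User("frank", {"department": "Research"})]
    d = Directory(members={"Research-Share": {"dave", "Research-Team"},
                           "Research-Team": {"erin", "frank"}})
    rule = AutomaticRule("wall", "Research-Share", [dept("Trading")], "Revoke All")
    return enforce(rule, users, d), d
```

In the first scenario the rule grants alice and carol, revokes bob, and records a 90-day expiration for each grant; in the second, dave loses his direct membership and erin her nested one through Research-Team, while frank is untouched.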
4. From the Data From drop-down list, select the source of the data.
Options are:
History of differences
All
5. To set a specific range of dates whose history you want to view, set the
following:
From - Set the starting date and time for the required time period.
To - Set the ending date and time for the required time period.
4. To set a specific range of dates for which you want to view statistics, set
the following:
From - Set the starting date and time for the required time period.
To - Set the ending date and time for the required time period.
5. From the Type drop-down list, select the type of statistics you want to
view for the group. Options are:
Activity By Date - This chart for users and groups displays the activity
for a given user or group per day. Use this chart to identify overall
usage patterns, as well as days with unusual activity that require
further investigation. Access to the folder, its subfolders and files is
differentiated by color.
6. Click Search.
7. From the Group By drop-down list, select the value by which you want to
group the statistics. Options are:
Daily
Weekly
Day of Week
Monthly
Quarterly
Yearly
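The Activity By Date chart, for folders (described earlier under Data Ownership) and for groups here, is a bucketed count of access events. The following added Python example (illustration code, not DataPrivilege's own) builds those buckets for each Group By option over constructed access events and flags the days with unusual activity that the chart is meant to surface; the event tuple format, the folder subtree filter and the mean plus two standard deviations threshold are assumptions.

```python
"""Added illustration of the Activity By Date statistics: constructed access
events are bucketed by the Group By options (Daily, Weekly, Day of Week,
Monthly, Quarterly, Yearly) and days with unusual activity are flagged.
Not DataPrivilege code; the event format and the threshold are assumptions."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

Event = Tuple[datetime, str, str]   # (timestamp, folder path, access type)


def bucket_key(ts: datetime, group_by: str) -> str:
    """Map a timestamp to the bucket used by the selected Group By option."""
    if group_by == "Daily":
        return ts.strftime("%Y-%m-%d")
    if group_by == "Weekly":
        year, week, _ = ts.isocalendar()          # ISO week, Monday to Sunday
        return f"{year}-W{week:02d}"
    if group_by == "Day of Week":
        return ts.strftime("%A")
    if group_by == "Monthly":
        return ts.strftime("%Y-%m")
    if group_by == "Quarterly":
        return f"{ts.year}-Q{(ts.month - 1) // 3 + 1}"
    if group_by == "Yearly":
        return str(ts.year)
    raise ValueError(f"unknown Group By option: {group_by}")


def in_folder(path: str, folder: str) -> bool:
    """True when path is the folder itself or lies anywhere beneath it."""
    folder = folder.rstrip("\\")
    return path == folder or path.startswith(folder + "\\")


def activity_by(events: List[Event], group_by: str,
                folder: Optional[str] = None) -> Dict[str, int]:
    """Event counts per bucket, restricted to a folder subtree when given."""
    counts: Counter = Counter()
    for ts, path, _access in events:
        if folder is None or in_folder(path, folder):
            counts[bucket_key(ts, group_by)] += 1
    return dict(sorted(counts.items()))


def unusual_days(events: List[Event], folder: Optional[str] = None,
                 sigmas: float = 2.0) -> List[str]:
    """Days whose count is more than `sigmas` standard deviations above the
    mean daily count: the days the chart would show as spikes."""
    daily = activity_by(events, "Daily", folder)
    values = list(daily.values())
    if len(values) < 2:
        return []
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return [day for day, n in daily.items() if n > mu + sigmas * sigma]


def build_sample_events() -> List[Event]:
    """Constructed May 2013 activity: 3 reads each weekday, one extra write
    on 8 May, and a burst of 40 reads on 17 May."""
    events: List[Event] = []
    start = datetime(2013, 5, 1, 9, 0)
    for offset in range(31):
        day = start + timedelta(days=offset)
        if day.weekday() >= 5:          # no weekend activity in the sample
            continue
        n = 40 if day.day == 17 else 3
        for i in range(n):
            events.append((day + timedelta(minutes=i), r"\\fs1\Finance\Reports", "read"))
    events.append((datetime(2013, 5, 8, 10, 0), r"\\fs1\Finance\Reports\Q1", "write"))
    return events
```

With the sample data, unusual_days returns only 2013-05-17; grouping the same events Weekly or by Day of Week shows how the spike is absorbed into its week (52 events in ISO week 20) or its weekday (52 on Fridays), which is why the Daily view is the one to use when hunting for a single anomalous day.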
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. Select the relevant authorizers.
The groups under the responsibility of the selected authorizers are
displayed.
Authorization Levels
With DataPrivilege, multiple levels of authorization can be defined to ensure
data and entity membership are protected. An authorizer can be assigned to
any authorization level, even if the preceding levels have not been defined.
6. Administration
Administrators are IT specialists. They are responsible for defining and
managing the definitions of the following:
Other administrators
Locations
Base folders
Configuring DataPrivilege
Note:
In addition, administrators may have access to the management screens
if the Allow administrators to view and edit management screens setting is
defined under Application Settings > General .
Managing Groups
Administrators may define and manage logical "locations" for groups, define
groups as managed, add group owners to groups, edit their definitions, and
remove them from their groups.
While user groups must exist in Active Directory, not all groups are managed
by DataPrivilege.
When you add a managed group to your system, the group is created in the
local domain. However, it may contain users from other domains as well as
the current domain.
When you add an existing group from outside DataPrivilege, it may be a
local group, a global group or a universal group.
DataPrivilege also supports the management of local users and groups.
Note: This feature is disabled by default and can be enabled when adding
a file server or defining credentials for file servers and root folders. For more
information, see Adding File Servers or Defining Credentials for File Servers
and Root Folders. If enabled, the local host on which the file server resides
becomes a monitored domain.
Groups view
Owners view
To work with a group-related view:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
If you select multiple groups, only the owners common to all the
selected groups are displayed.
Choose the Show Only Selected option to view only the selected
groups and their owners.
If you select multiple owners, only the groups common to all the
selected owners are displayed.
Choose the Selected Only option to view only the selected owners
and their groups.
Begins with
Ends with
Contains
That is
5. In the blank field, type the required value to find the relevant group.
If you set the filter to Begins With, type the first few letters of the group
you are searching for.
6. Click Search.
A list of groups matching the search criteria is returned.
3. From the Select Location drop-down box, select the location to which the
required groups belong.
4. In the Select Groups area, click the Browse button to locate the relevant
groups. You may select more than one.
5. Click Add.
The groups are added to the lower pane.
8. In the Select Owners area, click the Browse button to locate the relevant
owners. You may select more than one.
9. Click Add.
The owners are added to the lower pane.
2. In the Groups pane, select the relevant groups. You may select more
than one.
3. Click Edit Group.
Location - From the drop-down list, select the location to which all the
groups belong.
5. To remove groups from the list, select the checkboxes of the relevant
groups and click Remove.
6. Click OK.
2. In the Groups pane, select the relevant groups. You may select more
than one.
3. Click Reset Group.
A confirmation message is displayed.
4. Click OK.
Alias - Type a short name for the location, to be used in the default
naming convention for group names.
5. Click OK.
The location is added below the selected location. If no location is
selected, it is added under the root (the default).
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
3. Select the locations to be moved. You may select more than one.
4. Click Move.
The Move Location dialog box is displayed.
Move items to the following location - From the drop-down list, expand
the hierarchy to select a new position for the chosen items.
6. Click OK.
The selected locations are moved.
3. Select the locations to be removed. You may select more than one.
4. Click Remove.
The locations are removed.
2. If the group for which you want to define an owner is not listed, do one of
the following to search for the relevant group (if it is listed, skip to the next
step):
a. Use the Search pane.
b. Click Add in the Groups pane to access the Group Search dialog box.
Use this option to define the owner's authorization level.
3. In the Groups pane, select the name of the group for which you want
to define an owner. Alternatively, right-click the name of the group and
select Owners from the popup menu.
The group's existing owners are displayed in the Group Owners pane
(they are displayed in a new window if you used the popup menu).
4. In the Group Owners pane, click Add. The Add Groups and Owners
wizard is displayed.
5. Search for the user you want to add as an owner.
6. Click OK to close the dialog boxes. The new group owner is displayed in
the Group Owners pane.
2. In the Group Owners pane, select the owner to which you want to add
groups. You may select more than one. The groups belonging to the
selected owners are displayed in the right pane (if you selected multiple
owners, only the groups common to all are displayed).
3. In the Managed Groups pane, click Add. The Groups Search dialog box
is displayed.
4. Search for the relevant groups.
The groups are added to the Managed Groups pane.
3. Click OK.
Several groups are used to manage a folder, and one of the groups does
not have an owner. Unless the bypass option is set, users cannot request
permissions of the type this group represents.
Proprietary and Confidential of Varonis
4. Click OK.
2. If the group for which you want to define an owner is not listed, do one of
the following to search for the relevant group (if it is listed, skip to the next
step):
a. Use the Search pane.
b. Click Add in the Groups pane to access the Group Search dialog box.
Use this option to define the owner's authorization level.
3. In the Managed Groups pane, right-click the name of the group and
select Authorizers from the popup menu.
The group's existing authorizers are displayed in the Add Authorizer
dialog box.
4. Click Add.
The User Details dialog box is displayed.
Base folders are storage folders that are managed by one or more data
owners. Base folders contain managed folders.
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
If you select multiple base folders, only the owners common to all
the selected folders are displayed.
Choose the Selected Only option to view only the selected base
folders and their owners.
If you select multiple owners, only the base folders common to all
the selected owners are displayed.
Choose the Selected Only option to view only the selected owners
and their base folders.
Alias - Type a short name for the location, to be used in the default
naming convention for group names.
4. Click OK.
The new location is added below the selected location. If no location
is selected, it is added under the root (the default).
4. From the Select Location drop-down list, select the location in which you
want to create the folder.
5. To select the required folders:
a. Click the Browse button next to the Select Folders field. The Select
Base Folders dialog box is displayed.
b. At the top of the dialog box, select the type of search to be performed.
Options are:
Exact Path Search - Select to search the file system for folders
under the exact path appearing in the Search text box.
c. From the filter drop-down list, select the relevant search filter.
d. In the blank field, type (or paste) the path or file server specified by the
search filter.
e. Click Search.
f. Select the checkboxes of the folders to be added as base folders.
g. Click OK.
The base folder is added and the Select Base Folders dialog box is
closed.
6. In the Add Base Folder wizard, click Add.
The folders are added to the grid in the lower pane.
Note: If you selected a folder located in a file server that is not yet
defined in DataPrivilege, the File Servers Definition dialog box is
displayed. Define the file server as necessary.
The grid enables you to continue defining folders. There is one set of
definitions for each folder.
7. For each folder, define the following as relevant:
Display path - This column shows the folder's path. Select the
Allow direct permissions option if you want to enable creating direct
permission requests on the folder.
8. Click Next.
The Select Data Owners page is displayed.
9. In the Owners column, click Add and search for the required owners. You
may select more than one.
10. In the Authorizers column, click Add and search for the required
authorizers. You may select more than one.
The owners and authorizers are added.
11. Click Next.
12. When the summary is displayed, indicating success, click Finish.
Make Protected - If you select this option, the folder no longer inherits
permissions from its parent.
Copy Permissions - If you set the folder to Make Protected, select this
option to copy the parent folder's permissions to this folder. If you do
not select this option, then only the unique permissions remain on the
folder.
6. Click OK.
Select Location - From the drop-down list, select the location in which
you want to create the folder.
4. Click Add.
If you have selected a folder located on a file server that is not yet
defined in DataPrivilege, the File Servers Definition dialog box is
displayed.
User Name
Password
6. Click OK.
The file server is defined in DataPrivilege.
4. From the drop-down list, select the location to which you want to move
the base folder.
5. Click OK.
2. Select either the Folder Scheduling tab or the Group Scheduling tab as
necessary.
3. Click Add.
The Entitlement Review Details window is displayed.
For folders:
Folders
Owners
Domains
Locations
File Servers
For groups:
Groups
Owners
Domains
Locations
OUs
b. From the drop-down boxes, select the required values to build the
clause.
c. Click Add to add additional clauses to that filter type as necessary.
Clauses are added with an OR relationship.
7. On the Scheduling tab, define a schedule according to which the rule will
run and create entitlement review requests.
a. In the Schedule Details area, set the time interval at which the request
is to be sent.
b. In the Start and End Dates area, specify the date on which the
schedule is to begin, and optionally, to end.
c. Click Save.
8. To view the entities that will be returned by the rule, click Calculate.
The Calculation Results window is displayed.
3. In the Default Behavior area, set the default behavior for all objects in the
system. Options are:
Enable recommendations
Require review
b. To add a group to the exceptions list, click Add Group and search for
the required group.
c. To add a folder to the exceptions lists, click Add Folder and search
for the required folder.
d. Select the preferred number of rows to be displayed from the No. of
Rows drop-down list.
e. To export the list of exceptions to a CSV file, click Export and save
the file as required.
f. To import a saved list of exceptions from a CSV file, click Import and
select the required file. The file must have the following structure:
ObjectName,EnableRecommendations,RequireReview,EnableRequestsFromOtherOwners
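Because an exceptions file silently changes which objects get recommendations or mandatory review, it is worth checking before import. The following added Python example (illustration code, not DataPrivilege's own) validates a file against the column structure given above; only that header line comes from the guide, while the assumption that the file carries the header as its first row, the accepted spellings of the boolean flags, and the rule that an object may appear only once are assumptions.

```python
"""Added validator for an entitlement-review exceptions CSV. Not DataPrivilege
code: the column header comes from the guide; everything else (header row
present, true/false spellings, one row per object) is an assumption."""
import csv
import io
from typing import Dict, List, Tuple

EXPECTED_HEADER = ["ObjectName", "EnableRecommendations", "RequireReview",
                   "EnableRequestsFromOtherOwners"]
TRUE_WORDS, FALSE_WORDS = {"true", "1", "yes"}, {"false", "0", "no"}


def validate_exceptions_csv(text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse the CSV text. Returns (rows, errors): rows hold the object name and
    the three flags as booleans; errors describe every rejected line."""
    rows: List[Dict[str, object]] = []
    errors: List[str] = []
    seen = set()
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        errors.append("line 1: header must be exactly " + ",".join(EXPECTED_HEADER))
        return rows, errors
    for line_no, fields in enumerate(reader, start=2):
        if not fields or all(f.strip() == "" for f in fields):
            continue                                    # blank line
        if len(fields) != len(EXPECTED_HEADER):
            errors.append(f"line {line_no}: expected {len(EXPECTED_HEADER)} fields, "
                          f"got {len(fields)}")
            continue
        name = fields[0].strip()
        if not name:
            errors.append(f"line {line_no}: ObjectName is empty")
            continue
        if name.lower() in seen:                        # two rows would be ambiguous
            errors.append(f"line {line_no}: duplicate ObjectName {name!r}")
            continue
        row: Dict[str, object] = {"ObjectName": name}
        ok = True
        for column, raw in zip(EXPECTED_HEADER[1:], fields[1:]):
            word = raw.strip().lower()
            if word in TRUE_WORDS:
                row[column] = True
            elif word in FALSE_WORDS:
                row[column] = False
            else:
                errors.append(f"line {line_no}: {column} must be true/false, "
                              f"got {raw.strip()!r}")
                ok = False
        if ok:
            seen.add(name.lower())
            rows.append(row)
    return rows, errors


# Constructed sample: two valid rows, a bad flag, a short row and a duplicate.
SAMPLE = r"""ObjectName,EnableRecommendations,RequireReview,EnableRequestsFromOtherOwners
\\fs1\Finance\Reports,true,true,false
DOMAIN\Finance-Leads,false,true,true
DOMAIN\Sales-Team,maybe,true,false
\\fs1\HR,true,true
DOMAIN\Finance-Leads,true,true,true
"""

if __name__ == "__main__":
    good, bad = validate_exceptions_csv(SAMPLE)
    for r in good:
        print("ok  ", r)
    for e in bad:
        print("skip", e)
```

Run against SAMPLE, the validator accepts the first two rows and reports the three defective lines with their line numbers, so the file can be corrected before it is imported rather than discovering afterwards that an object was left out of the exceptions list.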
6. In the Reset External Change Indicators area, click the button to reset the
indication on objects that were added outside DataPrivilege.
Objects that are added as managed after the data is reset are marked
as Added outside DataPrivilege.
7. In the Signing Method area, select the type of signature each owner must
provide for the entitlement reviews he or she performs:
8. In the Default View Options area, select the following options as relevant:
Hide objects that cannot be changed - This option hides all rows that
cannot be changed (i.e., objects that are disabled) in the entitlement
review.
9. Click Save.
Note: You can also view and cancel pending entitlement review requests
by using the Simple or Advanced Search.
2.
3. Click OK.
The pending entitlement review request is cancelled.
7. Advanced Administration
Advanced administration of DataPrivilege includes the following tasks:
Configuring domains
5. From the User Roles area, select the role to which you want to add the
user or group. Options are:
System Administrator
Allow Assigning New User Roles - Check this box to allow the
System Administrator to assign new System Administrators or Floor
Support and new data and group owners. If this box is clear, then
the System Administrator will not have the ability to manage roles
and will not see the Advanced Administration > User Roles
pane.
Floor Support
6. Click OK.
2. Click the icon next to the name of the user whose role you want to edit.
3. Edit as necessary.
4. Click OK.
Creating custom masks and flags for permission types that are created
outside DataPrivilege
2. Click the name of the permission type, or click its information icon.
The Permission Type Details dialog box is displayed.
3. In the Permission Type Name field, edit the name of the permission type
as relevant.
4. In the Alias field, type a short name to be used for the permission type
when it is used in a new permission on a base or managed folder.
5. Select the following options as necessary:
6. Click OK.
Defining a mask
1. From the left menu bar, select Advanced Administration > Permission
Types to go to the Permission Types pane.
2. Click Add.
The Permission Type Details dialog box is displayed.
3. In the Permission Type Name field, edit the name of the permission type
as relevant.
4. In the Alias field, type a short name for the permission type when it is
used in a new permission on a base or managed folder.
5. Do one of the following to set the mask:
4. Type this value in the Mask value field of the Permission Type
dialog box.
8. Click OK.
The customized permission type is added to the Permission Types list.
2. Click Scan.
The Domain Synchronization dialog box is displayed.
Password
If this user has the same credentials as the Active Directory search
user, select the Same as searcher credentials checkbox.
4. Click OK.
The Domain Synchronization dialog box is displayed again.
Monitoring Domains
Administrators can select a subset of the trusted domains to be managed by
DataPrivilege.
Note: If required, unmonitored domains can be synchronized with
DatAdvantage. Set Synchronize unmonitored domains under Application
Settings > Domain .
To monitor domains:
1. From the left menu bar, select Advanced Administration > Domain
Configuration to go to the Domains pane.
2. In the Domains pane, locate the relevant domain.
3. Click its information icon.
The Domain Details dialog box is displayed.
4. Select the Is Monitored checkbox.
5. Click OK.
The domain is set to be monitored by DataPrivilege.
Disabling Domains
If a domain resides in the database but is not set to be monitored by
DataPrivilege, it is disabled. Disabled domains cannot be the target of
requests or any other operation.
To disable a domain:
1. From the left menu bar, select Advanced Administration > Domain
Configuration to go to the Domains pane.
2. In the Domains pane, locate the relevant domain.
3. Click its information icon.
The Domain Details dialog box is displayed.
4. Clear the Is Monitored checkbox.
5. Click OK.
This pane provides the following information for each file server:
Host Name - The name of the machine on which the file server
resides.
User Name - The name of the user having permissions on the file
server to search for folders and modify their permissions.
Domain Name - The name of the domain in which the file server
resides.
Commit Host - The name of the Commit engine defined for the file
server.
Note: For better performance, DataPrivilege enables the definition of
multiple Commit engines. See the IDU Suite Installation Guide.
2. In the Search box, enter all or part of the host name you want to search
for.
3. Click Search, or select the required host from the list of results.
2. Click Add.
The File Server Details dialog box is displayed.
Select Host Name - Click the Browse button to select the name of the
host on which the relevant file server resides.
User Name - Type the name of the relevant user account, in the
format domain\user name.
Commit Host - From the drop-down list, select the name of the commit
host you want to define for the file server.
4. Click OK.
3. Click the name of the file server or root folder, or click its information icon.
The File Server Details dialog box is displayed.
4. Define the following attributes for the file server or root folder:
User Name - Type the name of the relevant user account, in the
format domain\user name.
Commit Host - From the drop-down list, select the name of the commit
host you want to define for the file server.
5. Click OK.
The migration will delete any existing metadata on the target file server.
The source and target file servers must be within the same domain.
Folders that are defined in DataPrivilege on the source file server must
be defined on the target file server. Otherwise they will be marked as
deleted.
4. Click the name of the file server or root folder, or click its information icon.
5. Define the following attributes for the file server migration path:
In the To field, click the Browse button to select the host/folder name
to which you want to migrate the source file server.
From the drop-down list, select the name of the Commit Host you
want to define for the target file server.
Select the checkbox to confirm that the file servers have identical
schemes.
6. Click OK.
The file server table is updated with the name of the target file server.
8. Authorization
Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:
Note: If the Allow Requesting Direct Permissions option is not set for
the folder, this dialog box does not display the Membership to and Direct
options (see Adding Base Folders).
4. Set the expiration date of the requested permission as relevant:
Never
After - In the text box, select the number of days after which the
permission is to expire.
Approve
Decline
3. If the request is still pending, you may edit its expiration date. In the
Expiration Date area, set the relevant date. Options are:
Never
After - In the text box, select the number of days after which the
permission is to expire.
2. In the Requests waiting for my approval section, select the check boxes of
the requests you want to handle.
3. Click Approve/Decline.
The Pending Request Selection dialog box is displayed.
In Simple mode, this dialog box provides the following information about
the users and groups that are related to the folder:
User - Users and groups having a relation to the folder. (If any group
in this list is managed, it appears with an underline. Click the group
name to open a dialog box with an entitlement review request for that
group.)
3. To review only objects that have changed since your last review, select
this option at the top of the dialog box.
4. Review the details of each relation.
5. For each relation, select Keep or Remove. If you choose to remove the
relation, you must enter an explanation in the Explanation field.
6. In the Reason field, enter a reason for the entitlement review.
7. If you approve, sign the entitlement review according to the signature
method that is provided, and click Sign.
3. Click Advanced.
The Advanced dialog box is displayed.
View - The focus of the content displayed in the dialog box. Options
are:
User - The names of the users having a relation with the folder.
4. To review only objects that have changed since your last review, select
this option at the top of the dialog box.
Never
After - In the text box, select the number of days after which the
permission is to expire.
In Simple mode, this dialog box provides the following information about
the users and groups that are related to the group:
User - Users and groups having a relation to the group. (If any group
in this list is managed, it appears with an underline. Click the group
name to open a dialog box with an entitlement review request for that
group.)
3. To review only objects that have changed since your last review, select
this option at the top of the dialog box.
4. Review the details of each relation.
5. For each relation, select Keep or Remove. If you choose to remove the
relation, you must enter an explanation in the Explanation field.
6. In the Reason field, enter a reason for the entitlement review.
7. If you approve, sign the entitlement review according to the signature
method that is provided, and click Sign.
3. Click Advanced.
The Advanced dialog box is displayed.
View - The focus of the content displayed in the dialog box. Options
are:
User - The names of the users having a relation with the group.
First level relations - Select to view the users and groups having
a direct relation to the group (that is, without being a member of
a subgroup). In addition to the other fields described below, this
view displays the following information:
4. To review only objects that have changed since your last review, select
this option at the top of the dialog box.
5. Review the details of each relation.
6. For each relation, select Keep or Remove. If you choose to remove the
relation, you must enter an explanation in the Explanation field.
7. In the Reason field, enter a reason for the entitlement review.
8. If you approve, sign the entitlement review according to the signature
method that is provided, and click Sign.
Never
After - In the text box, select the number of days after which the
permission is to expire.
9. Requests and Floor Support
Activities
Regular users use DataPrivilege to:
Floor Support personnel can view all requests whose status is Pending.
Creating Requests
DataPrivilege enables creating the following types of requests:
2. In the Users area, make sure the request is being made for the correct
users. If it is not, click the Change Users button to select the required
users. The selected users are displayed in the Users area.
3. To locate the folders for which the request is being made:
a. In the Folders area, click the Browse button to select the folder for
which permission is being requested (you may select more than one).
The Select Folders dialog box is displayed.
b. Search for the required folder or type its name in the Folders field.
c. Click Add.
The folders are added and displayed in the Operations area.
4. To define the required permissions for the folders:
a. In the Operations area, select the operation required for each folder
from the Available Operations drop-down list.
Note: When only one user is selected, effective permissions are
calculated and only relevant options are displayed in the Available
Never
After - In the text box, select the number of days after which the
permission is to expire.
7. Click Finish.
The request is created and one of the following occurs:
If a request was made for multiple users, a list of users included in the
request is displayed. When a name is clicked, a summary for that user
is displayed.
3. In the Users field, make sure the request is being made for the correct
users and groups. If it is not, click the Change Users/Groups button to
select the required users and groups.
The selected users are displayed in the Users area. When one or more
of the users has a manager defined in the Active Directory, the relevant
users' managers are displayed.
c. Click Add.
The groups are added and displayed in the Operations area.
5. To define the required permissions for the groups:
a. In the Operations area, select the operation required for each group
from the Available Operations drop-down list.
Note: When only one user is selected, effective permissions are
calculated and only relevant options are displayed in the Available
Operations drop-down list. However, if multiple users are selected all
operations are displayed.
b. To remove a group from the request, select its checkbox and click
Remove.
Never
After - In the text box, select the number of days after which the
permission is to expire.
8. Click Finish.
The request is created and one of the following occurs:
If a request was made for multiple users, a list of users included in the
request is displayed. When a name is clicked, a summary for that user
is displayed.
2. To send an email to the user who made the request, or the user for whom
the request was made, click the user's name in the relevant column
(Requested By or Requested For).
3. Click the information icon for the relevant request.
The request's details are displayed.
4. If the request is still pending, you may edit its expiration date. In the
Expiration Date area, set the relevant date. Options are:
Never
After - In the text box, select the number of days after which the
permission is to expire.
10. Reports
DataPrivilege enables you to generate a number of reports, regarding
administration, permission requests, synchronization, entitlement, and more.
2. In the Report List pane, expand the tree to select the relevant report.
3. Configure and schedule the report as required.
4. Click Run.
The report is displayed in the Report View.
3. From the drop-down boxes, select the required values to build the search
condition.
a. From the AND/OR drop-down list, select the operator that defines the
relationship between the conditions.
b. To remove an extraneous condition, select the check box of the
relevant row and click Remove.
The extraneous condition is removed.
c. To clear the Filter pane, click Clear.
Note: The Filter Type list is dynamic and the available options
depend on the type of report you select.
4. To run the report, click Run.
3. From the drop-down list, select the required value to build the grouping
condition.
Note: The Group list is dynamic and the available options depend on the
type of report you select.
4. To remove an extraneous condition, select the checkbox of the relevant
row and click Remove.
The extraneous condition is removed.
5. To clear the filter area, click Clear.
6. To run the report, click Run.
3. From the first drop-down list, select the field by which you want to sort the
search results.
4. From the drop-down boxes, select the required values to build the sort
condition.
Note: In the Reports view, the Sort option is only available for certain
reports.
5. From the second drop-down list, select the sort order.
2. From the Available Attributes list, select the extended attributes you want
to use to retrieve report data.
Use the right and left arrow buttons to move attributes to and from the
Selected Attributes list.
Use the up and down arrows to change the order in which attributes
are displayed in the report.
Delivered by - From the drop-down list, select the entity to deliver the
report. Options are:
Reply To - Type the email address of the user sending the report.
Include report
Priority - From the drop-down list, select the relevant delivery priority.
Hour
Day
Week
Month
Once
Start and end dates - Click the calendars to select the starting and
ending dates for the schedule you defined (you are not required to set
an ending date).
9. Click OK.
The schedule and subscription are complete.
2. Define the filtering, grouping, sorting options and extended attributes for
the report.
3. Click Schedule.
The Report Subscription dialog box opens. The filtering, grouping and
sorting options that are already defined for the report are displayed in the
Subscr. Filters tab.
Send report, even if empty - By default, reports are only sent if they
actually contain data (that is, events actually occurred during the
defined timeframe). Select this checkbox to send reports even if they
do not contain data.
Select Owners/Authorizers - If you did not select the All owners option,
select the specific owners or authorizers to whom you want to send
the report subscription.
Include Report
Hour
Day
Week
Month
Once
Start and end dates - Click the calendars to select the starting and
ending dates for the schedule you defined (you are not required to set
an ending date).
9. Click OK.
11. Searching
The following subsections provide instructions for searching for users,
permission requests and authorizations, and folders.
Adding administrators
Making requests
Generating reports
3. From the Select Domain drop-down list, select the domain in which to
perform the search.
4. From the first drop-down list, select the first search filter.
Note: The options appearing in this filter can be configured by Varonis
System Engineers.
5. From the second drop-down list, select the second search filter. Options
are:
Begins with
Ends with
Contains
That is
6. In the blank field, type the value specified by the first two search filters.
If you set the first two filters to User Name and Begins With, type the first
few letters of the user you are searching for.
7. Click Search.
A list of users matching the search criteria is returned.
8. Select the checkbox of the user to be added to the activity you are
currently performing.
9. Click OK.
The user is added.
Making requests
Generating reports
Begins with
Ends with
Contains
That is
6. In the blank field, type the required value to find the relevant group.
If you set the filter to Begins With, type the first few letters of the group
you are searching for.
7. Click Search.
A list of groups matching the search criteria is returned.
8. Select the checkbox of the group to be added to the activity you are
currently performing.
9. Click OK.
The group is added.
1. In the Search pane for the relevant activity, click the browse button next
to the For Folder or By Folder field.
The Select Folder dialog box is displayed.
Request Type - From the drop-down list, select the type of request
for which you are searching. Options are:
All
Membership Requests
Permission Requests
Folder
Weekly
Monthly
Expired
4. Click Search.
The requests that meet the specified criteria are displayed in the
Standard Search pane.
5. To view the details of a specific request in the report, click the information
icon for the request.
The Request Details dialog box is displayed.
6. To export the report to a Microsoft Excel spreadsheet, click Export.
7. To print the report, click Print.
2. From the Select Domain drop-down list, select the domain in which to
search for the relevant file server.
3. From the first drop-down list, select the first search filter. Options are:
Begins with
Ends with
Contains
That is
4. In the blank field, type the value specified by the first search filter.
If you set the first filter to "Begins With", type the first few letters of the file
server you are searching for.
5. Click Search.
A list of file servers matching the search criteria is returned.
6. Expand the Folder Name tree to locate the relevant file server.
7. Click OK.
The file server is added.
2. In the Select one or more organizational units pane, click the Browse
button.
The Search Organizational Unit dialog box is displayed.
5. Select the check boxes of the OUs to be added to the location and click
OK.
6. In the main Search dialog box, click Add.
The OUs are added to the bottom pane.
7. Click OK.
Advanced Searching
DataPrivilege's advanced search capabilities enable you to specify a wide
range of search criteria. The available criteria change depending on the type
of search you want to perform.
To set advanced search criteria:
1. From the left menu bar, select Search.
The Search submenu is expanded.
2. From the submenu, select Adv. Search.
The Search Filter pane is displayed in the main workspace.
3. In the Search Filter pane, set one or more of the following criteria for the
request for which you are searching:
Request by - Click the relevant browse button and search for the user
or group who made the request. The relevant entity is displayed in the
Request By field.
Created for - Click the relevant browse button and search for the user
or group who made the request. The relevant entity is displayed in the
Request For field.
Request Type - From the drop-down list, select the type of request for
which you are searching. Options are:
All
Entitlement Review
Direct Permission
Permission
Folder
Membership
Request Operation Type - From the drop-down list, select the type of
operation for which you are searching. Options are:
All
Grant
Revoke
Approve
Create
Start Date - Click the calendar to select the date on which the
permission related to the request is to start.
End Date - Click the calendar to select the date on which the
permission related to the request is to expire.
4. Click Search.
All requests that match the defined search criteria are displayed in the
Advanced Search pane.
12.
Home
FAQ
Help
Contact Us
13. Configuration
This chapter provides instructions for configuring DataPrivilege to work with
Active Directory, and configuring general application settings.
User schema
Group schema
AD property type - From the drop-down list, select the property's type.
Options are:
String
Multi-value - If you select this option, use the bottom part of the
dialog box to define valid values.
Use AD property for - From the drop-down list, select the type of
object for which the property is relevant. Options are:
User
Group
4. Set the options that define the property's visibility and usage:
Define AD property value visibility - Select this option to select all the
visibility options
5. If you set the property's type to Multi-value, set its valid values as follows:
a. In the bottom part of the dialog box, click Add.
The Property Values Details dialog box is displayed.
Sort Order - Type the number representing the order in which the
value is to be sorted.
c. Click OK.
The valid value is displayed in the bottom pane of the dialog box.
2. In the Categories list, select the category of fields whose values you want
to edit.
The fields are displayed in the Fields pane, along with their currently
defined values. An asterisk (*) marks keys that require a restart of the
scheduler service after their values are changed.
3. Click the information icon for the field you want to edit.
The field's currently defined value is displayed in the Fields pane.
Description
Default Value
False
Field
Description
Default Value
By default, set
existing Active
Directory groups to
Bypass
False
Enable users to delete locations that have groups in them - By default, it
is not possible to delete a logical location that contains groups. Set this
option to True to enable deleting these locations.
Default location for
groups
Audit level
for nightly
synchronization
(according to
Revoke requests)
False
Determine whether
groups can
be searched
by domains or
locations
Both Domains
and Locations
True
On the
Administration >
Groups screen,
show unmanaged
groups by default
False
Synchronize group
owners with Active
Directory
False
False
Authentication
The following settings are available in the Authentication category:
Field
Description
Default Value
Use resource
users' identities
exactly as entered
for the domain's
impersonation user
True
Description
Default Value
Allow authorizers to
modify authorizer
list
False
Allow directory
owners to add
members to
permitted groups, or
remove them
True
Allow administrators
and owners to
create new folders
Both
True
* Allow top-level
authorizers to
approve entitlement
review requests
False
* Allow authorizers
to manage
permissions on
managed folders
False
True
Allow owners to
make a folder
protected or
inherited
False
Enable SYSADMIN
operations (add/
remove folders
and manage
permissions)
for owners and
authorizers
If set to False:
True
Allow adding a
group to a group
True
Next proposed
authorization level
for new authorizer
Max level
First level
None
None
Note: If selected, the Export Permissions option
on the main Permissions pane is not visible.
Number of
managed folders
displayed on a page
User-level permissions
Both
Show direct
permission request
buttons for folder
authorizers
True
Domains
The following settings are available in the Domains category:
Field
Description
Default Value
Determine how
locations are
matched to users
None
Active Directory
property that
determines the
relevant location
Display locations
according to
Requestee's
locations
Synchronize
unmonitored
domains
False
False
Entitlement Review
The following settings are available in the Entitlement Review category:
Field
Description
Default Value
Default view
Simple
False
Require
confirmation for
entitlement reviews
True
Enable switching
from Simple mode
to Advanced mode
on the request
screen
True
Exclude owners
from the list of
authorizers in
entitlement reviews
False
Entitlement review
signing option
User password
User password
Verify
Entitlement review
confirmation, up to
140 characters
I confirm that I
have reviewed
the objects listed
above, along with
their content.
False
Receive
recommendations
from IDU Analytics
True
Require entitlement
review for all
managed objects
True
Description
Default Value
Allow expanding
locations and
folders that do not
contain managed
subfolders
False
Allow users to
request direct
permissions
Default value
(IsBypasData) for
created groups
True
Remove unique
permissions when
a folder is set to
Inherited
True
Enable emulation of
direct permissions
on folders, to
groups which are
members in the
directly permitted
groups
False
groups will be emulated with direct permissions on folders (level 1 means
direct members of the directly permitted groups; groups at other levels
won't be emulated with direct permissions on folders)
Number of FileWalk
threads
Set naming
convention for
group names
By folder and
permission ID
Default Value
Local Group
dp
Remove folders
from DataPrivilege
that were not found
in the last nightly
synchronization
Automatically select
the Traverse option
on managed folders
True
Do not allow
Grant traverse
permissions to
folders up to the
share level
False
False
False
General
The following settings are available in the General category:
Field
Description
Default Value
Allow administrators
to view all requests
on the Summary
screen
True
* Allow locations
to be deleted even
if they have base
folders
False
View only
False
Default page
Home
Default search
expression
Begins with
Allow approving or
declining a request
without providing an
explanation
False
Expand or collapse
Advanced pane in
requests
Collapse
CSV
Default number of rows displayed on pages (0=ignore this setting) -
Determine the default number of rows displayed on pages containing
tabular information. To ignore this setting, set it to 0.
Show license
information only to
administrators
True
Maximum number
of lines returned by
the auto-complete
search
20
Number of
users allowed in
permission requests
10
Number of users
allowed in group
membership
requests
10
Height of the printed page in pixels (excluding printed reports) - Set the
height of the printed page, in pixels (excluding printed reports).
864
Active Directory
property used for
displaying images
Image
Display table
headers in tooltips
False
Disable Website
(this setting will take
effect 1 minute after
it is set)
False
Default number of
days from the start
date to the end date
in the date filter
used in searches
30
False
Default search
mode for users &
groups
Database
False
864
Mail
The following settings are available in the Mail category:
Field
Description
Default Value
Number of attempts
to send email
Distribution list
(semicolon-delimited) of
additional email
recipients for
DataPrivilege
messages
* Number of emails
that can be sent in
bulk
* SMTP password
Support recipient's
email address
* SMTP address
* SMTP port
25
False
*SMTP user
* "From" email
address for email
sent by Varonis
* "From" name
for email sent by
Varonis
* Account for
processed email
100
False
120 days
* Maximum number
of emails to process
at once
20
* Account password
for processed email
* Protocol for
processed email
* Server for
processed email
* Use SSL
encryption for email
False
False
POP3
Properties to Bind
The following settings are available in the Properties to Bind category:
Field
Description
Default Value
* Active Directory
property for display
name of users and
groups
cn
Active Directory
welcome property
cn
Select the AD
property from
which users' email
addresses are
retrieved.
Active Directory
property used for
displaying images
Image
Remote Services
The following settings are available in the Remote Services category:
Field
Description
Default Value
Reports
The following settings are available in the Reports category:
Field
Description
Default Value
Maximum visible
entities in bar chart
report
20
Default number
of days from the
start to end dates
displayed in the
Request Date filter
30
Number of rows
after which results
are exported to a
CSV file
1000000
False
Directory of CSV
reporting created
files
Description
Default
Value
Enable searching
by owner in the
membership
request wizard
False
Enable searching
by owner in the
permission request
wizard
False
Method of
determining when
a request expires.
Absolute = Use
request creation
ABSOLUTE
Include default
text in the Request
Reason area for
requests created
by the Enforce Rule
option
True
Enable
management
authorization
False
The ADProperties
column containing
the manager value
Manager
The ADProperties
column to which the
manager value is
compared
distinguishedName
Allow owner
to authorize
requests pending
to requestee's
manager
True
Description
Default Value
Directory statistics,
"Activity by Date"
- Maximum visible
records
500
Directory statistics, "Inactive Directories" - Maximum visible records
500
Directory statistics, "Least Active Users" - Maximum visible records - Set
the maximum number of visible records for Least Active Users statistics on
directories.
500
Directory statistics, "Subdirectory Statistics" - Maximum visible records
500
Group statistics,
"Activity by Date"
- Maximum visible
records
500
Group statistics, "Directory Utilization" - Maximum visible records
500
500
Themes
Page headers
Requests
Buttons
Navigational menus
Searches
Grids
Tabbed content
Dialog boxes
Selecting UI Themes
You can create a completely new look for your UI theme, or you can
customize the classic blue DataPrivilege theme as desired.
To select a UI theme:
Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. In the Theme area, select the type of theme you want to customize.
Options are:
3. Customize the various elements of the theme, using the links under
Categories.
Deploying UI Themes
To deploy a UI theme:
1. From the left menu bar, select Configuration > Appearance to go to
the Appearance pane.
Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. Hover the mouse cursor over the name of the theme and click the
Deploy link when it is displayed.
Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. To preview your customized theme, hover the mouse cursor over the
name of the theme and click the Preview link when it is displayed.
Cloning Themes
You can easily clone a theme you have customized and save it under a new
name.
To clone a theme:
1. From the left menu bar, select Configuration > Appearance to go to
the Appearance pane.
Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. Hover the mouse cursor over the name of the theme and click the Clone
link when it is displayed.
Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. Hover the mouse cursor over the name of the theme and click the X link
when it is displayed.
Headers
Note: The size of the logo image must be:
Height: 51 pixels
Requests
Buttons
Navigational menus
Search components
Grid
Tabbed content
Dialog boxes
Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. In the Header area, set the email header as required:
a. To select the required background color, click the colored square or
type its hexadecimal value in the field.
b. To set the alignment of content in the left pane, select the required
option from the Align drop-down list.
c. To set an image in the left pane:
i. Select the Image option.
ii. Click the Browse button to select the required image.
d. To set text in the left pane:
i. Select the Text option.
ii. Enter the required text in the field.
iii. Set its font, size and color as required.
e. To set the center and right panes, repeat the above steps.
3. In the Body area, set the email body as follows:
a. To select the required background color, click the colored square or
type its hexadecimal value in the field.
b. Set the font, size and color for the three types of text: regular,
emphasized and linked.
4. In the Footer area, set the email footer as follows:
a. To select the required background color, click the colored square or
type its hexadecimal value in the field.
b. In the Text field, type the boilerplate text to appear at the bottom of
emails, and set its font, size and color.
5. To preview your customization, click Preview.
6. To apply your customization, click Apply.
7. To cancel your customization, click Cancel.
8. To reset your customization, click Reset.
3. Under the type of notification you are configuring (request made, request
handled or request summary), set the following elements:
Send options - Select the roles that can receive email from
DataPrivilege regarding requests.
Text at top of message - Select the checkbox and click Edit to create
boilerplate text that appears in the header of the email.
Send reminder - Use the drop-down lists to set the frequency at which
reminders are sent to recipients.
Expiration time - Set the number of days after which the request will
expire if the recipients do not take any action.
Send options - Select the roles that can receive email from
DataPrivilege regarding entitlement reviews. Recipients receive only
one email regarding entitlement review requests, which provides a link
to the summary page.
Text at top of message - Select the checkbox and click Edit to create
boilerplate text that appears in the header of the email.
Send reminder - Use the drop-down lists to set the frequency at which
reminders are sent to recipients.
Expiration time - Set the number of days after which the request will
expire if the recipients do not take any action.
Text at top of message - Select the checkbox and click Edit to create
boilerplate text that appears in the header of the email.
Top boilerplate text - Select the checkbox and click Edit to create
boilerplate text that appears in the header of the email.
Bottom boilerplate text - Select the checkbox and click Edit to create
boilerplate text that appears in the footer of the email.
1. From the left menu bar, select Configuration > Customized Request
Fields to go to the Customized Request Fields pane.
The currently defined request fields are displayed on two tabs,
Permission Requests and Group Membership Requests.
2. Select the tab for the type of request for which you want to create a new
field.
3. To create a new custom field, click Add.
The Customized Request Field dialog box is displayed.
Field name - The name of the new field. The name can include up to
250 characters and must be unique.
Description - A description of the new field. You can drag the lower
right corner of the description box to enlarge it.
Field order - The order in which the field is displayed. The order of the
predefined fields cannot be changed; however, customized fields can
be displayed in between predefined fields.
Field is mandatory - Select the check box to make the field mandatory.
UI control - From the drop-down list, select the control object that will
represent the field. This choice determines the remaining properties to
be defined for the field. Options are:
Text box - Select to make the new field an editable text box,
suitable for character, numeric, and date/time data. Set the
following properties:
Text area - Select to make the new field a text area, which is
similar to a text box but with multiple lines. Set the following
properties:
5. Click OK.
The field is added to the relevant request type.
6. Click Preview to see the request type with all fields, both predefined and
customized.
Permission Mask   Translation          Hexadecimal Value
65536             Delete (special)     10000
131209            Read (special)       20089
190754            -                    2E922
262144            -                    40000
327680            -                    50000
524288            Take Ownership       80000
589824            -                    90000
655489            -                    A0081
786432            -                    C0000
851968            -                    D0000
983551            Deny                 F01FF
1048854           Write (special)      100116
1179785           Read (special)       120089
1179808           Execute (special)    1200A0
1179817           List                 1200A9
1179926           Write (special)      120116
1180063           -                    12019F
1180086           Add                  1201B6
1180095           Add + Read           1201BF
1186479           -                    121AAF
1245321           -                    130089
1245344           -                    1300A0
1245599           -                    13019F
1245631           Change               1301BF
1441929           -                    160089
1441961           -                    1600A9
1442070           -                    160116
1507775           -                    1701BF
1704073           -                    1A0089
1704096           -                    1A00A0
1704214           -                    1A0116
1769641           -                    1B00A9
1769750           -                    1B0116
1769887           -                    1B019F
1769910           -                    1B01B6
1769919           -                    1B01BF
1966217           -                    1E0089
1966240           -                    1E00A0
1966249           -                    1E00A9
1966358           -                    1E0116
1966495           -                    1E019F
1966518           -                    1E01B6
1966527           -                    1E01BF
2031753           -                    1F0089
2031785           -                    1F00A9
2032031           -                    1F019F
2032054           -                    1F01B6
2032063           All (special)        1F01BF
2032127           Full Control         1F01FF
20331776          -                    1363D00
268435456         Full Control         10000000
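The decimal and hexadecimal columns of the permission mask table are Windows access masks. The following Python is an added example, not DataPrivilege code: it decodes a mask into the standard Windows rights bits (the winnt.h ACCESS_MASK and file-specific right values, which are assumed here and are not part of the guide), labels the exact masks the table names, and flags masks that let the holder rewrite the ACL or take ownership, which is what a reviewer of an entitlement report most needs to know about an unlabelled "special" mask.

```python
# Added example, not DataPrivilege code: decodes the Windows access masks
# from the permission mask table. Bit names/values are the standard winnt.h
# ACCESS_MASK and file-specific rights; GUIDE_LABELS is taken from the table.

STANDARD_RIGHTS = {
    0x00000001: "FILE_READ_DATA / FILE_LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA / FILE_ADD_FILE",
    0x00000004: "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE / FILE_TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
KNOWN_BITS = 0
for _bit in STANDARD_RIGHTS:
    KNOWN_BITS |= _bit

# Exact masks and the translations the table above gives them.
GUIDE_LABELS = {
    0x1F01FF: "Full Control",
    0x10000000: "Full Control",
    0x1F01BF: "All (special)",
    0x1301BF: "Change",
    0x1201BF: "Add + Read",
    0x1201B6: "Add",
    0x1200A9: "List",
    0x1200A0: "Execute (special)",
    0x120089: "Read (special)",
    0x120116: "Write (special)",
    0x100116: "Write (special)",
    0x0F01FF: "Deny",
    0x080000: "Take Ownership",
    0x010000: "Delete (special)",
}

# Rights that let the holder change who else has access. A mask carrying any
# of these deserves a second look in an entitlement review, whatever its label.
ACL_CONTROL_BITS = 0x00040000 | 0x00080000 | 0x10000000  # WRITE_DAC, WRITE_OWNER, GENERIC_ALL


def decode_mask(mask):
    """Return (names of the standard rights set in mask, leftover unknown bits)."""
    names = [name for bit, name in STANDARD_RIGHTS.items() if mask & bit]
    return names, mask & ~KNOWN_BITS & 0xFFFFFFFF


def translate(mask):
    """Label a mask as the table does, or spell out its bits when it has no label."""
    if mask in GUIDE_LABELS:
        return GUIDE_LABELS[mask]
    names, leftover = decode_mask(mask)
    text = "special: " + (" | ".join(names) if names else "(no standard rights)")
    if leftover:
        text += " | unknown bits 0x%X" % leftover
    return text


def grants_acl_control(mask):
    """True when the mask lets its holder rewrite the ACL or take ownership."""
    return bool(mask & ACL_CONTROL_BITS)


def review_row(decimal_value):
    """Turn one value from the decimal 'Permission Mask' column into a review record."""
    mask = int(decimal_value)
    return {
        "mask_hex": "%X" % mask,
        "translation": translate(mask),
        "can_change_acl": grants_acl_control(mask),
    }


if __name__ == "__main__":
    # Values taken from the table: List, Change, the 'Deny' mask, and an
    # unlabelled mask with bits outside the standard file rights.
    for value in ("1179817", "1245631", "983551", "190754"):
        print(value, review_row(value))
```

Run against the table, the unlabelled rows come back as their constituent rights, and any row that carries WRITE_DAC or WRITE_OWNER is marked even when the guide shows no translation for it.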
Description
Approval Requests
Filters the results according to the number of approved requests (for folders and
groups).
Approved Date
Authorizer/Owner
Denied Requests
Filters the results according to the number of denied requests (for folders and
groups).
Domain Name
Enforcement
Entity Type
Explanation
Filters the results according to the specified explanation, which was added by an
owner or authorizer when a request was handled.
Group
Group/Direct User
Group Location
Filters the results according to the logical group locations defined in DataPrivilege.
Note: If no logical group locations have been defined, this filter cannot be used.
Managed Permissions
Filters the results according to folders that have permissions for the specified
managed group.
Management Status
Member (Group/User)
Operation Type
Filters the results according to the specified operation type, which can be one of
the following:
Grant
Revoke
Both
Revoke all
Owner
Path
Permission
Filters the results according to automatic rules that grant the specified
permissions.
Rec Date
Filters the results according to entities (folders and groups) that have changed in
the specified domain.
Request By
Request Date
Filters the results according to a specified period of time, during which the
requests were created.
Request For
Filters the results according to requests created for the specified user.
Request ID
Filters the results according to the requested operation type, which can be one of
the following:
Grant
Revoke
Approve
Create
Request Status
Request Type
Requested Folder
Filters the results according to requests created for the specified folder.
Requested Group
Filters the results according to requests created for the specified group.
Role/Role Type
Filters the results according to the specified role type, which can be one of the
following:
Group owner
Group authorizer
Folder owner
Folder authorizer
Rule Name
Rule Status
Filters the results according to the specified rule status, which can be one of the
following:
Enabled
Disabled
Sent To
Signed Date
Filters the results according to the specified period of time during which
entitlement reviews were signed.
Signed Notes
Filters the results according to the specified signed notes (reasons and
explanations).
Status
Pending
Complete
Error
DataPrivilege Filters
Filter Name
Description
Filters the results according to the status of an email, which can be one of the
following:
Status Type
Waiting to be processed
Processing error
Sent
Filters the results according to the specified status type of an automatic rule,
which can be one of the following:
Approve
Decline
Subject
Time Stamp
Total Requests
Filters the results according to the specified number of requests made for the
folder or group.
Unique/Protected
Filters the results according to whether or not the folder has unique or protected
permissions.
Unmanaged Permissions
Filters the results according to folders that have permissions for the specified
unmanaged user or group.
User/User Name