Veritas Data Insight User's Guide
Creating custom rules
Data Insight lets you create custom permission search rules, each of which combines multiple criteria, including the type of permission, the scope of the report output, and attribute filters, as required. These custom rules can be saved to a Permissions Query Template along with the predefined rules.
You must create different rules to search for specific ACEs or ACLs that match or violate the rules that you define.
To create a custom rule
- On the Configuration tab, select Select Template > Manage Templates.
- On the Manage Templates pop-up, select Create Template.
- Enter a logical name for the template.
- From the drop-down, select whether you want to create a custom rule to search for ACLs or ACEs.
- Select the match type criteria for evaluating the rules.
- Select Add Rule > Custom Rule.
- On the Custom Rule panel, you can select options from the high-level categories, Permissions and Trustee.
- You can use conditions based on the configured custom attributes to refine the selections that are made in the Trustee section. The available conditions depend on the configured custom attributes. For information about configuring custom attributes, see the Veritas Data Insight Administrator's Guide.
- Select Inheritance is broken if you want to search for paths with unique permissions. If you select this option, the report output displays only those paths or sites that do not inherit permissions from the parent.
- Select Share permissions are more restrictive than file system ACLs to display paths where trustees are allowed permissions at the filer level but denied access at the share level.
- Select an operator and specify a value for the Path Depth. This option can be used to search for paths where unique permissions are defined at a certain depth in the file system hierarchy.
- Select Duplicate ACEs to search for ACLs that contain an inherited ACE on the path and an identical ACE that is explicitly defined.
- Click Save Rule to add the rule to the Permission Query Template.
Note:
The criteria that are selected in each section on the Custom Rule panel are combined to form a rule.
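The following added example (not part of the Veritas guide and not Data Insight code) models how the Inheritance is broken, Path Depth, and Duplicate ACEs criteria could be evaluated and combined into one rule. The `Ace` fields, the rule dictionary keys, the AND combination, the depth convention, and the sample ACLs are all assumptions made for illustration.

```python
import operator
from dataclasses import dataclass

OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt}

@dataclass(frozen=True)
class Ace:
    trustee: str
    access: str      # "allow" or "deny"
    rights: str      # e.g. "Full Control", "Modify", "Read"
    inherited: bool  # True when the ACE comes from the parent

def inheritance_broken(acl):
    # Assumption: unique permissions means no ACE on the path is inherited.
    return not any(ace.inherited for ace in acl)

def duplicate_aces(acl):
    # Explicit ACEs that repeat an inherited ACE (same trustee, access, rights).
    inherited = {(a.trustee, a.access, a.rights) for a in acl if a.inherited}
    explicit = {(a.trustee, a.access, a.rights) for a in acl if not a.inherited}
    return sorted(inherited & explicit)

def path_depth(unc_path):
    # Assumption: depth counts folders below \\server\share (share root = 0).
    return max(len([p for p in unc_path.split("\\") if p]) - 2, 0)

def rule_matches(path, acl, rule):
    # Assumption: every criterion set on the rule must hold (logical AND).
    checks = []
    if rule.get("inheritance_broken"):
        checks.append(inheritance_broken(acl))
    if rule.get("duplicate_aces"):
        checks.append(bool(duplicate_aces(acl)))
    if "path_depth" in rule:
        op, value = rule["path_depth"]
        checks.append(OPS[op](path_depth(path), value))
    return all(checks)

def search(acls, rule):
    return sorted(p for p, acl in acls.items() if rule_matches(p, acl, rule))

# Constructed sample ACLs, not output from Data Insight.
G = "CORP\\DL_Finance_RW"
SAMPLE = {
    r"\\filer1\finance": [Ace(G, "allow", "Modify", False)],
    r"\\filer1\finance\payroll": [Ace(G, "allow", "Modify", True),
                                  Ace(G, "allow", "Modify", False)],
    r"\\filer1\finance\payroll\2023\bonus": [Ace("CORP\\jdoe", "allow", "Full Control", False)],
}
```

Calling `search(SAMPLE, {"inheritance_broken": True, "path_depth": (">", 2)})` returns only the deeply nested path with unique permissions, which is the kind of path the Path Depth option is meant to surface.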
Permissions
Selections in the Permission section let you specify the CIFS and SharePoint permissions that you want to search. By default, you can select the most common CIFS permissions or the default SharePoint permission levels or select in the drop-down to select the meta access types for CIFS and SharePoint. If you select more than one Advanced permission, you can further use the Match All or Match Any criteria to decide whether Data Insight must search for all or any of the selected permissions.
Note:
and options are only applicable to search for CIFS permissions. For SharePoint paths, Data Insight considers by default.
Table: describes how these options can be combined to create a search rule.
Table:
If you want to... | Use this search criteria |
---|---|
Search for trustees who are allowed full control | Select the check box, and click or , as the case may be. Select in case of CIFS permissions and in case of SharePoint permissions. |
Search for trustees denied the type of permission on CIFS paths. | Select the check box and select > . |
Search for trustees with allow Write type of permission on CIFS paths. | Select the check box, from the drop-down, select > > . This displays a list of all Windows Advanced permissions. Select the check box. |
Search for trustees with ManageLists type of permission for SharePoint paths. | From the drop-down, select , and click . This displays a list of all SharePoint permissions associated with the default permission levels. Select the check box. |
Note:
Use the options in the Permissions section with the options in the Trustee section to further refine your search criteria.
Trustee
Selections in the Trustee section determine whether you want to display users, groups, unresolved SIDs, or any of these in the Permission Search report output.
Table:
If you want to... | Use this search criteria |
---|---|
Search permissions that are assigned to groups of type domain local, where the group name starts with xyz. | Trustee Type - From the drop-down, select Group. By default, the group tab is selected, and the options for defining the scope for Groups are displayed. Scope - select Add a condition using the drop-down; select an attribute, operand, and a value for the attribute. For example, Name = xyz. |
Search for trustee of type Universal, where the status of the group is deleted. |
|
Search for all deleted Built-in Local users. |
|
Search for the Global groups whose direct user member is Joe. |
|
Note that all the selections on the Custom Rule page are optional. Data Insight uses the Any option, where available, as the default option when no selection is made.
Table: Example scenarios and corresponding custom rules describes the various options that you must select to create custom rules for different scenarios.
Table: Example scenarios and corresponding custom rules
Scenario | Example custom rules |
---|---|
Search for individual users excluding users belonging to the department called Admin. | In the Trustee section, select and add the condition, Department != Admin. |
Search for use of permissions to global groups. | For this scenario, you must create a custom rule to search for global groups that have permissions on paths. In the Trustee section, select > . |
Permission best practice suggests that only local domain groups should be trustees and a global security group should inherit permissions from a local domain group. Rule - Detect global groups with explicit permissions. | Rule - In the Trustee section, select > . For this rule, the report output will list all Global groups that have explicit permissions assigned to them. |
Search for groups containing more than one direct member group. | In the Trustee section, select . In the attribute filter, add the following condition: Direct group count > 1 |
Search for local domain groups with more than one global group. Ideally, no domain local group should have more than one global group. | In the Trustee section, select and select the scope as . On the Member tab, select the following:
|
Search for groups with direct user members of type local whose name contains Joe. | In the Trustee section, select and on the tab, select the following:
In the attribute filter, Logon name contains Joe. |
Search for global groups that contain member groups. As a best practice, global groups should only contain user accounts as members. | In the Trustee section, select . In the attribute filter, select Direct group count > 0. |
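The group-hygiene scenarios in the table above can be checked against a directory export in the same way. This is an added example, not Data Insight code: the group records, ACE tuples, function names, and the reading of "explicit" as a non-inherited ACE are assumptions, and all data is constructed.

```python
# Constructed directory and ACE data; names are illustrative only.
GROUPS = {
    "DL_Finance_RW": {"scope": "domain local", "groups": ["G_Finance", "G_Audit"], "users": []},
    "DL_HR_RO":      {"scope": "domain local", "groups": ["G_HR"], "users": []},
    "G_Finance":     {"scope": "global", "groups": [], "users": ["joe", "ann"]},
    "G_Audit":       {"scope": "global", "groups": ["G_Contractors"], "users": ["raj"]},
    "G_HR":          {"scope": "global", "groups": [], "users": ["mia"]},
    "G_Contractors": {"scope": "global", "groups": [], "users": ["lee"]},
}
ACES = [  # (path, trustee, inherited)
    (r"\\filer1\finance", "DL_Finance_RW", False),
    (r"\\filer1\finance\payroll", "G_Finance", False),
    (r"\\filer1\finance\payroll\2023", "G_Finance", True),
    (r"\\filer1\hr", "DL_HR_RO", False),
    (r"\\filer1\hr", "G_Audit", True),
]

def global_groups_with_explicit_permissions(aces, groups):
    # Global groups named directly in a non-inherited ACE, with the paths involved.
    hits = {}
    for path, trustee, inherited in aces:
        if not inherited and groups.get(trustee, {}).get("scope") == "global":
            hits.setdefault(trustee, []).append(path)
    return hits

def direct_group_count_over(groups, threshold, scope=None):
    # Attribute filter "Direct group count > threshold", optionally for one scope.
    return sorted(name for name, g in groups.items()
                  if len(g["groups"]) > threshold and scope in (None, g["scope"]))

def domain_local_with_multiple_globals(groups):
    # Domain local groups whose direct members include more than one global group.
    result = []
    for name, g in groups.items():
        globals_ = [m for m in g["groups"] if groups.get(m, {}).get("scope") == "global"]
        if g["scope"] == "domain local" and len(globals_) > 1:
            result.append(name)
    return sorted(result)
```

On this data, `G_Finance` is flagged for its explicit ACE on the payroll folder, while `G_Audit` is not, because its only ACE is inherited.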