Veritas Data Insight User's Guide

Last Published:
Product(s): Data Insight (6.1.2)
  1. Section I. Introduction
    1. Introducing Veritas Data Insight
      1.  
        About Veritas Data Insight
      2.  
        About data custodian
      3.  
        About permissions
      4.  
        About SharePoint permissions
      5.  
        About Box permissions
      6.  
        About audit logs
      7.  
        About migrated domains
      8.  
        Applications for Symantec Data Loss Prevention
      9.  
        Content classification using Veritas Information Classifier
    2. Using the Veritas Data Insight Management Console
      1. About the Veritas Data Insight Management Console
        1.  
          Header
        2.  
          Tabs
        3.  
          Navigation pane
        4.  
          Content pane
      2.  
        Operation icons on the Management Console
      3.  
        Logging in to the Data Insight Management Console
      4.  
        Logging out of the Data Insight Management Console
      5.  
        Accessing online Help
  2. Section II. Data Insight Workspace
    1. Navigating the Workspace tab
      1.  
        About the Data Insight Workspace
      2.  
        Using the Workspace filters
      3.  
        Managing the Workspace
      4.  
        Searching the storage device hierarchy
      5.  
        Searching for users and user groups
    2. Analyzing data using the Workspace views
      1.  
        About information risk
      2.  
        Viewing summary of data sources
      3. Viewing shares summary
        1.  
          About control points
      4.  
        About the risk score for users
      5. About the Risk Dossier
        1.  
          Assessing risky users - an example scenario
      6.  
        Viewing user summary
      7.  
        Viewing details of Watchlist users
      8.  
        Viewing details of alert notifications
    3. Viewing access information for files and folders
      1.  
        About viewing file or folder summary
      2.  
        Viewing the overview of a data source
      3.  
        Managing data custodian for paths
      4.  
        Viewing the summary of user activity on a file or folder
      5. Viewing user activity on files or folders
        1.  
          Assigning an inferred data owner as custodian
        2.  
          Assigning an active user as custodian
        3.  
          Assigning a custodian from the Permissions tab
      6.  
        Viewing file and folder activity
      7.  
        Viewing CIFS permissions on folders
      8.  
        Viewing NFS permissions on folders
      9.  
        Viewing SharePoint permissions for folders
      10.  
        Viewing Box permissions on folders
      11.  
        Viewing audit logs for files and folders
      12. About visualizing collaboration on a share
        1.  
          Analyzing activity on collaborative shares
    4. Viewing access information for users and user groups
      1.  
        Viewing the overview of a user
      2.  
        Viewing the overview of a group
      3.  
        Managing custodian assignments for users
      4.  
        Viewing folder activity by users
      5.  
        Viewing CIFS permissions for users
      6.  
        Viewing CIFS permissions for user groups
      7.  
        Viewing NFS permissions for users and user groups
      8.  
        Viewing SharePoint permissions for users and user groups
      9.  
        Viewing Box permissions for users and user groups
      10.  
        Viewing audit logs for users
  3. Section III. Data Insight reports
    1. Using Data Insight reports
      1.  
        About Data Insight reports
      2.  
        How Data Insight reporting works
      3.  
        Creating a report
      4. About Data Insight security reports
        1.  
          Activity Details report
        2. Permissions reports
          1.  
            Inactive Users
          2.  
            Path Permissions
          3. Permissions Search report
            1.  
              Create Permissions Search report
          4.  
            About Permissions Query templates
          5. Creating a Permissions Query Template
            1.  
              Using the match-type criteria
          6.  
            Creating custom rules
          7. Permissions Query Template actions
            1.  
              Editing or deleting a Permissions Query Template
            2.  
              Copying a Permissions Query Template
            3.  
              About sharing a Permissions Query Template
          8.  
            Using Permissions Search report output to remediate permissions
          9.  
            Entitlement Review
          10.  
            User/Group Permissions
          11.  
            Group Change Impact Analysis
        3. Ownership Reports
          1.  
            Data Custodian Summary
          2.  
            Inferred Owner
          3.  
            Data Inventory Report
      5.  
        Create/Edit security report options
      6.  
        Data Insight limitations for Box permissions
      7. About Data Insight storage reports
        1.  
          Activity Summary reports
        2. Capacity reports
          1.  
            Filer Utilization
          2.  
            Filer Growth Trend
        3. Data Lifecycle reports
          1.  
            Inactive Data by File Group
          2.  
            Inactive Data by Owner
          3.  
            Data Aging
          4.  
            Inactive Folders
        4. Consumption Reports
          1.  
            Potential Duplicate Files
          2.  
            Consumption by Folders
          3.  
            Consumption by Department
          4.  
            Consumption by File Group
          5.  
            Consumption by Owner
          6.  
            Consumption by File Group and Owner
      8.  
        Create/Edit storage report options
      9. About Data Insight custom reports
        1.  
          About DQL query templates
        2.  
          Creating custom templates for DQL queries
        3.  
          Create/Edit DQL report options
      10.  
        Considerations for importing paths using a CSV file
    2. Managing reports
      1.  
        About managing Data Insight reports
      2. Viewing reports
        1.  
          About stale information in reports
      3.  
        Filtering a report
      4.  
        Editing a report
      5.  
        About sharing reports
      6.  
        Copying a report
      7.  
        Running a report
      8.  
        Viewing the progress of a report
      9.  
        Customizing a report output
      10.  
        Configuring a report to generate a truncated output
      11.  
        Sending a report by email
      12.  
        Automatically archiving reports
      13.  
        Canceling a report run
      14.  
        Deleting a report
      15.  
        Considerations for viewing reports
      16.  
        Organizing reports using labels
  4. Section IV. Remediation
    1. Configuring remediation workflows
      1.  
        About remediation workflows
      2.  
        Prerequisites for configuring remediation workflows
      3.  
        Configuring Self-Service Portal settings
      4.  
        About workflow templates
      5. Managing workflow templates
        1.  
          Create/Edit Entitlement Review workflow template
        2.  
          Create/Edit DLP Incident Remediation workflow template
        3.  
          Create/Edit Ownership Confirmation workflow template
        4.  
          Create/Edit Records Classification workflow template
      6. Creating a workflow using a template
        1. Create Entitlement Review workflow options
          1.  
            Customizing Entitlement Review report output
        2.  
          Create DLP Incident Remediation workflow options
        3.  
          Create Ownership Confirmation workflow options
        4.  
          Create Records Classification workflow options
      7. Managing workflows
        1.  
          Viewing details of submitted workflows
        2.  
          Extending the deadline of a workflow
        3.  
          Copying a workflow
        4.  
          Managing submitted workflows
        5.  
          Canceling or deleting a workflow
      8.  
        Auditing workflow paths
      9.  
        Monitoring the progress of a workflow
      10.  
        Remediating workflow paths
    2. Using the Self-Service Portal
      1. About the Self-Service Portal
        1.  
          About Entitlement Review
      2.  
        Logging in to the Self-Service Portal
      3.  
        Using the Self-Service Portal to review user entitlements
      4.  
        Using the Self-Service Portal to manage Data Loss Prevention (DLP) incidents
      5.  
        Using the Self-Service Portal to confirm ownership of resources
      6.  
        Using the Self-Service Portal to classify sensitive data
    3. Managing data
      1. About managing data using Enterprise Vault and custom scripts
        1.  
          About Retention categories
        2.  
          About post-processing actions
      2.  
        Managing data from the Shares list view
      3.  
        Managing inactive data from the Folder Activity tab
      4.  
        Managing inactive data by using a report
      5.  
        Archiving workflow paths using Enterprise Vault
      6.  
        Using custom scripts to manage data
      7.  
        Pushing classification tags while archiving files into Enterprise Vault
      8. About adding tags to files, folders, and shares
        1.  
          Using the metadata framework for classification and remediation
    4. Managing permissions
      1.  
        About permission visibility
      2.  
        About recommending permission changes
      3. About recommending permissions changes for inactive users
        1.  
          Reviewing permission recommendations
        2.  
          Analyzing permission recommendations and applying changes
      4.  
        Making permission changes directly from Workspace
      5.  
        Removing permissions for Entitlement Review workflow paths
  5. Appendix A. Command Line Reference
    1.  
      mxcustodian

Creating custom rules

Data Insight lets you create custom permission search rules which are a combination of multiple criteria that includes the type of permission, the scope of the report output, and attribute filters, as required. These custom rules can be saved to a Permissions Query Template along with the predefined rules.

You must create different rules to search for specific ACEs or ACLs that match or violate the rules that you define.

To create a custom rule

  1. On the Configuration tab, select Select Template > Manage Templates.
  2. On the Manage Templates pop-up, select Create Template.

    See Creating a Permissions Query Template.

  3. Enter a logical name for the template.
  4. From the drop-down, select whether you want to create a custom rule to search for ACLs or ACEs.
  5. Select the match type criteria for evaluating the rules.

    See Using the match-type criteria.

  6. Select Add Rule > Custom Rule.
  7. On the Custom Rule panel, you can select options from the high-level categories, Permissions and Trustee.
  8. You can use conditions based on the configured custom attributes to refine the selections that are made in the Trustee section. The available conditions depend on the configured custom attributes. For information about configuring custom attributes, see the Veritas Data Insight Administrator's Guide.
  9. Select Inheritance is broken if you want to search for paths with unique permissions. If you select this option, the report output displays only those paths or sites that do not inherit permissions from the parent.
  10. Select Share permissions are more restrictive than file system ACLs to display such paths where trustees are allowed permissions at the filer level but denied access at the share-level.
  11. Select an operator and specify a value for the Path Depth. This option can be used to search for paths where unique permissions are defined at a certain depth in the file system hierarchy.
  12. Select Duplicate ACEs to search for such ACLs that contain an ACE on the path that is inherited and an identical ACE that is explicitly defined.
  13. Click Save Rule to add the rule to the Permission Query Template.

Note:

The criteria that are selected in each section on the Custom Rule panel are combined to form a rule.

Permissions

Selections in the Permission section let you specify the CIFS and SharePoint permissions that you want to search. By default, you can select the most common CIFS permissions or the default SharePoint permission levels or select Advanced in the drop-down to select the meta access types for CIFS and SharePoint. If you select more than one Advanced permission, you can further use the Match All or Match Any criteria to decide whether Data Insight must search for all or any of the selected Advanced permissions.

Note:

Allow and Deny options are only applicable to search for CIFS permissions. For SharePoint paths, Data Insight considers Allow by default.

Table:  describes how these options can be combined to create a search rule.

Table:

If you want to...

Use this search criteria

Search for trustees who are allowed full control

Select the Allow check box, and Click CIFS Permissions or SharePoint Permissions, as the case may be.

Select Full in case of CIFS permissions and FullControl in case of SharePoint permissions..

Search for trustees denied the Modify type of permission on CIFS paths.

Select the Deny check box and select CIFS Permissions >Modify.

Search for trustees with allow Write type of permission on CIFS paths .

Select the Allow check box, from the drop-down, select CIFS Permissions > Advanced > Match All. This displays a list of all Windows Advance permissions. Select the Write Data check box.

Search for trustees with ManageLists type of permission for SharePoint paths.

From the drop-down, select Advanced, and click SharePoint Permissions. This displays a list of all SharePoint permissions associated with the default permission levels. Select the ManageLists check box.

Note:

Use the options in the Permissions section with the options in the Trustee section to further refine your search criteria.

Trustee

Selections in the Trustee section determine whether you want to display users, groups, unresolved SIDs, or any of these in the Permission Search report output.

Table:

If you want to...

Use this search criteria

Search permissions that are assigned to groups of type domain local, where the group name starts with xyz.

Trustee Type - From the drop-down, select Group. By default, the group tab is selected, and the options for defining the scope for Groups are displayed.

Scope - select Domain Local

Add a condition using the Select filter drop-down; select an attribute, operand, and a value for the attribute. For example, Name = xyz.

Search for trustee of type Universal, where the status of the group is deleted.

  • Trustee Typee - From the drop-down, select Group. By default, the group tab is selected, and the options for defining the scope for Groups are displayed.

  • Scope - select Universal

  • Status - Deleted

Search for all deleted Built-in Local users.

  • Trustee Type - From the drop-down, select User.

  • Scope - Local

  • Type - Built-in

  • Status - Deleted

Search for the Global groups whose direct user member is Joe.

  • Trustee Type - From the drop-down, select Group. By default, the Group tab is selected.

  • Scope - Global

  • Click the Member tab.

  • Member Type -User

  • Membership Type - Direct

  • Add a condition using the Select filter drop-down; select an attribute, operand, and a value for the attribute. For example, Log on Name contains Joe.

Note that the all selections on the Custom Rule page are optional. Data Insight uses the Any option, where available, as the default option when no selection is made.

Example custom rules

Table: Example scenarios and corresponding custom rules describes the various options that you must select to create custom rules for different scenarios.

Table: Example scenarios and corresponding custom rules

Scenario

Example custom rules

Search for individual users excluding users belonging to the department called Admin.

In the Trustee section, select User and add the condition, Department != Admin.

Search for use of permissions to global groups.

For this scenario, you must create a custom rule to search for global groups that have permissions on paths.

In the Trustee section, select Group > Global.

Permission best practice suggests that only local domain groups should be trustees and a global security group should inherit permissions from a local domain group.

Rule - Detect global groups with explicit permissions.

Rule - In the Trustee section, select Group > Global.

For this rule, the report output will list all Global groups that have explicit permissions assigned to them.

Search for a groups containing more than one direct member groups.

In the Trustee section, select Group.

In the attribute filter, add the following condition:

Direct group count > 1

Search for local domain groups with more than one global group. Ideally, every domain local group should not have more than one global group.

In the Trustee section, select Group and select the scope as Domain Local.

On the Member tab, select the following:

  • Member Type - Group

  • Membership Type - Any

  • Scope - Local Domain

Search for groups with direct user members of type local whose name contains Joe.

In the Trustee section, select Group and on the Member tab, select the following:

  • Member Type - User

  • Membership Type - Direct

  • Scope - Local

In the attribute filter, Logon name contains Joe.

Search for global groups that contain member groups. As a best practice, global groups should only contain users accounts as members.

In the Trustee section, select Group.

In the attribute filter, select Direct group count > 0.

See Creating a Permissions Query Template.