Periodic entitlement reviews are imperative to ensure that only the right people have access to the right data: unchecked access or infrequent permission reviews leave organizations at risk of data abuse, theft or misuse.
Follow the guide below to create data-centric entitlement reviews using Varonis DatAdvantage.
Browse to Category 04. File System Permissions (ACLs), then expand “Report Name b. User or Group Permissions for Directory.” Expand the Predefined subsection, then click on “01. User or Group Permissions for Directory.”
The default blank template is displayed on the right viewing panel. There are several predefined filters included.
The “Do not show NONE permissions” filter applies only to Exchange. It automatically drops explicitly denied users/groups (those assigned NONE permissions) on mailboxes from the report.
The “Simple mode” filter skips advanced report calculations, such as where a user inherits permissions from. Running in simple mode speeds up report generation but yields less information.
Check the box next to “Do not show NONE permissions” and “Simple mode,” then click the Remove Selected option at the top.
The “Only unique folders” filter returns folders that are not inheriting all permissions from the parent folder. This includes “protected” folders (i.e., inheritance is blocked) and folders that have additional entries added or removed from their access control list. Note that folders can be unique, but still have the same effective permissions as their parent folders.
Therefore, a preferred filter is “Distinguished unique.” This filter returns folders that meet the criteria for unique folders and whose effective permissions differ from their parent folder. It will NOT return folders that are protected or have ACL modifications unless the change alters who can access the folder. For example, it is possible to block inheritance on a folder and set the ACL to be identical to the parent’s. Such folders will not appear in the report when the distinguished unique filter is used.
Click the “Only unique folders” link to view the filter menu. Mouse over Access path to expand the menu, then click on the Distinguished unique item to select the filter.
Click the ellipsis button next to the blank “File server” box to bring up a browse menu. From the menu, place a check in the box next to the server(s) you want to include.
Excluding Admin group members, IT staff group members, backup accounts, and other system or service accounts keeps the report smaller and can save data owners’ time.
Click on the “Equals” link next to “User/Group,” then select “Not equals” from the list. Next, click the ellipsis button next to the blank “User/Group” box to bring up a search menu.
Use the search box to locate the groups to exclude. Once found, highlight the users or groups and click Add to move them to the list. Add all the users/groups to be excluded to the list before clicking OK.
Recommended users/groups for exclusion: Domain Admins, System, Creator Owner.
Click OK when the list is fully populated.
Multiple group elements, when selected, are placed into a logical grouping in the filter screen. To filter out all of the users/groups, click on the sub-group header “Any of (OR)” then click on the “All of” filter.
To perform an effective entitlement review, it is essential to include the members of each group that has permissions on the folder being reviewed.
To include group members, click on the top filter group, then click on “New Filter” to add a new element to the main list. Click on the new element link to expand the options menu. Mouse over the User/Group category, then click on Display group members.
Data owners sometimes need help to see which users may not need access. DatAdvantage builds a behavior profile of every user and understands how that user accesses data relative to other users who share the same level of access. From this matrix of differences, DatAdvantage generates recommendations that data owners can use when deciding who should keep access.
Click on “New Filter” to add a new element to the main list. Click on the new element link to expand the options menu. Click on Calculate recommendations and manual editing.
Click the down arrow next to the Calculate recommendations filter, then pick “On both folder types.”
Click on “New Filter” to add a new element to the main list. Click on the new element link to expand the options menu. Mouse over Access path to expand the list, then click on Access path.
Click the ellipsis button next to Access path to view the directory picker. Use the “+” sign next to the resources to expand the tree below. Highlight one or more folders for review then click the Add button to add them to the list. Click OK when finished to return to the main filter selection.
This report set is best for tactical use – to perform entitlement reviews on specific folders, on a limited scale or on an ad hoc basis. To transition to a data-driven model, modify the template by removing the server filter and the access path filter. When scheduling the report, the data-driven option will automatically add the correct information based on data owner assignments in the directory tree.
Sorting puts the results in a logical order but does not include or exclude information.
Click on the Sort option at the far right of the menu list.
There are several common methods to sort the data. The most popular is by user/group in ascending order, which lists all of the users alphabetically. A more advanced sort by “Inherited from Folders” uses the permission source as the criterion. This orders direct permissions at the top of the list (any users or groups applied directly to the ACL), followed by users inheriting access from groups. Sorting in this order makes it easy to determine which group is granting access to any particular user. Multiple sorting criteria can be used and are applied in top-down order.
Click the New Sorting button to the left. Click on the new link item to view the sorting menu. Click on “Inherited From Folders.”
Make sure the sorting is in ascending order. If it is not, click on the order link and select Ascending.
Optional – Sub-sort by user/group: click New Sorting. Click on the new item to display the menu, then click on User/Group.
Grouping report data promotes selected columns to a top level that logically separates the data. For an entitlement report on one or more folders, the logical grouping is by access path. This pulls out the path, if it differs from the parent folder, as a top-level item and displays the users/groups with access below it.
Click on the Columns tab along the top. Place a check in the “Grouped by” column next to Access path.
Click Run to generate the report.
The sample report output displays the Finance folder access path as the top-level resource. Below the path, the report items are first sorted by inheritance source, with the direct permissions at the top followed by all users who get access from a particular group listed together. The users are sub-sorted by account name in alphabetical order.
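To make the two ideas the report relies on concrete, here is an added Python model (written for this page, not Varonis code and not DatAdvantage’s algorithm) of the “Only unique folders” versus “Distinguished unique” distinction and of the “Inherited from Folders” ordering with group members expanded and Domain Admins excluded. The group names, folder paths and accounts are constructed sample data, and the ACL model is a deliberate simplification (allow entries only, no removed-entry tracking).

```python
# Constructed sample data (not from a real environment): group membership and a small
# folder tree; each folder maps to (parent, inheritance blocked?, explicit ACEs).
GROUPS = {
    "Finance-RW": {"alice", "bob"},
    "Finance-RO": {"carol"},
    "Domain Admins": {"admin1"},
}
FOLDERS = {
    r"\\fs1\Finance": (None, False, [("Finance-RW", "Modify"), ("Domain Admins", "Full")]),
    # extra entries added: unique AND distinguished unique
    r"\\fs1\Finance\Budgets": (r"\\fs1\Finance", False, [("Finance-RO", "Read"), ("dave", "Read")]),
    # inheritance blocked but ACL identical to the parent: unique, NOT distinguished unique
    r"\\fs1\Finance\Archive": (r"\\fs1\Finance", True,
                               [("Finance-RW", "Modify"), ("Domain Admins", "Full")]),
    # inherits everything unchanged: not unique at all
    r"\\fs1\Finance\Public": (r"\\fs1\Finance", False, []),
}

def effective_acl(path):
    """Explicit ACEs plus everything inherited from the parent, unless inheritance is blocked."""
    parent, blocked, aces = FOLDERS[path]
    acl = set(aces)
    if parent is not None and not blocked:
        acl |= effective_acl(parent)
    return acl

def is_unique(path):
    """'Only unique folders': inheritance blocked or ACL entries changed, whatever the effect."""
    parent, blocked, aces = FOLDERS[path]
    return parent is not None and (blocked or bool(aces))

def is_distinguished_unique(path):
    """'Distinguished unique': unique AND effective permissions differ from the parent's."""
    parent = FOLDERS[path][0]
    return is_unique(path) and effective_acl(path) != effective_acl(parent)

def entitlement_rows(path, exclude=("Domain Admins",)):
    """(user, permission, inherited-from group) rows: direct ACL entries first, then by group."""
    rows = []
    for principal, perm in effective_acl(path):
        if principal in exclude:
            continue  # admin/system accounts the guide recommends excluding
        if principal in GROUPS:
            rows.extend((member, perm, principal) for member in GROUPS[principal])
        else:
            rows.append((principal, perm, None))
    rows.sort(key=lambda r: (r[2] or "", r[0]))  # "" puts direct entries at the top
    return rows
```

Running `entitlement_rows(r"\\fs1\Finance\Budgets")` lists the directly assigned user first and then each group’s members together, which is the order the “Inherited From Folders” sort produces in the report.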