Enterprise Recon 2.5.0
Data Access Management
PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.
This section covers the following:
- Overview
- Requirements
- Enable Data Access Management
- Disable Data Access Management
- View Access Status
- Manage and Control Data Access
Overview
Controlling access to sensitive and PII data is a key concept in many data protection regulations. After taking the first step of data discovery, identifying who has access to the data is necessary to understand the risk of exposure. For example, does everyone with permissions to view a file still require that access? Which files have open permissions (e.g. accessible by everyone in your organization)?
With the Data Access Management feature, users can easily:
- View and analyze the access permissions and ownership information for sensitive data locations, and
- Immediately take action to minimize risk by managing and controlling access to those locations from the Investigate page.
The Data Access Management feature is disabled by default for:
- New installations of ER2 with the Enterprise Recon PRO license, and
- Existing installations of ER2 when upgrading from Enterprise Recon PCI or Enterprise Recon PII to an Enterprise Recon PRO license.
See Requirements and Enable Data Access Management for more information.
Requirements
Requirements | Description |
---|---|
License | Enterprise Recon PRO license. |
Master Server | Version 2.2 and above. |
Agents | Version 2.2 and above. |
File Systems | ER2 will retrieve access permissions and ownership information for match locations in Windows NTFS, Linux / Unix and macOS file systems. |
Scan Modes | Data Access Management is supported for match locations that were scanned as: |
User Permissions | Required permissions: Enable Data Access Management; View match location permission details; Manage permissions for the match location. A Global Admin user has administrative privileges to access and configure all ER2 resources and is therefore not included in this list. |
Active Directory | Active Directory (AD) must be set up and enabled in ER2 to: You can manage access permissions for AD groups or users by manually adding AD accounts using the <domain>\<groupname_or_username> format. |
Enable Data Access Management
When the Data Access Management feature is enabled, ER2 retrieves access permissions and ownership information in scans for supported Target locations. Users can then navigate to the Investigate page to analyze these access details and take the appropriate access control action to secure access to these locations.
Users with Global Admin and System Manager permissions can enable the Data Access Management feature in the Settings > Remediation > PRO Settings page.
To enable Data Access Management:
- Log in to the ER2 Web Console.
- On the Settings > Remediation > PRO Settings page, go to the Data Access Management section.
- Set the toggle button to On.
Disable Data Access Management
Users with Global Admin and System Manager permissions can disable the Data Access Management feature in the Settings > Remediation > PRO Settings page.
Disabling the Data Access Management feature will result in the following:
- Access permissions information of all current match locations will not be viewable.
- Access permissions information will not be retrieved for match locations if the feature is disabled prior to the start of the scan.
- Access Control Actions will be unavailable.
To disable Data Access Management:
- Log in to the ER2 Web Console.
- On the Settings > Remediation > PRO Settings page, go to the Data Access Management section.
- Set the toggle button to Off.
View Access Status
In the Investigate results grid, the Access column displays the number of unique users that have any level of access permissions to the match location. If one or more groups have access permissions for the location, their unique members are counted toward the total Access count.
To view updated Access count information, wait for the periodic update of AD account information and rerun a scan on the impacted match location(s).
There are two scenarios where "Everyone" is displayed in the Access column instead of the unique user count:
- Windows - This applies if the built-in group Everyone has access permissions to the match location.
- Unix and macOS - This applies for match locations that have a non-zero value for the Others permission set.
If ownership or access permissions for a match location has been modified using ER2, a notification icon will be displayed in the Owner or Access column accordingly. The status of the last access control action performed for a match location will be reflected in the Access Control column.
Example
"File-B.zip" is a match location that the following groups and users have permissions to:
File-B.zip
+-- Group-1
|   +-- Administrator
|   +-- User-1
|   +-- Group-3
|       +-- User-3
|       +-- User-4
+-- Group-2
|   +-- Administrator
|   +-- User-1
|   +-- User-2
+-- User-1
The Access column will indicate "3" for "File-B.zip" as there are three unique users who have access to the match location:
- Administrator
- User-1
- User-2
"User-3" and "User-4" are not included in the total Access count as they belong to "Group-3", which is a nested group and child member of "Group-1".
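The Access count rules described above (unique users, direct group members only, and the two "Everyone" cases for the Windows built-in group Everyone and a non-zero Unix/macOS Others set), worked through as an added Python example; this is not ER2 code or part of the Ground Labs documentation, and the Group/Location data model is an assumed simplification of the permission data ER2 retrieves.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    users: set                                   # direct user members
    groups: list = field(default_factory=list)   # nested child groups

@dataclass
class Location:
    path: str
    fs: str                                      # "ntfs", "unix" or "macos"
    users: set = field(default_factory=set)      # users granted access directly
    groups: list = field(default_factory=list)   # groups granted access
    others_bits: int = 0                         # Unix/macOS 'Others' rwx bits (0-7)

def access_count(loc):
    """Return the value the Access column shows: an int or "Everyone".

    Rules as documented: the Windows built-in group Everyone, or a non-zero
    Unix/macOS 'Others' permission set, yields "Everyone". Otherwise count the
    unique users granted access directly or as direct members of a group with
    access; members of nested child groups are not counted.
    """
    if loc.fs == "ntfs" and any(g.name == "Everyone" for g in loc.groups):
        return "Everyone"
    if loc.fs in ("unix", "macos") and loc.others_bits != 0:
        return "Everyone"
    seen = set(loc.users)
    for g in loc.groups:
        seen |= g.users          # direct members only; g.groups is not walked
    return len(seen)

# Constructed sample reproducing the File-B.zip example above.
GROUP_3 = Group("Group-3", {"User-3", "User-4"})
GROUP_1 = Group("Group-1", {"Administrator", "User-1"}, [GROUP_3])
GROUP_2 = Group("Group-2", {"Administrator", "User-1", "User-2"})
FILE_B = Location("File-B.zip", "ntfs", {"User-1"}, [GROUP_1, GROUP_2])

# Constructed samples for the two "Everyone" cases (paths are hypothetical).
OPEN_NTFS = Location(r"C:\Share\report.xlsx", "ntfs", set(), [Group("Everyone", set())])
WORLD_READABLE = Location("/srv/export.csv", "unix", {"root"}, others_bits=0o4)

if __name__ == "__main__":
    for loc in (FILE_B, OPEN_NTFS, WORLD_READABLE):
        print(f"{loc.path}: Access = {access_count(loc)}")   # 3, Everyone, Everyone
```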
View Access Permissions Details
To view the list of groups, users, or user classes that have any level of access permissions for a match location:
- Log in to the ER2 Web Console.
- Go to the Investigate page.
- Click on the match location to bring up the Access panel.
The Access panel displays information about the owner, groups, users or user classes (e.g. Owner, Group, Others) that have access to the match location, and the permissions associated with each group, user, or user class.
If a group or user with access permissions to a location is deleted from the Target system, the Access panel displays the ID instead of the group or user name.
Manage and Control Data Access
There are several types of access control actions that can be taken on a match location, such as modifying file ownership properties, revoking access permissions for specific users or groups, and granting access to new users, groups, or user classes.
Manage File Owner
To modify the file owner property for a match location:
- Go to the Investigate page.
- Select the match location(s) that you want to manage access permissions for.
- Click the Control Access button to bring up the Reassign Permissions dialog box.
- Click on Change next to the File Owner label to change the file ownership for the location.
- Select a new file owner from the list of domain or local user accounts. Alternatively, enter a new user account in the input text field and click Add:
  - New domain account: <domain>\<username>
  - New local account: <username>
- Enter a name in the Please sign-off to confirm reassign field.
- Enter a reason in the Reason field.
- Click Reassign.
- (Optional) To reset all changes made to file permissions, click Cancel to cancel the operation.
For Windows locations, using the Change option changes the "Owner" attribute of the file or folder to a new user, but does not automatically remove the existing access permissions (e.g. Execute, Read, Write) for the previous owner.
Manage Permissions for Groups, Users, and User Classes
To manage the access permissions for a match location:
- Go to the Investigate page.
- Select the match location(s) that you want to manage access permissions for.
- Click the Control Access button to bring up the Reassign Permissions dialog box.
- In the Reassign Permissions dialog box, you can:
  - Remove specific groups, users, or user classes
  - Modify the permissions for existing groups, users, or user classes
  - Grant permissions to new groups, users, or user classes
  - Keep or revoke permissions for existing groups, users, or user classes
- Enter a name in the Please sign-off to confirm reassign field.
- Enter a reason in the Reason field.
- Click Reassign.
- (Optional) To reset all changes made to file permissions, click Cancel to cancel the operation.
Access control actions cannot be performed in the following cases:
- A selected match location has been removed by another operation (e.g. remediation),
- A selected match location is a nested object (e.g. a file within a ZIP archive) and not the parent object,
- Match locations across different file systems (e.g. Windows NTFS, Unix/Linux, or macOS) are selected, or
- Unsupported Target locations (e.g. databases, cloud Targets, emails, etc.) are selected.
Access Control Actions
Action | Description | Details |
---|---|---|
Remove Permissions | Remove existing groups, users, or user classes from having access permissions to the selected match location(s). | |
Modify Permissions | Modify the permissions for existing groups, users, or user classes. | |
Add Permissions (Change) | Grant access permissions to new groups, users, or user classes. | |
Reset Permissions (Keep / Keep existing permissions) | Reset all changes (e.g. delete, add, modify) made to the existing groups, users, or user classes with access permissions to the match location(s). | The Keep option does not affect the permissions for groups, users, or user classes added using the Change function. |
Revoke Permissions (Revoke) | Revoke permissions for all existing groups, users, or user classes with access permissions to the match location(s). | On Windows file systems, revoking permissions for a location where the "SYSTEM" account is a member of at least one group with existing access permissions to the match location can cause the location to become inaccessible to ER2. This may impact the ability to scan and remediate those locations successfully with ER2. |