000033419 - Data Access Review for the file share does not show the accounts which have access to file share via the group in RSA Identity Governance and Lifecycle

Document created by RSA Customer Support Employee on Sep 21, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000033419

Applies To: RSA Product Set: RSA Identity Governance and Lifecycle

Issue: If you are collecting file shares using Data Access Governance (DAG) collectors in G&L, collected file shares might grant access to both groups and accounts. Each group might have accounts and users as its members. When you run the default Data Access Review for a given file share, you might find that sometimes it shows accounts which have access to the file share via a group and sometimes it does not show accounts which have access to a file
The file share below shows access to six groups and one account:
[screenshot]

One of the groups has an account as its member:
[screenshot]

The two screen shots below show the Data Access Review and its contents:
[screenshot]

[screenshot]

This screen shot shows the group DLG_FS_NAS_WholeNAS_Modify, whose members are not included in the review result:
[screenshot]
Resolution: Below is the behavior of groups, and of accounts in groups, in Data Access Reviews.

Groups are of two types:

  • Managed. Groups that have access to exactly one data resource. Such groups have the column MANAGEDRES_TYPE set to a value of D in the internal table T_GROUPS.
  • Non Managed. Groups that have access to either no data resource or to more than one data resource.

When the option "For each member, review the data resource granted from a data resource group" is selected on the review definition, the following happens:

[screenshot]

  1. If a group is managed, the relation of the group to the data resource is not reviewed. Instead, the access of the accounts in the group to the data resource is reviewed.
  2. If a group is non managed, the relation of the group to its data resources is reviewed. The access that accounts in that group derive to the group’s data resources is not reviewed.
  3. So, from cases 1 and 2 above, for a given group either the group itself is reviewed (non managed) or the accounts in the group are reviewed (managed), but never both at the same time.

That is the expected behavior today.
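To make the rule concrete, here is an added Python model of the expansion step (example code, not part of the article or of the product). The group name DLG_FS_NAS_WholeNAS_Modify comes from the article; the share paths, the other group names, the accounts and the handling of directly granted accounts are constructed assumptions.

```python
"""Model of how a Data Access Review expands groups when the option
'For each member, review the data resource granted from a data resource
group' is selected. All data below is constructed for illustration."""

# Constructed sample: data resource -> groups granted access on the share.
GROUP_ACCESS = {
    "\\\\nas01\\finance": {"DLG_FS_NAS_Finance_Modify", "DLG_FS_NAS_WholeNAS_Modify"},
    "\\\\nas01\\hr": {"DLG_FS_NAS_HR_Modify", "DLG_FS_NAS_WholeNAS_Modify"},
}
# Constructed sample: group -> member accounts.
GROUP_MEMBERS = {
    "DLG_FS_NAS_Finance_Modify": {"jdoe", "asmith"},
    "DLG_FS_NAS_HR_Modify": {"bjones"},
    "DLG_FS_NAS_WholeNAS_Modify": {"nasadmin"},
}
# Constructed sample: data resource -> accounts granted access directly
# (assumption: such accounts are always reviewed as their own row).
DIRECT_ACCOUNTS = {"\\\\nas01\\finance": {"svc_backup"}}


def managedres_type(group):
    """Derive the T_GROUPS.MANAGEDRES_TYPE flag as the article describes it:
    'D' when the group reaches exactly one data resource (managed), None when
    it reaches no resource or several (non managed)."""
    resources = sum(1 for groups in GROUP_ACCESS.values() if group in groups)
    return "D" if resources == 1 else None


def review_items(resource):
    """Return the review rows for one data resource as (kind, name, via) tuples.
    A managed group is replaced by its member accounts; a non managed group is
    reviewed once as a group-to-resource relation and its members are NOT
    expanded, which is why some group members never appear in the review."""
    items = [("account", acct, "direct")
             for acct in sorted(DIRECT_ACCOUNTS.get(resource, ()))]
    for group in sorted(GROUP_ACCESS.get(resource, ())):
        if managedres_type(group) == "D":
            items.extend(("account", acct, group)
                         for acct in sorted(GROUP_MEMBERS.get(group, ())))
        else:
            items.append(("group", group, "direct"))
    return items


def missing_members(resource):
    """Accounts that reach the resource only via a non managed group and so
    do not show up as account rows; useful when validating a review's scope."""
    hidden = set()
    for group in GROUP_ACCESS.get(resource, ()):
        if managedres_type(group) != "D":
            hidden |= GROUP_MEMBERS.get(group, set())
    reviewed = {n for kind, n, _ in review_items(resource) if kind == "account"}
    return sorted(hidden - reviewed)
```

Running `review_items("\\\\nas01\\finance")` lists the members of the managed finance group but only a single group row for DLG_FS_NAS_WholeNAS_Modify, and `missing_members` names the accounts that the review therefore never shows.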