Data Access Management

PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.

This section covers the following:

Overview
Requirements
View Access Status
- View Access Permissions Details
Manage and Control Data Access

Overview

Controlling access to sensitive and PII data is a key concept in many data protection regulations. After taking the first step of data discovery, identifying who has access to the data is necessary to understand the risk of exposure. For example, does everyone with permissions to view a file still require that access? Which files have open permissions (e.g. accessible by everyone in your organization)?

The Data Access Management feature is accessible from the Investigate page and allows users to easily:

View and analyze the permissions for sensitive data locations, and
Immediately take action to minimize risk by managing and controlling access to those locations.

ER2 does not retrieve access permission information for all scanned locations; this data is only captured for locations that result in sensitive data matches.

Access and permissions details will not be available for locations scanned with ER 2.1 and prior. Upgrade the Master Server and Agents to version 2.2, and rescan Targets to get access permissions information for match locations.

Requirements

Requirements	Description
License	Enterprise Recon PRO license.
Master Server	Version 2.2 and above.
Agents	Version 2.2 and above.
File Systems	ER2 will retrieve access permissions and ownership information for match locations in Windows NTFS and Linux / Unix file systems.
Scan Modes	Data Access Management is supported for match locations that were scanned as: Local scans with a locally installed Node Agent, or Agentless scans with Proxy Agents - requires WMI connectivity for Windows, and SSH connectivity for Linux / Unix Targets. See Agentless Scan Requirements for more information.
User Permissions	Resource Permissions that are assigned to a user grants access to specific Data Access Management components: View match location permission details - Detailed Reporting for the Target / Target Group Manage permissions for the match location - Access Control for the Target / Target Group A Global Admin user has administrative privileges to access all ER2 resources and is therefore not included in the list above.
Active Directory	Active Directory (AD) must be set up and enabled in ER2 to: Retrieve detailed information on AD groups or users that have access permissions to a match location, and View the groups or users in the AD domain when managing and controlling access to those match locations. You can manage access permissions for AD groups or users by manually adding AD accounts using the <domain>\<groupname_or_username> format.

View Access Status

In the Investigate results grid, the Access column displays the number of unique users that have any level of access permissions to the match location. If a group(s) has access permissions for the given location, unique group members will be calculated as part of the total Access count.

There are two scenarios where "Everyone" instead of the unique user count will be displayed in the Access column.

Windows - This applies if the built-in group Everyone has access permissions to the match location.
Unix - This applies for match locations that have a non-zero value for the Others permission set.

The Access count does not calculate users that belong to nested user groups.

If ownership or access permissions for a match location has been modified using ER2, a notification icon will be displayed in the Owner or Access column accordingly. The status of the last access control action performed for a match location will be reflected in the Access Control column.

Example

"File-B.zip" is a match location that the following groups and users have permissions to:

File-B.zip +-- Group-1 +-- Administrator +-- User-1 +-- Group-3 +-- User-3 +-- User-4 +-- Group-2 +-- Administrator +-- User-1 +-- User-2 +-- User-1

The Access column will indicate "3" for "File-B.zip" as there are three unique users who have access to the match location:

Administrator
User-1
User-2

"User-3" and "User-4" are not included in the total Access count as they belong to "Group-3", which is a nested group and child member of "Group-1".

View Access Permissions Details

To view the list of groups, users, or user classes that have any level of access permissions for a match location:

Log into the ER2 Web Console.
Go to the Investigate page.
Click on the match location to bring up the Access panel.
The Access panel displays information about the owner, groups, users or user classes (e.g. Owner, Group, Others) that have access to the match location, and the permissions associated with each group, user, or user class.

If a group or user with access permissions to a location is deleted from the Target system, the Access panel displays the ID instead of the group or user name.

Manage and Control Data Access

There are several types of access control actions that can be taken on a match location, such as modifying file ownership properties, revoking access permissions for specific users or groups, and granting access to new users, groups, or user classes.

Manage File Owner

To modify the file owner property for a match location:

Go to the Investigate page.
Select the match location(s) that you want to manage access permissions for.
Click the Control Access button to bring up the Reassign Permissions dialog box.
Click on Change next to the File Owner label to change the file ownership for the location.
Select a new file owner from the list of domain or local user accounts. Alternatively, enter a new user account in the input text field and click Add.
- New domain account: <domain>\<username>
- New local account: <username>
(Optional) To reset all changes made to file owner permissions, click Keep existing file owner(s).

For Windows locations, using the Change option changes the "Owner" attribute of the file or folder to a new user, but does not remove the existing access permissions (e.g. Execute, Read, Write) for the previous owner.

Manage Permissions for Groups, Users, and User Classes

To manage the access permissions for a match location:

Go to the Investigate page.
Select the match location(s) that you want to manage access permissions for.
Click the Control Access button to bring up the Reassign Permissions dialog box.
In the Reassign Permissions dialog box, you can
- Remove specific groups, users, or user classes
- Modify the permissions for existing groups, users, or user classes
- Grant permissions to new groups, users, or user classes
- Keep or revoke permissions for existing groups, users, or user classes
Enter a name in the Please sign-off to confirm reassign field.
Enter a reason in the Reason field.
Click Reassign.

The Control Access button will be disabled if:

A selected match location has been removed by another operation (e.g. remediation),
A selected match location is a nested object (e.g. a file within a ZIP archive) and not the parent object,
Both Windows NTFS and Unix / Linux filesystem match locations are selected, or
Unsupported Target locations (e.g. databases, cloud Targets, emails etc...) are selected.

Access Control Actions

Action	Description	Details
Remove Permissions	Remove existing groups, users, or user classes from having access permissions to the selected match location(s).	Click the trash icon for a selected group, user, or user class.
Modify Permissions	Modify the permissions for existing groups, users, or user classes.	Click the pencil icon for a selected group, user, or user class. Add (check) or remove (uncheck) specific permissions granted to the group, user, or user class. Click Proceed.
Add Permissions (Change)	Grant access permissions to new groups, users, or user classes.	Click on Change next to the Groups/Users or Group label to change the groups, users, or user classes that have access permissions for the match location. Add (check) new groups, users, or user classes from the list of domain or local accounts. Alternatively, enter a new group or user in the input text field and click Add. New domain account: <domain>\<groupname_or_username> New local account: <groupname_or_username> Click the pencil icon next to a newly added group, user, or user class. Add (check) or remove (uncheck) specific permissions granted to the group, user, or user class. Click Proceed.
Reset Permissions (Keep / Keep existing permissions)	Reset all changes (e.g. delete, add, modify) made to the existing groups, users, or user classes with access permissions to the match location(s).	The Keep option does not affect the permissions for groups, users, or user classes added using the Change function.
Revoke Permissions (Revoke)	Revoke permissions for all existing groups, users, or user classes with access permissions to the match location(s). On Windows file systems, revoking permissions for a location where the "SYSTEM" account is a member of at least one group with existing access permissions to the match location can cause the location to become inaccessible to ER2. This may impact the ability to scan and remediate those locations successfully with ER2.	The Revoke option does not remove the file owner permissions for the location. The Revoke option does not affect the permissions for groups, users, or user classes added using the Change function. Revoking Group permissions for a Unix / Linux filesystem location changes the Group to root with no permissions granted. Revoking Others permissions for a Unix / Linux filesystem location removes all permissions for the Others user class.