Enterprise Recon 2.3

Data Access Management

This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.


Overview

Controlling access to sensitive and PII data is a key concept in many data protection regulations. After taking the first step of data discovery, identifying who has access to the data is necessary to understand the risk of exposure. For example, does everyone with permissions to view a file still require that access? Which files have open permissions (e.g. accessible by everyone in your organization)?

The Data Access Management feature is accessible from the Investigate page and allows users to easily:

  • View and analyze the permissions for sensitive data locations, and
  • Immediately take action to minimize risk by managing and controlling access to those locations.

Requirements

License: Enterprise Recon PRO license.
Master Server: Version 2.2 and above.
Agents: Version 2.2 and above.
File Systems: ER2 retrieves access permissions and ownership information for match locations on Windows NTFS and Linux / Unix file systems.
Scan Modes: Data Access Management is supported for match locations that were scanned as:
  • Local scans with a locally installed Node Agent, or
  • Agentless scans with Proxy Agents, which require WMI connectivity for Windows Targets and SSH connectivity for Linux / Unix Targets.
    See Agentless Scan Requirements for more information.
User Permissions: Resource Permissions assigned to a user grant access to specific Data Access Management components:
  • View match location permission details - Detailed Reporting for the Target / Target Group
  • Manage permissions for the match location - Access Control for the Target / Target Group
A Global Admin user has administrative privileges to access and configure all ER2 resources and is therefore not included in the list above.
Active Directory

Active Directory (AD) must be set up and enabled in ER2 to:

  • Retrieve detailed information on AD groups or users that have access permissions to a match location, and
  • View the groups or users in the AD domain when managing and controlling access to those match locations.

You can manage access permissions for AD groups or users by manually adding AD accounts using the <domain>\<groupname_or_username> format.

View Access Status

In the Investigate results grid, the Access column displays the number of unique users that have any level of access permissions to the match location. If one or more groups have access permissions for the location, their unique members are included in the total Access count.

There are two scenarios where "Everyone" is displayed in the Access column instead of the unique user count:

  • Windows - This applies if the built-in group Everyone has access permissions to the match location.
  • Unix - This applies for match locations that have a non-zero value for the Others permission set.

If ownership or access permissions for a match location have been modified using ER2, a notification icon is displayed in the Owner or Access column accordingly. The status of the last access control action performed for a match location is reflected in the Access Control column.

Example

"File-B.zip" is a match location that the following groups and users have permissions to:

File-B.zip
+-- Group-1
    +-- Administrator
    +-- User-1
    +-- Group-3
        +-- User-3
        +-- User-4
+-- Group-2
    +-- Administrator
    +-- User-1
    +-- User-2
+-- User-1

The Access column will indicate "3" for "File-B.zip" as there are three unique users who have access to the match location:

  • Administrator
  • User-1
  • User-2

"User-3" and "User-4" are not included in the total Access count as they belong to "Group-3", which is a nested group and child member of "Group-1".
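The following is an added illustration of how the Access column value is derived from the rules above; it is not ER2 code. The Group class, the platform flag and the others_bits argument are assumptions made for the example, and the exclusion of nested-group members follows the "File-B.zip" example on this page.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    """A group ACL entry; members are user names (str) or nested Group objects."""
    name: str
    members: list = field(default_factory=list)


# Constructed ACL for "File-B.zip", mirroring the tree in the example above.
FILE_B_ACL = [
    Group("Group-1", ["Administrator", "User-1",
                      Group("Group-3", ["User-3", "User-4"])]),
    Group("Group-2", ["Administrator", "User-1", "User-2"]),
    "User-1",
]


def direct_users(entries):
    """Unique users with access: directly listed users plus the direct user
    members of listed groups. Members of nested groups (e.g. User-3 and
    User-4 via Group-3) are not counted, as in the page's example."""
    users = set()
    for entry in entries:
        if isinstance(entry, Group):
            users.update(m for m in entry.members if isinstance(m, str))
        else:
            users.add(entry)
    return users


def access_column(entries, platform, others_bits=0):
    """Value shown in the Access column for a match location.

    platform:    "windows" or "unix" (assumption for the example)
    others_bits: Unix 'Others' rwx bits, 0-7 (ignored for Windows)
    """
    if platform == "windows" and any(
        isinstance(e, Group) and e.name == "Everyone" for e in entries
    ):
        return "Everyone"  # built-in Everyone group has access
    if platform == "unix" and others_bits != 0:
        return "Everyone"  # non-zero Others permission set
    return len(direct_users(entries))


if __name__ == "__main__":
    print(access_column(FILE_B_ACL, "windows"))  # → 3
```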

View Access Permissions Details

To view the list of groups, users, or user classes that have any level of access permissions for a match location:

  1. Log into the ER2 Web Console.
  2. Go to the Investigate page.
  3. Click on the match location to bring up the Access panel.
  4. The Access panel displays information about the owner, groups, users or user classes (e.g. Owner, Group, Others) that have access to the match location, and the permissions associated with each group, user, or user class.

Manage and Control Data Access

There are several types of access control actions that can be taken on a match location, such as modifying file ownership properties, revoking access permissions for specific users or groups, and granting access to new users, groups, or user classes.

Manage File Owner

To modify the file owner property for a match location:

  1. Go to the Investigate page.
  2. Select the match location(s) that you want to manage access permissions for.
  3. Click the Control Access button to bring up the Reassign Permissions dialog box.
  4. Click on Change next to the File Owner label to change the file ownership for the location.
  5. Select a new file owner from the list of domain or local user accounts. Alternatively, enter a new user account in the input text field and click Add.
    • New domain account: <domain>\<username>
    • New local account: <username>
  6. (Optional) To reset all changes made to file owner permissions, click Keep existing file owner(s).

Manage Permissions for Groups, Users, and User Classes

To manage the access permissions for a match location:

  1. Go to the Investigate page.
  2. Select the match location(s) that you want to manage access permissions for.
  3. Click the Control Access button to bring up the Reassign Permissions dialog box.
  4. In the Reassign Permissions dialog box, you can
    • Remove specific groups, users, or user classes
    • Modify the permissions for existing groups, users, or user classes
    • Grant permissions to new groups, users, or user classes
    • Keep or revoke permissions for existing groups, users, or user classes
  5. Enter a name in the Please sign-off to confirm reassign field.
  6. Enter a reason in the Reason field.
  7. Click Reassign.
The Control Access button will be disabled if:
  • A selected match location has been removed by another operation (e.g. remediation),
  • A selected match location is a nested object (e.g. a file within a ZIP archive) and not the parent object,
  • Both Windows NTFS and Unix / Linux filesystem match locations are selected, or
  • Unsupported Target locations (e.g. databases, cloud Targets, emails, etc.) are selected.

Access Control Actions

Remove Permissions

Remove existing groups, users, or user classes from having access permissions to the selected match location(s).
  1. Click the trash icon for a selected group, user, or user class.

Modify Permissions

Modify the permissions for existing groups, users, or user classes.
  1. Click the pencil icon for a selected group, user, or user class.
  2. Add (check) or remove (uncheck) specific permissions granted to the group, user, or user class.
  3. Click Proceed.

Add Permissions (Change)

Grant access permissions to new groups, users, or user classes.
  1. Click on Change next to the Groups/Users or Group label to change the groups, users, or user classes that have access permissions for the match location.
  2. Add (check) new groups, users, or user classes from the list of domain or local accounts. Alternatively, enter a new group or user in the input text field and click Add.
    • New domain account: <domain>\<groupname_or_username>
    • New local account: <groupname_or_username>
  3. Click the pencil icon next to a newly added group, user, or user class.
  4. Add (check) or remove (uncheck) specific permissions granted to the group, user, or user class.
  5. Click Proceed.

Reset Permissions (Keep / Keep existing permissions)

Reset all changes (e.g. delete, add, modify) made to the existing groups, users, or user classes with access permissions to the match location(s). The Keep option does not affect the permissions for groups, users, or user classes added using the Change function.

Revoke Permissions (Revoke)

Revoke permissions for all existing groups, users, or user classes with access permissions to the match location(s).

On Windows file systems, revoking permissions for a location where the "SYSTEM" account is a member of at least one group with existing access permissions to the match location can cause the location to become inaccessible to ER2. This may impact the ability to scan and remediate those locations successfully with ER2.
  • The Revoke option does not remove the file owner permissions for the location.
  • The Revoke option does not affect the permissions for groups, users, or user classes added using the Change function.
  • Revoking Group permissions for a Unix / Linux filesystem location changes the Group to root with no permissions granted.
  • Revoking Others permissions for a Unix / Linux filesystem location removes all permissions for the Others user class.