Certification of Direct vs. Indirect Permissions

  • 7011039
  • 24-Feb-2012
  • 19-Oct-2012

Resolution

The access that can be reviewed and modified in a Certification can depend on how access is granted to an individual as much as which access is granted.

Consider the following scenario:

  • Windows directory \\winsrv1\appA\data has an access control list containing user Fred and AD group AppAUsers
  • AD group AppAUsers has members Barney, Wilma, and Betty

Access Governance Suite Access Reviews for these users will list the following:

Identity    Access
Fred        \\winsrv1\appA\data
Barney      AppAUsers

Even though Fred and Barney both have access to directory \\winsrv1\appA\data, Fred has "direct" permission to that directory, while Barney has "indirect" permission to it. 

In a user access review, Access Governance Suite includes only direct permissions, because the reviewer can act only on direct permissions. The reviewer can remove Fred's access to the directory, but for Barney the only available action is to remove his group membership; the group's permissions cannot be modified from within a user access review.

In Barney's review, clicking the group AppAUsers displays the group's access to the directory, but since the directory permission belongs to the group, no approve or revoke decision can be made on whether Barney has access to the directory from within this review. The only available decision is whether or not he should be a member of the group.  Changing permissions defined for that group would affect all members of the group, some of whom may need access to the directory even if Barney does not.

The group's access permissions can be reviewed and modified through an Account Group Permissions Certification.  Removing access to the directory from that access review would remove the access for all members of the group.
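The distinction above, modelled as an added example (not Access Governance Suite code): the sample ACL and group membership are constructed from the scenario, a user access review lists only what the reviewer can act on, and a group permission revoke removes the grant for every member.

```python
# Constructed sample data mirroring the article's scenario.
# ACL: resource -> trustees (users or groups granted access directly).
ACLS = {r"\\winsrv1\appA\data": ["Fred", "AppAUsers"]}
# Group memberships: group -> members.
GROUPS = {"AppAUsers": ["Barney", "Wilma", "Betty"]}


def user_access_review(identity, acls=None, groups=None):
    """Items a reviewer can act on in a user access review: the identity's
    direct permissions and its group memberships (never the group's permissions)."""
    acls = ACLS if acls is None else acls
    groups = GROUPS if groups is None else groups
    items = [("permission", r) for r, trustees in acls.items() if identity in trustees]
    items += [("membership", g) for g, members in groups.items() if identity in members]
    return items


def effective_access(identity, acls=None, groups=None):
    """Every resource the identity can reach, tagged direct or indirect (via group)."""
    acls = ACLS if acls is None else acls
    groups = GROUPS if groups is None else groups
    result = {}
    for resource, trustees in acls.items():
        if identity in trustees:
            result[resource] = "direct"
            continue
        via = [g for g in trustees if g in groups and identity in groups[g]]
        if via:
            result[resource] = "indirect via " + ", ".join(via)
    return result


def revoke_group_permission(group, resource, acls):
    """Account Group Permissions Certification decision: drop the group's grant.
    This changes access for all members, not just the one under review."""
    updated = dict(acls)
    updated[resource] = [t for t in acls[resource] if t != group]
    return updated


if __name__ == "__main__":
    for who in ("Fred", "Barney"):
        print(who, user_access_review(who), effective_access(who))
    after = revoke_group_permission("AppAUsers", r"\\winsrv1\appA\data", ACLS)
    print("Wilma after group revoke:", effective_access("Wilma", after))
```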