
DataPrivilege 5.8
Users Quick Start Guide
Publishing Information
Software version 5.8.21
Document version 5
Publication date September, 2012; updated January 30, 2013
Copyright 2005 - 2013 Varonis Systems Inc.
All rights reserved.
This information shall only be used in conjunction with services contracted
for with Varonis Systems, Inc. and shall not be used to the detriment of
Varonis Systems, Inc. in any manner. User agrees not to copy, reproduce,
sell, license, or transfer this information without prior written consent of
Varonis Systems, Inc.
Other brands and products are trademarks of their respective holders.
Proprietary and Confidential of Varonis iii
Contents
1. Introduction
   Terminology
   Related Documentation
2. Basic Concepts
   Request Types
      About Data Access Requests
      About Group Membership Requests
   About Authorization
   About DataPrivilege Roles
3. Getting Started
   Logging In
   Graphical User Interface
   DataPrivilege Icons
   Logging Out
4. Requests - User and Floor Support Activities
   Creating Requests
      Creating Permission Requests
      Creating Membership Requests
   Viewing and Editing Request Details
   Viewing Request Summaries
5. Searching
   Searching for Users
   Searching for Groups
   Searching for Directories
   Searching for Requests
   Searching for File Servers
   Advanced Searching
6. Customizing the Menu Pages
   Adding Questions and Answers to the FAQ
1. Introduction
Varonis DataPrivilege provides automated, audited and managed
authorization flows that interface with any system-related IT operation in the
organization.
This Quick Start Guide provides instructions for regular users on using
DataPrivilege to make access requests. For a complete description of
DataPrivilege, its user interface and the activities to be performed by other
roles, see the DataPrivilege User Guide.
Terminology

ACL: Access control list. A list of permissions attached to an object. The
list specifies who or what is allowed to access the object and what
operations are allowed to be performed on the object. In a typical ACL, each
entry in the list specifies a subject and an operation: for example, the
entry (Alice, delete) on the ACL for file XYZ gives Alice permission to
delete file XYZ.

Authorization rule: A rule that enforces an additional level of
authorization, provided that the user for whom the request is made meets
certain criteria defined by the rule.

Authorizer: A user who can approve or decline requests. Authorizers can be
data or group owners, as well as users specifically designated by the owners.
Only the highest-level authorizer can commit the request.

Authorizer 0: When the Authorizer 0 option is enabled and the user for whom
the request was made has a manager defined in Active Directory, the request
must be authorized by the user's manager before it is sent to the relevant
owner or authorizer (see Management authorization).

Automatic rule: A rule or a set of rules that enables automatic approval of
data access requests and group membership requests, provided that the user
for whom the request is made meets certain criteria defined by the rule.

Ethical Wall: A zone of non-communication between distinct departments of a
business or organization to prevent conflicts of interest that might result
in the inappropriate release of sensitive information.

Base folder: The root managed folder. A storage folder that is managed by
one or more data owners. Can only be defined by administrators. Contains
managed directories.

Base OU: Base organizational unit. The OU in which all of a domain's
entities are created. See OU below.

Bypass group authorization: Bypass the process of group authorization when
permission is assigned to the group. This is an important option in several
cases:
- Several groups are used to manage a folder, and one of the groups does
  not have an owner. Unless the bypass option is set, users cannot request
  permissions of the type this group represents.
- If a group without an owner is the only group used to manage a folder,
  the folder is effectively not managed. Again, the bypass option enables
  managing the folder.

Location: A hierarchical tree representing a logical grouping of folders.
Such grouping may be geographical (such as US or EU), divisional (such as
ENG or ACC), or according to any other criteria.

Managed directory: A storage directory to which users can request access.
Managed directories meet the following conditions:
- An owner is defined for it
- At least one authorizer is defined for it
- At least one monitored access control list (ACL) is defined for it (the
  ACL's group must also be monitored)

Managed group: A defined group of users for which it is possible to request
membership, with the following conditions:
- An owner is defined for it; or
- A DataPrivilege administrator may set managed groups to bypass group
  authorization if preferred. In this case, the group must be defined for a
  managed directory that has an owner.

Management authorization: When the management authorization option is
enabled and the user for whom the request was made has a manager defined in
Active Directory, the request must be authorized by the user's manager before
it is sent to the relevant owner or authorizer (see Authorizer 0).

OU: Organizational unit. Organizational units are Active Directory containers
which can include users, groups, computers, and other organizational units.
They are often defined such that they mirror an organization's functional or
business structure.

Roles: Several roles are predefined in DataPrivilege: Administrators, Data
Owners, Data Authorizers, Group Owners, Group Authorizers, Floor Support,
Users, and Webmasters.

Share: A shared drive on the file system. Contains DataPrivilege base
folders.

Traverse permissions: If a group has permissions to a subdirectory but not
to its parent directories, traverse permissions enable group members to
drill down through the file system to reach the directory. For base folders,
traverse permissions can be set up to the level of the share.

Trusting Domain: A domain that allows access to users from another domain.

Trusted Domain: The domain that is trusted; that is, the domain whose users
have access to the trusting domain.
Related Documentation
IDU Release Notes
IDU Suite Reports
DatAdvantage User Guide
DataPrivilege Bulk Upload Utility User Guide
2. Basic Concepts
DataPrivilege provides automated, audited and managed authorization
flows that interface with any system-related IT operation in the organization.
DataPrivilege enables users to request operations (such as granting access
privileges) directly from business authorizers, and designate individuals to
make requests on behalf of other users.
Above all, DataPrivilege provides a framework for IT processes by defining
authorization scenarios that delegate IT authorization from the IT department
to the business unit, thereby establishing the business unit's accountability
for its managed resources.
Request Types
DataPrivilege enables creation and authorization of the following types of
requests:
Data access (that is, permission requests)
Group membership
Direct permission requests
About Data Access Requests
In the ordinary course of work, users often need access to a specific file or
directory for which they do not have permission. When this happens, users
create explicit permission requests.
Since such permissions are best managed through group membership
(instead of granting individuals permission to a directory), a user's
permission request results in the automatic creation of a membership
request, in which the user is granted (or denied) membership to the relevant
group. If the user is granted membership to the group, the user may access
all the data to which the group has permission.
Users may also request membership in specific groups. See About Group
Membership Requests.
Data Access Request Flow
The following figure illustrates the flow of data access requests:


About Group Membership Requests
Membership requests may be created by any role. They are handled by both
group owners and group authorizers. If a group owner creates a membership
request through the Group Management screens, it is automatically
approved.
Group Membership Request Flow
The following figure illustrates the flow of group membership requests:


About Authorization
DataPrivilege enables owners to establish key authorization roles to ensure
accountability for the information they are responsible for.
Evaluation and Approval or Denial of Requests
DataPrivilege enables authorizers to approve or deny requests. With
DataPrivilege, authorizers can receive, review and set authorizations for user
requests.
Authorization Review and Supervision
DataPrivilege enables designated authorizers and third-party reviewers from
across the organization to grant or deny requests. Such authorization review
further enhances the organization's accountability and transparency.
Note: If the management authorization (Authorizer 0) option is enabled
and the user for whom the request was made has a manager defined in
the Active Directory, the request must be authorized by the user's manager
before it is sent to the relevant owner.
About DataPrivilege Roles
Several roles are defined in DataPrivilege.
Administrators
Administrators are IT specialists. They are responsible for defining and
managing the definitions of the following:
Other administrators
Locations
Base folders
Assigning data owners to base folders
Assigning group owners to groups
Scheduling and configuring entitlement reviews
Defining Floor Support personnel
Defining permission types
Generating synchronization reports
Defining application settings
Configuring DataPrivilege
Data Owners
Data owners are managers who are responsible for managed directories.
This includes the following activities:
Adding managed directories.
Adding automatic rules to directories.
Adding authorization rules to directories.
Adding authorizers to managed directories.
Granting permissions to managed directories.
Performing entitlement reviews.
Approving or denying user requests for access to data. Such requests
actually entail adding users to the relevant groups.
Synchronizing the actual database with the managed DataPrivilege
environment.
Group Owners
Group owners are managers who are responsible for managed groups. This
includes the following activities:
Adding managed groups.
Adding users to groups.
Removing users from groups.
Adding automatic rules to groups.
Adding authorization rules to groups.
Adding authorizers to managed groups.
Performing entitlement reviews.
Approving or denying requests for group membership
Synchronizing managed groups with Active Directory.
Authorizers
Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:
Grant users permissions to managed directories
Add users to groups
Sign entitlement reviews
When data authorizers approve or decline requests, only those groups to
which a user can be assigned are displayed.
Authorization Levels
With DataPrivilege, multiple levels of authorization can be defined to ensure
data and group membership is protected. An authorizer can be assigned to
any authorization level, even if the preceding levels have not been defined.
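The request and authorization flow described in About Data Access Requests, About Authorization and Authorization Levels above, modelled as an added Python example. This is not Varonis code and not DataPrivilege's implementation; every class, field and function name, and the sample users, groups and folder, are assumptions constructed for the example. It chains the approvers in the order the guide gives: the requester's Active Directory manager when Authorizer 0 is on, then the directory's data authorizers in level order (gaps between levels are allowed), then the group owner unless the group bypasses group authorization. Only the last approver in the chain commits the membership, an automatic rule short-circuits the chain, a group without an owner is not requestable unless bypass is set, and an expiry date removes the membership again.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set

@dataclass
class User:
    name: str
    manager: Optional[str] = None        # manager defined in Active Directory, if any
    department: str = ""

@dataclass
class Group:
    name: str
    owner: Optional[str] = None
    bypass_authorization: bool = False   # the "Bypass group authorization" option
    members: Set[str] = field(default_factory=set)

@dataclass
class ManagedDirectory:
    path: str
    owner: Optional[str]
    authorizers: Dict[int, str]          # authorization level -> authorizer; levels may have gaps
    acl: Dict[str, str]                  # permission type -> monitored group
    auto_rules: List[Callable[[User], bool]] = field(default_factory=list)

@dataclass
class Request:
    requested_for: User
    group: Group
    expires: Optional[date]
    status: str = "Pending"
    pending_on: List[str] = field(default_factory=list)   # approvers still to act, in order
    approved_by: List[str] = field(default_factory=list)

def create_permission_request(user: User, d: ManagedDirectory, permission: str, groups: Dict[str, Group],
                              today: date, authorizer0: bool = True, expire_after_days: int = 0) -> Request:
    # Guide's conditions for a managed directory: an owner, an authorizer and a monitored ACL.
    if d.owner is None or not d.authorizers or not d.acl:
        raise ValueError(f"{d.path} is not a managed directory")
    if permission not in d.acl:
        raise ValueError(f"no monitored ACL of type {permission!r} on {d.path}")
    group = groups[d.acl[permission]]
    if group.owner is None and not group.bypass_authorization:
        raise ValueError(f"group {group.name} has no owner and bypass is not set")  # not requestable
    req = Request(user, group, today + timedelta(days=expire_after_days) if expire_after_days else None)
    if any(rule(user) for rule in d.auto_rules):         # automatic rule: approved without authorizers
        req.status = "Approved"
        group.members.add(user.name)
        return req
    chain: List[str] = [user.manager] if authorizer0 and user.manager else []  # Authorizer 0 first
    chain += [d.authorizers[lvl] for lvl in sorted(d.authorizers)]            # data authorizers by level
    if not group.bypass_authorization:                   # then group authorization, unless bypassed
        chain.append(group.owner)
    req.pending_on = chain
    return req

def decide(req: Request, actor: str, approve: bool) -> str:
    """Record one authorizer's decision; only the last approver in the chain commits."""
    if req.status != "Pending":
        raise ValueError(f"request is already {req.status}")
    if not req.pending_on or req.pending_on[0] != actor:
        raise PermissionError(f"{actor} is not the next authorizer for this request")
    req.pending_on.pop(0)
    if not approve:
        req.status = "Declined"
        return req.status
    req.approved_by.append(actor)
    if not req.pending_on:
        req.status = "Approved"
        req.group.members.add(req.requested_for.name)
    return req.status

def apply_expiry(req: Request, today: date) -> str:
    """Remove the membership again once the requested expiry date has been reached."""
    if req.status == "Approved" and req.expires is not None and today >= req.expires:
        req.group.members.discard(req.requested_for.name)
        req.status = "Expired"
    return req.status

def demo() -> dict:
    groups = {"FIN-RO": Group("FIN-RO", owner="carol"),          # constructed sample data, not from the guide
              "FIN-RW": Group("FIN-RW", owner=None, bypass_authorization=True)}
    finance = ManagedDirectory(r"\\fs01\finance", owner="dave", authorizers={1: "erin", 3: "dave"},
                               acl={"read": "FIN-RO", "modify": "FIN-RW"},
                               auto_rules=[lambda u: u.department == "FIN"])
    today = date(2013, 1, 30)
    alice = User("alice", manager="bob", department="ENG")
    r1 = create_permission_request(alice, finance, "read", groups, today, expire_after_days=30)
    try:                                                 # erin cannot act before alice's manager
        decide(r1, "erin", True)
        out_of_order_rejected = False
    except PermissionError:
        out_of_order_rejected = True
    for actor in list(r1.pending_on):                    # bob -> erin -> dave -> carol
        decide(r1, actor, True)
    r2 = create_permission_request(User("frank", department="FIN"), finance, "modify", groups, today)
    return {"r1_status": r1.status, "r1_chain": r1.approved_by, "out_of_order_rejected": out_of_order_rejected,
            "r1_after_expiry": apply_expiry(r1, today + timedelta(days=30)), "r2_status": r2.status,
            "fin_ro": sorted(groups["FIN-RO"].members), "fin_rw": sorted(groups["FIN-RW"].members)}
```

The out-of-order rejection in demo() is the property worth checking in any approval workflow of this shape: an authorizer further down the chain must not be able to act before those ahead of them, and the group membership must only be written once the whole chain has approved, never by an intermediate approver.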
Floor Support
Floor Support personnel can view all requests whose status is Pending.
Users
Regular users use DataPrivilege to:
Request access to data and track their requests
Request membership to groups and manage their memberships
3. Getting Started
Logging In
To log in to DataPrivilege:
1. Start Internet Explorer.
2. In the Address bar, enter the required URL. Alternatively, click the
DataPrivilege link on the enterprise portal.
The main DataPrivilege screen is displayed.
Graphical User Interface
The DataPrivilege user interface is comprised of several elements:
Menu buttons at the top of the screen. The content pages of the menu
buttons can be customized as necessary.
Left menu bar, which provides users access to the various panes of the
workspace. The left menu bar includes the following menus:
Summary - Available to all types of users
Pending Requests - Available to all types of users
Permission Requests - Available to all types of users
Membership Requests - Available to all types of users
Search - Available to all types of users
Reports - Available to all types of users (only owners and
administrators can generate synchronization reports)
Main workspace, in which the various panes are displayed.


DataPrivilege Icons
The following icons are used in the DataPrivilege graphical user interface:
Icon Description
The entity was added to DataPrivilege.
The entity was added to DataPrivilege by an automatic rule.
References existing shares.
The entity has been changed and requires synchronization.
An error has occurred in the synchronization between
DataPrivilege and DatAdvantage.
DataPrivilege-DatAdvantage synchronization is pending.
The entity is recommended for removal by DatAdvantage.
The user's permissions have been edited.
The user has multiple inheritance, consisting of a group that was
added from outside DataPrivilege and another group that has
been recommended for removal.
An error has occurred.
File without access.
Directory is not managed.
Non-managed protected directory.
Non-managed unique directory.
Directory without access.
Protected directory.
Unique directory without access.
Managed group.
Non-managed group
Enabled user.
Disabled user.
An error occurred during synchronization.
Request automatically approved.
Request cancelled.
Ethical wall.
Request is being executed.
Request to grant permission.
Request to revoke permission.
The request's status is Approved.
The request's status is Declined.
The request's status is Error or Expired.
The request is pending.
Information.
Operation cancelled.
Managed distribution group.
Unmanaged distribution group.
Undetected folder.
Logging Out
There is no need to log out of DataPrivilege. Simply close the Internet
browser. On a shared workstation, close all browser windows rather than only
the DataPrivilege tab, so that the browser session cannot be reused by the
next person at the keyboard.
4. Requests - User and Floor
Support Activities
Regular users use DataPrivilege to:
Request access to data and track their requests
Request membership to groups and manage their memberships
Floor Support personnel can view all requests whose status is Pending.
Creating Requests
DataPrivilege enables creating the following types of requests:
Permission requests - For access to data
Membership requests - For membership in groups
Creating Permission Requests
A permission request is created when users want access to data.
Note: If the management authorization (Authorizer 0) option is enabled
and the user for whom the request was made has a manager defined in
the Active Directory, the request must be authorized by the user's manager
before it is sent to the relevant owner.
To create a permission request:
1. From the left menu bar, select Permission Request.
The Permission Request pane is displayed in the main workspace.


2. In the Users area, make sure the request is being made for the correct
users. If it is not, click the Change Users button to select the required
users. The selected users are displayed in the Users area.
3. To locate the folders for which the request is being made:
a. In the Folders area, click the Browse button to select the folder for
which permission is being requested (you may select more than one).
The Select Folders dialog box is displayed.
b. Search for the required folder or type its name in the Folders field.


c. Click Add.
The directories are added and displayed in the Operations area.
4. To define the required permissions for the directories:
a. In the Operations area, select the operation required for each directory
from the Available Operations drop-down list.
Note: When only one user is selected, effective permissions are
calculated and only relevant options are displayed in the Available
Operations drop-down list. However, if multiple users are selected all
operations are displayed.
b. For each directory, select the required permissions from the
Permissions drop-down list.
c. To remove a directory from the request, select its checkbox and click
Remove.


5. In the Explanation area, type a free-text reason for the request.
6. To define an expiration date for the request (skip to the next step if you
do not want to define an expiration date):
a. If the Advanced pane is collapsed, click Advanced.
Note: The Expand or collapse Advanced pane in requests key
setting enables configuring this pane to be expanded when it is first
presented to the user.
The Expiration area is displayed.
b. Set the date on which the permission is to expire. Options are:
Never
On - Click the calendar icon to select an expiration date
After - In the text box, select the number of days after which the
permission is to expire.
7. Click Finish.
The request is created and one of the following occurs:
If a request was made for a single user a summary is displayed.
If a request was made for multiple users, a list of users included in the
request is displayed. When a name is clicked, a summary for that user
is displayed.
Creating Membership Requests
A membership request is created for users and groups that require
membership in a group.
Note: If the management authorization (Authorizer 0) option is enabled
and the user for whom the request was made has a manager defined in
the Active Directory, the request must be authorized by the user's manager
before it is sent to the relevant owner.
To create a membership request:
1. From the left menu bar, select Membership Request.
The Membership Request pane is displayed in the main workspace.
2. In the Users field, make sure the request is being made for the correct
users and groups. If it is not, click the Change Users/Groups button to
select the required users and groups.
The selected users are displayed in the Users area. When one or more
of the users has a manager defined in the Active Directory, the relevant
users' managers are displayed.
3. To locate the groups for which the request is being made:
a. In the Groups area, click the Browse button to select the groups for
which membership is being requested (you may select more than one).
The Select Groups dialog box is displayed.
b. Search for the required group.
c. Click Add.
The groups are added and displayed in the Operations area.
4. To define the required operation for the groups:
a. In the Operations area, select the operation required for each group
from the Available Operations drop-down list.
Note: When only one user is selected, effective permissions are
calculated and only relevant options are displayed in the Available
Operations drop-down list. However, if multiple users are selected all
operations are displayed.
b. To remove a group from the request, select its checkbox and click
Remove.
5. In the Explanation area, type a free-text reason for the request.
6. To define an expiration date for the request (skip to the next step if you
do not want to define an expiration date):
a. If the Advanced pane is collapsed, click Advanced.
Note: A key setting enables configuring this pane to be expanded
when it is first presented to the user.
The Expiration area is displayed.
b. Set the date on which the membership is to expire. Options are:
Never
On - Click the calendar icon to select an expiration date
After - In the text box, select the number of days after which the
membership is to expire.
7. Click Finish.
The request is created and one of the following occurs:
If a request was made for a single user a summary is displayed.
If a request was made for multiple users, a list of users included in the
request is displayed. When a name is clicked, a summary for that user
is displayed.
Viewing and Editing Request Details
To view and edit the details of a submitted access request:
1. Search for the relevant request.
The requests matching your search criteria are displayed in the Access
Requests or Access Authorizations pane, as relevant.


2. Click the information icon for the relevant request.
The Request Details window is displayed.


3. Edit the available fields as necessary.
4. Click OK.
Viewing Request Summaries
To view your request summaries:
1. From the left menu bar, select Summary.
The summary of the requests you have made in the past ten days
is displayed in the main workspace. It is comprised of the following
sections:
My Requests - The requests you created for yourself, or that were
created on your behalf
Requests waiting for my approval - The requests you are responsible
for approving
Waiting for my review - The entitlement reviews you are responsible
for handling
2. To send an email to the user who made the request, or the user for whom
the request was made, click the user's name in the relevant column
(Requested By or Requested For).
3. Click the information icon for the relevant request.
The request's details are displayed.


4. If the request is still pending, you may edit its expiration date. In the
Expiration Date area, set the relevant date. Options are:
Never
On - Click the calendar icon to select an expiration date
After - In the text box, select the number of days after which the
permission is to expire.
5. Searching
The following subsections provide instructions for searching for users,
groups, directories, requests and file servers, and for advanced searching.
Searching for Users
To search for users:
1. While carrying out the relevant activity, click Add.
The User Search dialog box is displayed.


2. In the User Search pane, click the Browse button.
The next User Search dialog box is displayed.


3. From the Select Domain drop-down list, select the domain in which to
perform the search.
4. From the first drop-down list, select the first search filter.
Note: The options appearing in this filter can be configured by Varonis
System Engineers.
5. From the second drop-down list, select the second search filter. Options
are:
Begins with
Ends with
Contains
That is
6. In the blank field, type the value specified by the first two search filters.
If you set the first two filters to User Name and Begins With, type the first
few letters of the user you are searching for.
7. Click Search.
A list of users matching the search criteria is returned.


8. Select the checkbox of the user to be added in the activity you are
currently performing.
9. Click OK.
The user is added.
Searching for Groups
To search for groups:
1. While carrying out the relevant activity, click Add.
The Group Search dialog box is displayed.


2. Click the Browse button.
The next Group Search dialog box is displayed.


3. Do one of the following:
Select a domain in which to perform the search - Select the Domain
option and then select the required domain from the drop-down list.
Select a location in which to perform the search - Select the Location
option and then select the required logical location from the drop-down
list.
4. Select the Show Unmanaged Groups option to display these groups in
the list.
5. From the drop-down list, select the required search operator. Options are:
Begins with
Ends with
Contains
That is
6. In the blank field, type the required value to find the relevant group.
If you set the filter to Begins With, type the first few letters of the group
you are searching for.
7. Click Search.
A list of groups matching the search criteria is returned.
8. Select the checkbox of the group to be added in the activity you are
currently performing.
9. Click OK.
The group is added.
Searching for Directories
To search for directories:
1. In the Search pane for the relevant activity, click the browse button next
to the For Folder or By Folder field.
The Select Folder dialog box is displayed.


2. Expand the directory tree to locate the required managed folder.
Note: The tree displays only managed folders.
3. Select the folder's checkbox.
4. Click OK.
The name of the selected directory is inserted into the Folder field.
Searching for Requests
To search for requests:
1. From the left menu bar, select Search.
The Search submenu is expanded.
2. From the submenu, select the search type for the report to be generated.
Options are:
Search - To perform predefined searches.
Adv. Search - To perform an advanced search for requests by more
specific criteria.
The relevant search panes are displayed in the main workspace.


3. Set the required search criteria:
Search - Set the following options:
Request Type - From the drop-down list, select the type of request
for which you are searching. Options are:
All
Membership Requests
Permission Requests
Select the request's frequency. Options are:
Weekly
Monthly
Expired
Advanced search - For instructions, see Advanced Searching.
4. Click Search.
The requests that meet the specified criteria are displayed in the
Standard Search pane.


5. To view the details of a specific request in the report, click the information
icon for the request.
The Request Details dialog box is displayed.
6. To export the report to a Microsoft Excel spreadsheet, click Export.


7. To print the report, click Print.
Searching for File Servers
To search for file servers:
1. While carrying out the relevant activity, click Add.
The File Server Search dialog box is displayed.


2. From the Select Domain drop-down list, select the domain in which to
search for the relevant file server.
3. From the first drop-down list, select the first search filter. Options are:
Begins with
Ends with
Contains
That is
4. In the blank field, type the value specified by the first search filter.
If you set the first filter to "Begins With", type the first few letters of the file
server you are searching for.
5. Click Search.
A list of file servers matching the search criteria is returned.


6. Expand the Folder Name tree to locate the relevant file server.
7. Click OK.
The file server is added.
Advanced Searching
DataPrivilege's advanced search capabilities enable you to specify a wide
range of search criteria. The available criteria change depending on the type
of search you want to perform.
To set advanced search criteria:
1. From the left menu bar, select Search.
The Search submenu is expanded.
2. From the submenu, select Adv. Search.
The Search Filter pane is displayed in the main workspace.


3. In the Search Filter pane, set one or more of the following criteria for the
request for which you are searching:
Requests by - Click the relevant browse button and search for the
user or group who made the request. The relevant entity is displayed
in the Request By field.
Requests for - Click the relevant browse button and search for the
user or group for whom the request was made. The relevant entity is
displayed in the Request For field.
Request Type - From the drop-down list, select the type of request for
which you are searching. Options are:
Permission
Direct Permission
Membership
Request Operation Type - From the drop-down list, select the type of
operation for which you are searching. Options are:
All
Grant Access
Revoke Access
Status - Select one or more request statuses by which to search.
Request ID - Type the unique ID of the relevant request.
Start Date - Click the calendar to select the date on which the
permission related to the request is to start.
End Date - Click the calendar to select the date on which the
permission related to the request is to expire.
4. Click Search.
All requests that match the defined search criteria are displayed in the
Advanced Search pane.
6. Customizing the Menu Pages
DataPrivilege provides several menu buttons, the content pages of which
can be customized as necessary by DataPrivilege administrators. These
buttons, located at the top of the screen, include:
Home
FAQ
Help
Contact Us
About Us - This button provides information about Varonis Inc. and
cannot be customized
To customize the content pages of the Home, Help and Contact Us buttons:
1. Click the relevant menu button at the top of the screen.


2. In the main workspace, click the Switch to Edit Mode link.
A robust text editor opens in the workspace.


3. Add or update the content page of the button as relevant.
4. Click Update.
Adding Questions and Answers to the FAQ
To add a question or answer to the FAQ:
1. Click the FAQ menu button at the top of the screen.


2. In the main workspace, click the Add button.
The FAQ Details dialog box is displayed.


3. Type the relevant text in the Question and Answer fields.
4. In the Sort Order field, type the number that sets the position at which
the question is to appear in the FAQ list.
5. Click OK.
The question and its answer are added to the FAQ page.