
Data Governance Attestation - No Default Process to Remove User or Group

Hi All,

Is there any default process in Q1IM to handle the attestation of Data Governance? I want to remove the user or group from the governed data (shared folder) when the attestation is denied. I am trying the default attestation cases below.

Data Governance: Groups with direct access attestation
Data Governance: Accounts with direct access attestation

There is no job triggered after it is denied.

All the options are set under "QER\Attestation\AutoRemovalScope" and "QER\CalculateRiskIndex".

The process "VI_Attestation_AttestationCase_AutoRemoveMemberships" does not have any generating condition for Data Governance.

Do we need to create a custom process for it? If yes, how can I call the DGE agent to remove the user or group from the shared folder?

Kindly help me on this.

  • For those accounts with direct (non-group) access to shared folders, it sounds like (I can't double-check right now) you'll need to trap the deny event on the attestation case and launch a custom process chain that calls PowerShell to remove the access. Check what DGE cmdlets are available.
  • The cmdlet to be called in a process chain that is triggered by an EX step in the custom approval workflow is Set-QResourceSecurity. A description can be found in D1IM_QAM_TechnicalInsightGuide.chm.
  • Hi Matthias,

    I have created a simple PowerShell script. It is working fine. I am planning to create a process on the Attestation table to call this PowerShell script to remove the access.

    I can see only share permissions in the attestation, not the folder permissions. Is this normal? Can we handle the folder permissions attestation also?

    I do not find the SDDL and attestation case for the permissions AllowChangePermissions and AllowExecute.

    param([string]$ResourceUri,[string]$Type,[string]$domain,[string]$removeAccess,[string]$UserSID)

    # Example values (commented out):
    #$ResourceUri="\\STSSQL\HR Files"
    #$Type="Shares"
    #$domain="rojatech.com"
    #$removeAccess="AllowWrite"
    #$UserSID="S-1-5-21-921104188-1249672828-1004744077-2656"

    Import-Module "C:\Program Files\Dell\One Identity Manager\Quest.Titan.Client.PowerShell.dll"
    Set-QServiceConnection -Deployment DEFAULT

    # Current share DACL as an SDDL string (-NoGroup: direct account ACEs only)
    $CurrentSDDL = Get-QResourceSecurity -ResourceUri $ResourceUri -ResType $Type -DomainDNSName $domain -NoGroup

    # Work on a copy and strip ACEs cumulatively. The original assigned
    # $CurrentSDDL.Replace(...) each time, so only the last replacement survived.
    $NewSDDL = $CurrentSDDL
    $removeSDDL = ""

    # Host name from "\\host\share" (element 2 after splitting on "\")
    $HostDownLevelName = $ResourceUri.Split("\")[2]

    $Permission = "A"
    if ($removeAccess -like 'Deny*') # Check if this is an Allow or Deny request
    {
        $Permission = "D"
    }

    # 0x1200a9 = Read & Execute, 0x1301bf = Modify. If Read is removed, Modify must go too.
    if ($removeAccess -like '*Read')
    {
        $removeSDDL = "(" + $Permission + ";;0x1200a9;;;" + $UserSID + ")"
        $NewSDDL = $NewSDDL.Replace($removeSDDL, "")
        $removeSDDL = "(" + $Permission + ";;0x1301bf;;;" + $UserSID + ")"
        $NewSDDL = $NewSDDL.Replace($removeSDDL, "")
    }
    elseif ($removeAccess -like '*Write')
    {
        $removeSDDL = "(" + $Permission + ";;0x1301bf;;;" + $UserSID + ")"
        $NewSDDL = $NewSDDL.Replace($removeSDDL, "")
    }
    elseif ($removeAccess -like '*FullControl') # matches AllowFullControl and DenyFullControl
    {
        $removeSDDL = "(" + $Permission + ";;FA;;;" + $UserSID + ")"
        $NewSDDL = $NewSDDL.Replace($removeSDDL, "")
    }
    elseif ($removeAccess -like '*ChangePermissions')
    {
        # Not handled yet: no matching SDDL / attestation case found for this permission
    }
    elseif ($removeAccess -like '*Execute')
    {
        # Not handled yet: no matching SDDL / attestation case found for this permission
    }

    # Only write back if an ACE was actually removed, so an unmatched request
    # never rewrites the DACL with an unchanged (or empty) string.
    if ($NewSDDL -ne $CurrentSDDL)
    {
        Set-QResourceSecurity -SDDL $NewSDDL -ResourceUri $ResourceUri -ResType $Type -DomainDNSName $domain -HostDownLevelName $HostDownLevelName
    }
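As an added example (not part of the poster's script, and not a DGE cmdlet), the function below removes ACEs from an SDDL string by parsing the DACL ACE by ACE instead of matching an exact substring. That way an ACE is still found when the hex mask is written in different case (0x1200A9 vs 0x1200a9) or when a folder ACE carries inheritance flags (for example "OICI"), both of which the string Replace above would silently miss. The SDDL string and the SIDs are constructed for the demonstration; the actual Set-QResourceSecurity call is only indicated in a comment because it needs the service connection.

```powershell
# Added example, not from the original post. Strips DACL ACEs for one SID from an
# SDDL string. ACE string format: (ace_type;ace_flags;rights;object_guid;inherit_guid;sid)
function Remove-SddlAceForSid {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,
        [ValidateSet('A','D')][string]$AceType = 'A',   # allow or deny ACEs
        [string[]]$Masks = $null                        # optional: only these access masks
    )
    # Split "O:...G:...D:<flags>(ace)(ace)...S:..." so only the DACL part is rewritten
    if (-not ($Sddl -match '^(?<pre>.*?D:)(?<flags>[A-Z]*)(?<aces>(\([^)]*\))*)(?<rest>(S:.*)?)$')) {
        throw "No DACL component found in SDDL: $Sddl"
    }
    $pre   = $Matches['pre']
    $flags = $Matches['flags']
    $rest  = $Matches['rest']
    $aces  = [regex]::Matches($Matches['aces'], '\([^)]*\)') | ForEach-Object { $_.Value }

    $kept = foreach ($ace in $aces) {
        $fields = $ace.Trim('(', ')').Split(';')
        $matchesSid  = $fields[5] -eq $Sid
        $matchesType = $fields[0] -eq $AceType
        # -ieq: hex masks compare case-insensitively, so 0x1200A9 equals 0x1200a9
        $matchesMask = (-not $Masks) -or [bool]($Masks | Where-Object { $_ -ieq $fields[2] })
        if ($matchesSid -and $matchesType -and $matchesMask) { continue }   # drop this ACE
        $ace
    }
    return $pre + $flags + ($kept -join '') + $rest
}

# Constructed sample: a share DACL with two allow ACEs for the attested user (made-up SID)
$userSid = 'S-1-5-21-1000000000-2000000000-3000000000-1234'
$sample  = "O:BAG:SYD:(A;;FA;;;BA)(A;;0x1200A9;;;$userSid)(A;;0x1301bf;;;$userSid)(A;;0x1200a9;;;WD)"

# "AllowWrite" case: remove only the Modify ACE (0x1301bf)
$afterWrite = Remove-SddlAceForSid -Sddl $sample -Sid $userSid -Masks '0x1301bf'
# "AllowRead" case: Read & Execute and Modify both go (uppercase mask is still matched)
$afterRead  = Remove-SddlAceForSid -Sddl $sample -Sid $userSid -Masks '0x1200a9','0x1301bf'
# Attestation denied outright: every allow ACE for the SID, whatever the mask
$afterAll   = Remove-SddlAceForSid -Sddl $sample -Sid $userSid

"Original:   $sample"
"AllowWrite: $afterWrite"
"AllowRead:  $afterRead"
"Deny all:   $afterAll"

# Write back only when something was removed; with a real connection this would be
# Set-QResourceSecurity -SDDL $afterAll -ResourceUri ... -ResType ... -DomainDNSName ... -HostDownLevelName ...
if ($afterAll -ne $sample) { "DACL changed, would call Set-QResourceSecurity" }
```

Passing -AceType 'D' removes the matching deny ACEs instead, which corresponds to the "Deny*" branch of the script above. Because the ACE is matched on its SID and type rather than on the full string, the same function works for folder ACEs that carry inheritance flags, which the share-only string matching does not cover.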