
Data Governance Attestation - No Default Process to Remove User or Group

Hi All,

Is there any default process in Q1IM to handle the attestation of Data Governance? I want to remove the user or group from the governed data (shared folder) when the attestation is denied. I am trying the default attestation cases below.

Data Governance: Groups with direct access attestation
Data Governance: Accounts with direct access attestation

There is no job triggered after it is denied.

All the options are set under "QER\Attestation\AutoRemovalScope" & "QER\CalculateRiskIndex".

The process "VI_Attestation_AttestationCase_AutoRemoveMemberships" does not have any generating condition for Data Governance.

Do we need to create a custom process for it? If yes, how can I call the DEG agent to remove the user or group from the shared folder?

Kindly help me on this.

Hi Matthias,

I have created a simple PowerShell script. It is working fine. I am planning to create a process in the Attestation table to call this PowerShell script to remove the access.

I can see only share permissions in the attestation, not the folder permissions. Is this normal? Can we handle the folder permissions attestation also?

I do not find the SDDL & attestation case for the permissions AllowChangePermissions & AllowExecute.

    param([string]$ResourceUri,[string]$Type,[string]$domain,[string]$removeAccess,[string]$UserSID)

    # Example values used for testing:
    #$ResourceUri="\\STSSQL\HR Files"
    #$Type="Shares"
    #$domain="rojatech.com"
    #$removeAccess="AllowWrite"
    #$UserSID="S-1-5-21-921104188-1249672828-1004744077-2656"

    Import-Module "C:\Program Files\Dell\One Identity Manager\Quest.Titan.Client.PowerShell.dll"
    Set-QServiceConnection -Deployment DEFAULT

    # Current SDDL of the resource as reported by the Data Governance server
    $CurrentSDDL = Get-QResourceSecurity -ResourceUri $ResourceUri -ResType $Type -DomainDNSName $domain -NoGroup
    $NewSDDL = $CurrentSDDL   # start from the current SDDL so an unhandled case leaves it unchanged
    $removeSDDL = ""
    $HostDownLevelName = $ResourceUri.Split("\")[2]   # "\\HOST\Share" -> "HOST"

    $Permission = "A"
    if ($removeAccess -like 'Deny*') { # Check if this is an Allow or Deny request
        $Permission = "D"
    }

    if ($removeAccess -like '*Read') { # If Read is removed, remove both the Read and the ReadWrite ACE (no Read means Write must go too)
        $removeSDDL = "(" + $Permission + ";;0x1200a9;;;" + $UserSID + ")"   # Read & Execute
        $NewSDDL = $NewSDDL.Replace($removeSDDL, "")
        $removeSDDL = "(" + $Permission + ";;0x1301bf;;;" + $UserSID + ")"   # Modify (read/write)
        $NewSDDL = $NewSDDL.Replace($removeSDDL, "")                         # chain on $NewSDDL so the first removal is kept
    }
    elseif ($removeAccess -like '*Write') {
        $removeSDDL = "(" + $Permission + ";;0x1301bf;;;" + $UserSID + ")"   # Modify (read/write)
        $NewSDDL = $NewSDDL.Replace($removeSDDL, "")
    }
    elseif ($removeAccess -like '*FullControl') {                            # matches both AllowFullControl and DenyFullControl
        $removeSDDL = "(" + $Permission + ";;FA;;;" + $UserSID + ")"         # Full control
        $NewSDDL = $NewSDDL.Replace($removeSDDL, "")
    }
    elseif ($removeAccess -like '*ChangePermissions') {
        # no SDDL mapping found yet (see question above)
    }
    elseif ($removeAccess -like '*Execute') {
        # no SDDL mapping found yet (see question above)
    }

    # Only write back when an ACE was actually removed
    if ($NewSDDL -ne $CurrentSDDL) {
        Set-QResourceSecurity -SDDL $NewSDDL -ResourceUri $ResourceUri -ResType $Type -DomainDNSName $domain -HostDownLevelName $HostDownLevelName
    }

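The script above removes the ACE with a plain string Replace(), which only matches an ACE whose flags field is empty, e.g. "(A;;0x1200a9;;;SID)". An ACE that carries inheritance flags, e.g. "(A;OICI;0x1200a9;;;SID)", is silently left in place, so the attestation denial would appear to be processed while the access remains. The following is an added example (not the poster's script and not a One Identity API) that parses the SDDL with the .NET RawSecurityDescriptor class and removes ACEs by SID, ACE type and access mask instead. The function name Remove-AceFromSddl, the $maskFor table and the sample SDDL are my own constructions; the masks and the SID are the ones used in the post, and the result string is what the post hands to Set-QResourceSecurity -SDDL.

```powershell
# Added example, not part of the original post.
# Removes the DACL entries of one SID from an SDDL string by parsing the DACL,
# so ACEs with inheritance flags (OICI etc.) are matched as well.
function Remove-AceFromSddl {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,
        # masks to remove, e.g. 0x1200a9 (Read & Execute), 0x1301bf (Modify), 0x1f01ff (Full control, "FA")
        [Parameter(Mandatory)][int[]]$AccessMask,
        # AccessAllowed for "Allow*" cases, AccessDenied for "Deny*" cases
        [System.Security.AccessControl.AceType]$AceType = [System.Security.AccessControl.AceType]::AccessAllowed
    )

    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $acl = $sd.DiscretionaryAcl
    $removed = 0

    if ($null -ne $acl) {
        # Walk backwards so RemoveAce() does not shift the indexes still to be visited.
        for ($i = $acl.Count - 1; $i -ge 0; $i--) {
            $ace = $acl[$i]
            if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }  # skip object/custom ACEs
            if ($ace.AceType -eq $AceType -and
                $ace.SecurityIdentifier.Value -eq $Sid -and
                $AccessMask -contains $ace.AccessMask) {
                $acl.RemoveAce($i)
                $removed++
            }
        }
    }

    # Removed = 0 means nothing matched: do not call Set-QResourceSecurity, log it instead,
    # because the access the attestation denied is not (or no longer) granted the way the case expects.
    [pscustomobject]@{
        Sddl    = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        Removed = $removed
    }
}

# Mapping from the post's $removeAccess values to the masks the post uses (my table, not a product constant).
$maskFor = @{
    Read        = @(0x1200a9, 0x1301bf)   # post's rule: dropping Read also drops Modify
    Write       = @(0x1301bf)
    FullControl = @(0x1f01ff)             # "FA" in SDDL shorthand
}

# Constructed sample: the attested user (SID from the post) holds an inheritable Modify ACE
# whose OICI flags make it invisible to the string Replace() in the script above.
$sampleSddl = "O:BAG:DUD:(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-921104188-1249672828-1004744077-2656)(A;OICI;0x1200a9;;;BU)"
$removeAccess = "AllowWrite"

$aceType = if ($removeAccess -like 'Deny*') { 'AccessDenied' } else { 'AccessAllowed' }
$key     = $removeAccess -replace '^(Allow|Deny)', ''   # "AllowWrite" -> "Write"

$result = Remove-AceFromSddl -Sddl $sampleSddl `
                             -Sid 'S-1-5-21-921104188-1249672828-1004744077-2656' `
                             -AccessMask $maskFor[$key] `
                             -AceType $aceType

if ($result.Removed -gt 0) {
    # Set-QResourceSecurity -SDDL $result.Sddl -ResourceUri $ResourceUri -ResType $Type -DomainDNSName $domain -HostDownLevelName $HostDownLevelName
    "Removed $($result.Removed) ACE(s); new SDDL: $($result.Sddl)"
} else {
    "No matching ACE for $removeAccess found; nothing written back"
}
```

Because .NET re-renders the SDDL (well-known masks may come back as their abbreviations), check whether anything changed via the Removed counter rather than by comparing the old and new strings.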