Data Access Review for the file share does not show the accounts which have access to file share via the group in RSA Identity Governance and Lifecycle
Originally Published: 2016-06-27
Article Number
Applies To
Issue
The file share below shows access to six groups and one account:
One of the groups has account as its member:
The screen shot below shows Data Access Review and its contents:
This screen shot shows the group DLG_FS_NAS_WholeNAS_Modify whose members are not included in review result:
Resolution
Groups are of two types:
- Managed. Groups that have access to just one data resource. Such groups have the column MANAGEDRES_TYPE set to a value of D in internal table T_GROUPS.
- Non Managed. Groups that have no access to none or more than one data resource.
When the option For each member, review the data resource granted from a data resource group is selected on review definition, the following happens:
- If a group is managed, the relation of group to data resource will not be reviewed. Instead, the access of accounts in the group to the data resource will be reviewed.
- If a group is non managed, the relation of group to data resources will be reviewed. The access derived by accounts in that group to the group’s data resources will not be reviewed.
- So, from number 2 above, it can be said that for a given group, either a group is reviewed (non managed) or accounts in the group (managed) are reviewed but not both at a time.
That is the expected behavior today.
