DataPrivilege 5.9 User Guide

Publishing Information
Software version: 5.9.70
Document version: 13
Publication date: May 31, 2013; updated July 23, 2014

Copyright 2005 - 2014 Varonis Systems Inc. All rights reserved.
This information shall only be used in conjunction with services contracted
for with Varonis Systems, Inc. and shall not be used to the detriment of
Varonis Systems, Inc. in any manner. User agrees not to copy, reproduce,
sell, license, or transfer this information without prior written consent of
Varonis Systems, Inc.
Other brands and products are trademarks of their respective holders.

Contents
1. Introduction.............................................................................................................1
Scope of This Guide............................................................................................................... 1
Terminology............................................................................................................................. 1
Related Documentation........................................................................................................... 4

2. Basic Concepts...................................................................................................... 5
Request Types........................................................................................................................ 5
About Data Access Requests...................................................................................... 5
About Group Membership Requests............................................................................6
About Direct Permission Requests.............................................................................. 7
About Authorization................................................................................................................. 7
About Entitlement Reviews..................................................................................................... 7
About DataPrivilege Roles...................................................................................................... 8
Multi-Domain Support..............................................................................................................9
Synchronization with Varonis DatAdvantage........................................................................ 10
About Automatic Rules..........................................................................................................11
Automatic Rules for Folders.......................................................................................11
Enforced Automatic Rules for Folders....................................................................... 15
Automatic Rules for Groups....................................................................................... 19
Enforced Automatic Rules for Groups....................................................................... 22
About Ethical Walls............................................................................................................... 24
DataPrivilege and Ethical Walls................................................................................. 24
Exceptions to Ethical Walls........................................................................................25
Ethical Walls Requiring Owner/Authorizer Approval.................................................. 25
Multi-Language Support........................................................................................................ 25

3. Getting Started.....................................................................................................27
Logging In..............................................................................................................................27
Graphical User Interface....................................................................................................... 27
Setting the Display Language...............................................................................................28
DataPrivilege Icons............................................................................................................... 29
Logging Out...........................................................................................................................31
Proprietary and Confidential of Varonis

4. Data Ownership................................................................................................... 33
About Data Owners...............................................................................................................33
Working with Data Owner Views............................................................................... 33
Adding Managed Folders........................................................................................... 34
Creating New Subfolders........................................................................................... 38
Granting Users Permissions to Managed Folders..................................................... 41
Exporting Permissions on Managed Folders............................................................. 46
Adding Authorizers to Managed Folders....................................................................47
Adding Owners to Managed Folders......................................................................... 51
Adding Authorization Rules to Folders.......................................................................52
Adding Automatic Rules to Folders............................................................................54
Viewing Event Logs and History................................................................................ 57
Viewing Folder Statistics............................................................................................ 58
Synchronizing Managed Folders with the Database..................................................59
Using the Authorizer View..........................................................................................60
About Data Authorizers......................................................................................................... 63
Viewing Permissions on Managed Folders................................................................ 63
Removing Direct Permissions from Managed Folders...............................................64

5. Group Ownership.................................................................................................65
About Group Owners............................................................................................................ 65
Working with Group Owner Views............................................................................. 65
Using the Group Search Pane...................................................................................66
Adding Users to Groups.............................................................................................67
Adding Authorizers to Managed Groups....................................................................70
Adding Authorization Rules to Groups.......................................................................74
Adding Automatic Rules to Groups............................................................................76
Viewing Permissions on Managed Groups................................................................ 78
Viewing Event Logs and History................................................................................ 79
Viewing Group Statistics............................................................................................ 80
Synchronizing Managed Groups with Active Directory.............................................. 81
Using the Authorizer View..........................................................................................81
About Group Authorizers.......................................................................................................83
Viewing Permissions on Managed Groups................................................................ 83

6. Administration.......................................................................................................85

Managing Groups..................................................................................................................85
Working with Group-Related Views........................................................................... 86
Using the Group Search Pane...................................................................................86
Adding Managed Groups and Owners at Once.........................................................87
Editing Managed Groups............................................................................................90
Resetting Managed Groups....................................................................................... 91
Managing Group Locations........................................................................................ 92
Adding Owners to Existing Groups............................................................................ 98
Adding Groups to Existing Owners............................................................................ 98
Viewing Group Details................................................................................................99
Setting Groups to Bypass the Authorization Process................................................ 99
Viewing Group Owner Details.................................................................................. 100
Removing Group Owners.........................................................................................101
Adding Authorizers to Groups.................................................................................. 101
Synchronizing Managed Groups with Active Directory............................................ 103
Managing Base Folders...................................................................................................... 103
Working with Data-Related Views............................................................................104
Adding Base Folder Locations................................................................................. 104
Adding Base Folders................................................................................................ 106
Adding Base Folders to Data Owners..................................................................... 110
Editing Base Folders................................................................................................ 110
Adding File Servers on the Fly................................................................................ 111
Moving Base Folders................................................................................................113
Removing Base Folders........................................................................................... 114
About Adding Data Owners..................................................................................... 114
Viewing Data Owner Details.................................................................................... 115
Removing Data Owners from Base Folders............................................................ 115
Managing Entitlement Reviews...........................................................................................116
Scheduling Entitlement Review Rules for Folder or Groups.................................... 116
Setting Exceptions to the Entitlement Request........................................................118
Cancelling Pending Entitlement Review Requests.................................................. 120

7. Advanced Administration................................................................................... 123
Managing Administrators and Floor Support...................................................................... 123
Adding Users and Groups to Roles......................................................................... 123
Editing User Roles................................................................................................... 125
Viewing User or Group Details................................................................ 126
Removing Users and Groups from Roles................................................................ 126
Managing Permission Types...............................................................................................126
Editing Predefined Permission Types...................................................................... 127
Customizing Permission Types................................................................................ 128
Configuring Domains in the System................................................................................... 130
Adding Trusted Domains to the System Configuration............................................ 131
Editing Domain Details............................................................................................. 133
Monitoring Domains..................................................................................................134
Disabling Domains....................................................................................................135
Removing Domains from the Database................................................................... 135
Managing File Servers........................................................................................................ 135
Searching for File Servers....................................................................................... 135
Adding File Servers.................................................................................................. 136
Removing File Servers............................................................................................. 137
Defining Credentials for File Servers and Root Folders...........................................137
Migrating File Servers.............................................................................................. 139
Managing Excluded Groups................................................................................................140
Adding Groups to the Exclusion List........................................................................140
Removing Groups from the Exclusion List...............................................................141
Removing Definitions of Undetected Folders......................................................................141

8. Authorization...................................................................................................... 143
Approving or Declining Requests........................................................................................143
Approving or Declining Requests through the Pending Requests Menu..................143
Approving or Declining Requests through Email..................................................... 145
Viewing and Approving Authorization Summaries.............................................................. 145
Approving Multiple Requests.............................................................................................. 147
About Performing Entitlement Reviews.............................................................................. 148
Performing Entitlement Reviews on Folders............................................................ 148
Performing Entitlement Reviews on Groups............................................................ 153

9. Requests and Floor Support Activities.............................................................. 159
Creating Requests...............................................................................................................159
Creating Permission Requests.................................................................................159
Creating Membership Requests............................................................................... 161
Viewing and Editing Request Details..................................................................164
Viewing Request Summaries.............................................................................................. 165

10. Reports.............................................................................................................167
Generating Reports in DataPrivilege.................................................................................. 167
Filtering Report Results............................................................................................167
Grouping Report Results..........................................................................................168
Sorting Report Results............................................................................................. 169
Using Extended Attributes to Retrieve Report Results............................................ 170
Scheduling and Subscribing to Reports..............................................................................170
Scheduling and Subscribing to Regular Reports..................................................... 170
Scheduling and Subscribing to Data-Driven Reports...............................................174
Viewing Defined Subscriptions............................................................................................178
Saving and Loading Report Criteria................................................................................... 178

11. Searching......................................................................................................... 179
Searching for Users............................................................................................................ 179
Searching for Groups.......................................................................................................... 181
Searching for Folders..........................................................................................................183
Searching for Requests.......................................................................................................184
Searching for File Servers.................................................................................................. 185
Searching by Organizational Unit....................................................................................... 187
Advanced Searching........................................................................................................... 190

12. Customizing the Menu Pages..........................................................................193
Adding Questions and Answers to the FAQ.......................................................................194

13. Configuration.................................................................................................... 195
Configuring Active Directory Properties.............................................................................. 195
Defining Application Settings.............................................................................................. 198
Descriptions of Application Settings.........................................................................199
Customizing the Appearance of DataPrivilege................................................................... 214
Selecting UI Themes................................................................................................ 214
Deploying UI Themes...............................................................................................215
Previewing Customized Themes.............................................................................. 216
Cloning Themes....................................................................................................... 216
Deleting Customized UI Themes............................................................. 217
Customizing the User Interface................................................................................218
Customizing the Navigational Menus..................................................................................218
Customizing and Configuring DataPrivilege Mail................................................................219
Customizing Request Notifications..................................................................................... 221
Customizing Entitlement Review Notifications.................................................................... 222
Customizing Confirmation Notifications...............................................................................224
Customizing Notifications for Exported Permissions.......................................................... 224
Customizing Request Fields............................................................................................... 225

Appendix A. Customized Permission Masks................................................. 229
Appendix B. DataPrivilege Filters................................................................231

1. Introduction
Varonis DataPrivilege provides automated, audited and managed
authorization flows that interface with any system-related IT operation in the
organization.

Scope of This Guide
This user guide describes DataPrivilege, and its main features and functions.
It contains the following chapters:

Chapter 1, "Introduction" - Provides an overview of DataPrivilege, as well as an overview of the document.
Chapter 2, "Basic Concepts" - Describes the basic concepts underlying DataPrivilege.
Chapter 3, "Getting Started" - Provides instructions for logging in to DataPrivilege, and a complete description of its graphical user interface.
Chapter 4, "Data Ownership" - Provides instructions for performing activities related to data ownership.
Chapter 5, "Group Ownership" - Provides instructions for performing activities related to group ownership.
Chapter 6, "Administration" - Provides instructions to administrators for working with DataPrivilege.
Chapter 7, "Advanced Administration" - Provides instructions to administrators for working with DataPrivilege.
Chapter 8, "Authorization" - Provides instructions to authorizers for working with DataPrivilege.
Chapter 9, "User and Floor Support Activities" - Provides instructions to users and floor support personnel for working with DataPrivilege.
Chapter 10, "Reports" - Provides instructions for generating and working with DataPrivilege reports.
Chapter 11, "Other Activities" - Provides instructions for carrying out various types of searches and generating reports.
Chapter 12, "Configuration" - Provides instructions for configuring DataPrivilege to work with Active Directory, and configuring general application settings.
Appendix A, "Customized Permission Masks" - Provides a complete list of all the masks available with which to customize permission types.
Appendix B, "DataPrivilege Filters" - Describes all the filters available for use with DataPrivilege reports.

Terminology

ACL
Access control list. A list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. In a typical ACL, each entry in the list specifies a subject and an operation: for example, the entry (Alice, delete) on the ACL for file XYZ gives Alice permission to delete file XYZ.

Authorization rule
A rule that enforces an additional level of authorization, provided that the user for whom the request is made meets certain criteria defined by the rule.

Authorizer
An authorizer is a user that can approve or decline requests. Authorizers can be data or group owners, as well as users specifically designated by the owners. Only the highest level authorizer can commit the request.

Authorizer 0
When the Authorizer 0 option is enabled and the user for whom the request was made has a manager defined in the Active Directory, the request must be authorized by the user's manager before it is sent to the relevant owner or authorizer (see Management authorization).

Automatic rule
A rule or a set of rules that enables automatic approval of data access requests and group membership requests, provided that the user for whom the request is made meets certain criteria defined by the rule.

Ethical Wall
A zone of non-communication between distinct departments of a business or organization to prevent conflicts of interest that might result in the inappropriate release of sensitive information.

Base folder
The root managed folder. A storage folder that is managed by one or more data owners. Can only be defined by administrators. Contains managed folders.

Base OU
Base organization unit. The OU in which all of a domain's entities are created. See OU below.

Bypass group authorization
This option enables folder owners to manage direct user members of the group if the group has a unique ACE on the folder. If the group has a unique ACE for several folders, all relevant folder owners can manage its members independently. For example:
- Several groups are used to manage a folder, and one of the groups does not have an owner. Unless the bypass option is set, users cannot request permissions of the type this group represents.
- If a group without an owner is the only group used to manage a folder, the folder is effectively not managed. Again, the bypass option enables managing the folder.

Location
A hierarchical tree representing a logical grouping of folders. Such grouping may be geographical (such as US or EU), divisional (such as ENG or ACC), or according to any other criteria.

Managed folder
A storage folder to which users can request access. Managed folders meet the following conditions:
- An owner is defined for it
- At least one authorizer is defined for it
- At least one monitored access control list (ACL) is defined for it (the ACL's group must also be monitored)

Managed group
A defined group of users for which it is possible to request membership, with the following conditions:
- An owner is defined for it; or
- A DataPrivilege administrator may set managed groups to bypass group authorization if preferred. In this case, the group must be defined for a managed folder that has an owner.

Management authorization
When the management authorization option is enabled and the user for whom the request was made has a manager defined in the Active Directory, the request must be authorized by the user's manager before it is sent to the relevant owner or authorizer (see Authorizer 0).

OU
Organizational unit. Organizational units are Active Directory containers which can include users, groups, computers, and other organizational units. They are often defined such that they mirror an organization's functional or business structure.

Roles
Several roles are predefined in DataPrivilege:
- Administrators
- Data Owners
- Data Authorizers
- Group Owners
- Group Authorizers
- Floor Support
- Users
- Webmasters

Share
A shared drive on the file system. Contains DataPrivilege base folders.

Traverse permissions
If a group has permissions to a subfolder but not its parent folders, traverse permissions enable group members to drill down through the file system to access the folder. For base folders, traverse permissions can be set up to the level of the share.

Trusting Domain
A domain that allows access to users on another domain.

Trusted Domain
The domain that is trusted; that is, whose users have access to the trusting domain.
Related Documentation
IDU Release Notes
IDU Suite Reports
DatAdvantage User Guide
DataPrivilege Bulk Upload Utility User Guide

2. Basic Concepts
DataPrivilege provides automated, audited and managed authorization
flows that interface with any system-related IT operation in the organization.
DataPrivilege enables users to request operations (such as granting access
privileges) directly from business authorizers, and designate individuals to
make requests on behalf of other users.
Above all, DataPrivilege provides a framework for IT processes by defining
authorization scenarios that delegate IT authorization from the IT department
to the business unit, thereby establishing the business unit's accountability
for its managed resources.

Request Types
DataPrivilege enables creation and authorization of the following types of
requests:

Data access (that is, permission requests)

Group membership

Direct permission requests

About Data Access Requests
In the ordinary course of work, users often need access to a specific file
or folder for which they do not have permission. When this happens, users
create explicit permission requests.
Since such permissions are best managed through group membership
(instead of granting individuals permission to a folder), a user's permission
request results in the automatic creation of a membership request, in which
the user is granted (or denied) membership to the relevant group. If the user
is granted membership to the group, the user may access all the data to
which the group has permission.
Users may also request membership in specific groups. See About Group
Membership Requests.

Data Access Request Flow
The following figure illustrates the flow of data access requests:

About Group Membership Requests
Membership requests may be created by any role. They are handled by both
group owners and group authorizers. If a group owner creates a membership
request through the Group Management screens, it is automatically
approved.

Group Membership Request Flow
The following figure illustrates the flow of group membership requests:

About Direct Permission Requests
Ordinarily, when users create requests, they are granted membership in a
particular group. Such group membership means that all users in the group
have the same permissions to the same folders.
However, it is sometimes necessary to grant a user permission to a
specific folder, but not to all the other folders to which the user's group has
permission. In this case, a direct permission request may be created, instead
of the usual membership request. A direct permission request enables
adding a user only to a specific ACL for a specific folder.
Direct permission requests can only be created for folders that are
specifically configured to allow such requests. (See Adding Base Folders.)
The following figure illustrates the flow of direct permission requests:

About Authorization
DataPrivilege enables owners to establish key authorization roles to ensure
accountability for the information they are responsible for.

Evaluation and Approval or Denial of Requests
DataPrivilege enables authorizers to approve or deny requests. With
DataPrivilege, authorizers can receive, review and set authorizations for user
requests.

Authorization Review and Supervision
DataPrivilege enables designated authorizers and third-party reviewers from
across the organization to grant or deny requests. Such authorization review
further enhances the organization's accountability and transparency.
Note: If the management authorization (Authorizer 0) option is enabled
and the user for whom the request was made has a manager defined in
the Active Directory, the request must be authorized by the user's manager
before it is sent to the relevant owner or authorizer.

About Entitlement Reviews


DataPrivilege ensures data owners and group owners review user
entitlement according to a defined schedule. The Entitlement Review
window lists all the members and permissions on managed objects, and
allows owners to decide to keep or remove any of the listed members
or permissions. A signing mechanism provides for full auditing of the
entitlement review process. See About Performing Entitlement Reviews.

About DataPrivilege Roles


Several roles are defined in DataPrivilege.

Administrators
Administrators are IT specialists. They are responsible for defining and
managing the definitions of the following:

Other administrators

Locations

Base folders

Assigning data owners to base folders

Assigning group owners to groups

Scheduling and configuring entitlement reviews

Cancelling pending entitlement review requests

Defining Floor Support personnel

Defining permission types

Generating synchronization reports

Defining application settings

Configuring DataPrivilege

Data Owners
Data owners are managers who are responsible for managed folders. This
includes the following activities:

Adding managed folders.

Adding automatic rules to folders.

Adding authorization rules to folders.

Adding authorizers to managed folders.

Granting permissions to managed folders.

Performing entitlement reviews.

Approving or denying user requests for access to data. Such requests
actually entail adding users to the relevant groups.

Synchronizing the actual database with the managed DataPrivilege
environment.

Group Owners
Group owners are managers who are responsible for managed groups. This
includes the following activities:

Adding managed groups.


Adding users to groups.

Removing users from groups.

Adding automatic rules to groups.

Adding authorization rules to groups.

Adding authorizers to managed groups.

Performing entitlement reviews.

Approving or denying requests for group membership.

Synchronizing managed groups with Active Directory.

Authorizers
Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:

Grant users permissions to managed folders

Add users to groups

Sign entitlement reviews

When data authorizers approve or decline requests, only those groups to
which a user can be assigned are displayed.
Authorization Levels
With DataPrivilege, multiple levels of authorization can be defined to ensure
data and entity membership are protected. An authorizer can be assigned to
any authorization level, even if the preceding levels have not been defined.

Profile Authorizers
Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:

Add users to profiles

Floor Support
Floor Support personnel can view all requests whose status is Pending.

Users
Regular users use DataPrivilege to:

Request access to data and track their requests

Request membership to groups and manage their memberships

Multi-Domain Support
DataPrivilege supports the configuration of multiple domains, so that users
from one domain (the trusted domain) can access services in another
domain (a trusting domain).
Domain trusts may be either unidirectional or bidirectional. Unidirectional
trusts allow access to resources only from the trusted domain to the trusting
domain, while bidirectional trusts allow access in both directions.
Cross-domain requests may be either membership requests or permission
requests (in which the permission is enforced according to a group
membership request).
In configuring trusts, the following are necessary:

Domains must exist in the database and be defined as monitored.

A base OU may be selected for each domain monitored by DataPrivilege.
If no base OU is selected, the user cannot create new security groups
from within DataPrivilege.

Active Directory user credentials must be managed (assigned and
changed) for each monitored domain.

The following diagram provides an example of domain trust configuration:

Synchronization with Varonis DatAdvantage


The synchronization engine enables maintaining complete synchronization
between DatAdvantage and DataPrivilege. The engine ensures that all
managed objects and their owners are copied from DatAdvantage to
DataPrivilege, including all relevant configuration settings for domains and
file servers. If a domain or file server does not exist in DataPrivilege, the
synchronization creates it.
DataPrivilege objects and owners are also synchronized to DatAdvantage
for monitored resources. However, if a file server managed in DataPrivilege
does not exist in DatAdvantage, the synchronization engine does not create
it in DatAdvantage since this would require a full installation procedure.

About Automatic Rules


Folder and group owners can create automatic rules to automatically resolve
permission and membership requests. Owners can also enforce automatic
rules, which means the rules are run at scheduled intervals (by default,
daily) and search for users who meet their conditions. These users are then
assigned or revoked group membership, as specified by the rule.
Rule conditions are defined with Active Directory properties. These
conditions are compared with the users' Active Directory properties, and
the rules are run on those users who meet their criteria. For example, an
automatic rule can be created for all users with the same department AD
property. For information about mapping Active Directory properties to users,
see Mapping Active Directory Settings.
For information on how to define automatic rules, see Adding Automatic
Rules to Folders and Adding Automatic Rules to Groups.
The following sections provide a detailed explanation of how automatic rules
are processed:

Automatic Rules for Folders

Enforced Automatic Rules for Folders

Automatic Rules for Groups

Enforced Automatic Rules for Groups

Automatic Rules for Folders


Automatic rules can be defined to resolve folder permission requests for
users whose Active Directory properties match the conditions defined in the
rule clauses.
IMPORTANT: User refers to the user for whom the request is made, no
matter whether the request was created by or on behalf of the user.
The different request types are resolved as follows:

Automatic Grant Rules


These rules handle all requests that meet the following criteria:

The Active Directory properties of the user match the conditions defined
for the automatic rule.

The request is for granting the user access permissions to the folder.

DataPrivilege processes requests that meet these criteria as follows:

IMPORTANT: If a user's Active Directory properties meet the criteria of a
different automatic rule that is defined to decline the request for access to
the folder, the request is declined.

Automatic Revoke Rules


These rules handle all requests that meet the following criteria:

The Active Directory properties of the user match the conditions defined
for the automatic rule.

The request is for revoking access permissions for the folder.

DataPrivilege processes requests that meet these criteria as follows:


Automatic Grant and Revoke Rules


These rules handle all requests that meet the following criteria:

The Active Directory properties of the user match the conditions defined
for the automatic rule.

The request is for either granting or revoking user access permissions to
the folder.

DataPrivilege processes requests that meet these criteria as follows:

IMPORTANT: For grant requests, if a user's Active Directory properties
meet the criteria of a different automatic rule that is defined to decline the
request for access to the folder, the request is declined.

Automatic Revoke All Rules


Revoke all automatic rules revoke user access to the folder, no matter what
permissions were requested. For more information about automatic revoke
all rules, see About Ethical Walls.
These rules handle all requests that meet the following criteria:

The Active Directory properties of the user match the conditions defined
for the automatic rule.

The request is for either granting or revoking user access permissions to
the folder.

DataPrivilege processes requests that meet these criteria as follows:


Enforced Automatic Rules for Folders


Enforced rules run daily (by default) and examine users' Active Directory
properties to see whether they match the conditions of a rule as well as
handle requests.
Note: Rules for both grant and revoke requests (Grant & Revoke) cannot
be enforced.

Enforce Grant Rules


These rules examine all users in Active Directory and those who meet the
rule's conditions are either made members of the group specified in the rule,
or requests are sent for them to the relevant authorizers and owners.
Users found by an enforced grant rule are processed as follows:


Enforced Revoke Rules


These rules examine users that have direct membership of the group with
permissions on the folder (specified by the rule) and check whether their
Active Directory properties meet the rule's conditions.
Users found by an enforced revoke rule are processed as follows:


Enforced Revoke All Rules


These rules find users that have effective permission on the folder and
check whether their Active Directory properties meet the rule's conditions.
Users found by an enforced revoke rule are processed as follows:


Automatic Rules for Groups


Automatic rules can be defined to resolve membership requests for users
whose Active Directory properties match the conditions defined in the rule
clauses.
IMPORTANT: User refers to the user for whom the request is made, no
matter whether the request was created by or on behalf of the user.
The different request types are resolved as follows:

Automatic Grant Rules


These rules handle all requests that meet the following criteria:

The Active Directory properties of the user match the conditions defined
for the automatic rule.

The request is for granting the user membership to a group.

DataPrivilege processes requests that meet these criteria as follows:

IMPORTANT: If a user's Active Directory properties meet the criteria of a
different automatic rule that is defined to decline the membership request,
the request is declined.

Automatic Revoke Rules


These rules handle all requests that meet the following criteria:

The Active Directory properties of the user match the conditions defined
for the automatic rule.

The request is for revoking group membership.

DataPrivilege processes requests that meet these criteria as follows:


Automatic Grant and Revoke Rules


These rules handle all requests that meet the following criteria:

The Active Directory properties of the user match the conditions defined
for the automatic rule.

The request is for either granting or revoking group membership.

DataPrivilege processes requests that meet these criteria as follows:

IMPORTANT: For grant requests, if a user's Active Directory properties
meet the criteria of a different automatic rule that is defined to decline the
membership request, the request is declined.

Automatic Revoke All Rules


Revoke all automatic rules revoke group membership. For more information
about automatic revoke all rules, see About Ethical Walls.
These rules handle all requests that meet the following criteria:

The Active Directory properties of the user match the conditions defined
for the automatic rule.

The request is for either granting or revoking group membership.

DataPrivilege processes requests that meet these criteria as follows:


Enforced Automatic Rules for Groups


Enforced rules run daily (by default) and examine users' Active Directory
properties to see whether they match the conditions of a rule as well as
handle requests.
Note: Rules for both grant and revoke requests (Grant & Revoke) cannot
be enforced.

Enforce Grant Rules


These rules examine all users in Active Directory and those who meet the
rule's conditions are either made members of the group specified in the rule,
or requests are sent for them to the relevant authorizers and owners.
Users found by an enforced grant rule are processed as follows:


Enforced Revoke Rules


These rules examine users that are direct members of the group and
check whether their Active Directory properties meet the rule's conditions.
Users found by an enforced revoke rule are processed as follows:

Enforced Revoke All Rules


These rules find users that are members of the group (direct or derived) and
check whether their Active Directory properties meet the rule's conditions.
Users found by an enforced revoke rule are processed as follows:
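The request-resolution and enforcement logic described in the automatic rule sections for folders and for groups, as an added Python model that is not Varonis code: Rule, resolve_request and run_enforced_rule are hypothetical names, and the decision field, the Pending fallback and the skipping of existing members are assumptions stated in the docstring.

```python
"""Model of DataPrivilege automatic-rule evaluation for folders and groups.

Illustration added for this guide, not Varonis code. Assumptions the page
does not state: a rule carries a decision ("approve" or "decline") for the
requests it handles; a request no automatic rule resolves stays Pending for
the owner or authorizer; an enforced grant rule skips existing members and,
with auto-approval disabled, creates a Pending request instead of adding
the member directly. Users and rules below are constructed sample data.
"""
from dataclasses import dataclass

GRANT, REVOKE, GRANT_AND_REVOKE, REVOKE_ALL = (
    "grant", "revoke", "grant_and_revoke", "revoke_all")


@dataclass
class Rule:
    kind: str                  # one of the four rule types above
    conditions: dict           # AD property -> required value
    decision: str = "approve"  # "approve" or "decline" (assumed representation)

    def matches(self, ad_props: dict) -> bool:
        """Every rule clause must match the user's Active Directory properties."""
        return all(ad_props.get(k) == v for k, v in self.conditions.items())

    def handles(self, request_type: str) -> bool:
        """Grant rules see grant requests, Revoke rules see revoke requests,
        Grant & Revoke and Revoke All rules see both."""
        if self.kind == GRANT:
            return request_type == "grant"
        if self.kind == REVOKE:
            return request_type == "revoke"
        return True


def resolve_request(request_type: str, ad_props: dict, rules: list) -> str:
    """Resolve a "grant" or "revoke" request for the user the request is FOR.

    Returns "Approved", "Declined", or "Pending" when no rule applies."""
    applicable = [r for r in rules
                  if r.matches(ad_props) and r.handles(request_type)]
    if not applicable:
        return "Pending"
    # A Revoke All rule denies access no matter what was requested, and a
    # matching rule defined to decline wins over any rule that would approve.
    if request_type == "grant" and any(r.kind == REVOKE_ALL for r in applicable):
        return "Declined"
    if any(r.decision == "decline" for r in applicable):
        return "Declined"
    return "Approved"


def run_enforced_rule(rule: Rule, all_users: dict, direct_members: set,
                      effective_users: set, auto_approve: bool = True) -> dict:
    """One scheduled (daily by default) enforcement run of a single rule.

    all_users: account -> AD properties for every user in the directory.
    direct_members: direct members of the group named by the rule.
    effective_users: users with effective permission on the folder (or
        direct-or-derived membership of the group).
    Returns {"added": [...], "removed": [...], "pending": [...]}."""
    if rule.kind == GRANT_AND_REVOKE:
        raise ValueError("Grant & Revoke rules cannot be enforced")
    actions = {"added": [], "removed": [], "pending": []}
    if rule.kind == GRANT:        # examine every user in Active Directory
        for user, props in sorted(all_users.items()):
            if rule.matches(props) and user not in direct_members:
                actions["added" if auto_approve else "pending"].append(user)
    elif rule.kind == REVOKE:     # examine only direct members of the group
        for user in sorted(direct_members):
            if rule.matches(all_users[user]):
                actions["removed"].append(user)
    else:                         # REVOKE_ALL: examine everyone with effective access
        for user in sorted(effective_users):
            if rule.matches(all_users[user]):
                actions["removed"].append(user)
    return actions


# Constructed sample directory and rule set for a Finance folder.
USERS = {
    "alice": {"department": "Finance", "title": "Analyst"},
    "bob":   {"department": "Finance", "title": "Contractor"},
    "carol": {"department": "Legal",   "title": "Counsel"},
}
FINANCE_RULES = [
    Rule(GRANT, {"department": "Finance"}),                    # Finance staff: approve
    Rule(GRANT, {"title": "Contractor"}, decision="decline"),  # ...but never contractors
    Rule(REVOKE_ALL, {"department": "Legal"}),                 # ethical wall against Legal
]

if __name__ == "__main__":
    for user, props in USERS.items():
        print(user, resolve_request("grant", props, FINANCE_RULES))
    print(run_enforced_rule(FINANCE_RULES[2], USERS, {"carol"}, {"alice", "carol"}))
```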


About Ethical Walls


An ethical wall is a zone of non-communication between distinct
departments of a business or organization to prevent conflicts of interest
that might result in the inappropriate release of sensitive information. For
example, an organization might define an ethical wall between Finance
and other organizational units, so that no unauthorized personnel can
access financial information.

DataPrivilege and Ethical Walls


DataPrivilege supports the definition of ethical walls as follows:


Automatic rules can be defined that deny all access to a specific folder,
whether by group membership or direct permission.

The auto-approval feature can be disabled for automatic rules that are set
to be enforced automatically.

The Enforced Rules report lists all the actions (requests) carried out by
the automatic rules defined in the system, including rules that establish
ethical walls.

Ethical walls can only be defined on managed entities. Therefore, if a
folder has permissions for a non-managed group that includes a member
who matches an ethical wall rule, other rules cannot be enforced on the
folder and notification about the issue cannot be provided.

The definition of an ethical wall may cause permissions on other folders
to be removed, if a group matching the wall criteria has permissions to
both.

Exceptions to Ethical Walls


An ethical wall cannot be created in the following cases:

A user that would be affected by the wall is a member of an inherited group
that has permission on the folder.

A user that would be affected by the wall is a member of an unmonitored
group that has permission on the folder.

A user that would be affected by the wall has permission on an
unmonitored folder.

A user that would be affected by the wall has permission or is a member
of a group having permission to a folder that has no owner.

A user that would be affected by the wall meets the following conditions:

Is a member of a group having permission on the folder or has direct
permission on it; and

the group is set to allow bypassing authorization; and

the group has no owner.

Ethical Walls Requiring Owner/Authorizer Approval


In some cases, the creation of an ethical wall does not automatically remove
membership. Instead, a request is created which must be approved by the
relevant owner or authorizer.
A group membership request is created with a status of Pending if an ethical
wall is created on a folder when:

Removing a member of a nested group.

Removing a member of a group having permission on an unmonitored
folder.

Removing a member of a group which is inherited.

When the rule is flagged as "not automatically approved," all the requests
are created with a status of Pending.

Multi-Language Support
DataPrivilege enables you to select the language in which the user interface
is displayed. While the default language is the language selected upon
installation, you may choose any language that is available through the
Enterprise Installer.
Different users in an organization can view the user interface in different
languages simultaneously.
Available languages:

Czech

Dutch

English

French

German

Hebrew

Japanese

Russian

Swedish


3. Getting Started

Logging In
To log in to DataPrivilege:
1. Start Internet Explorer.
2. In the Address bar, enter the required URL. Alternatively, click the
DataPrivilege link on the enterprise portal.
The main DataPrivilege screen is displayed.

Graphical User Interface


The DataPrivilege user interface is comprised of several elements:

Menu buttons at the top of the screen. The content pages of the menu
buttons can be customized as necessary.

Left menu bar, which provides users access to the various panes of the
workspace. The left menu bar includes the following menus:

Summary - Available to all types of users

Pending Requests - Available to all types of users

Permission Requests - Available to all types of users

Membership Requests - Available to all types of users

Management - Available to owners and authorizers

Administration - Available to administrators only

Advanced Administration - Available to administrators only

Search - Available to all types of users

Reports - Available to all types of users (only owners and
administrators can generate synchronization reports)

Configuration - Available to Webmasters only

Main workspace, in which the various panes are displayed.


Setting the Display Language


To customize the display language:
1. Open the relevant page.
2. Select the preferred language from the drop-down list.

The window is displayed in the selected language.


DataPrivilege Icons
The following icons are used in the DataPrivilege graphical user interface:
Icon

Description
The entity was added to DataPrivilege.
The entity was added to DataPrivilege by an enforced automatic
rule.
References existing shares.
The entity has been changed and requires synchronization.
An error has occurred in the synchronization between
DataPrivilege and DatAdvantage.
DataPrivilege-DatAdvantage synchronization is pending.
The entity is recommended for removal by DatAdvantage.
The user's permissions have been edited.
The user has multiple inheritance, consisting of a group that was
added from outside DataPrivilege and another group that has
been recommended for removal.
An error has occurred.
File without access.
Folder is not managed.

Non-managed protected folder.
Non-managed unique folder.
Folder without access.
Protected folder.
Unique folder without access.
Managed group.
Non-managed group.
Enabled user.
Disabled user.
An error occurred during synchronization.
Request automatically approved.
Request cancelled.
Ethical wall.
Request is being executed.
Request to grant permission.
Request to revoke permission.
The request's status is Approved.
The request's status is Declined.
The request's status is Error or Expired.
The request is pending.
Information.
Operation cancelled.
Managed distribution group.

Unmanaged distribution group.
Undetected folder.
Profile.

Logging Out
There is no need to log out of DataPrivilege. Simply close the Internet
browser.


4. Data Ownership

About Data Owners


Data owners are managers who are responsible for managed folders. This
includes the following activities:

Adding managed folders.

Adding automatic rules to folders.

Adding authorization rules to folders.

Adding authorizers to managed folders.

Granting permissions to managed folders.

Performing entitlement reviews.

Approving or denying user requests for access to data. Such requests
actually entail adding users to the relevant groups.

Synchronizing the actual database with the managed DataPrivilege
environment.

DataPrivilege also supports the management of local users and groups.
All activities described above can be performed for local groups as well as
global groups.
Note: This feature is disabled by default and can be enabled when adding
a file server or defining credentials for file servers and root folders. For more
information, see Adding File Servers or Defining Credentials for File Servers
and Root Folders. If enabled, the local host on which the file server resides
becomes a monitored domain.

Working with Data Owner Views


DataPrivilege provides two data owner-related views:

Folder view

Authorizers view
To work with a data owner-related view:

1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.

2. Above the Search pane, click the link to switch to the required view.

In the Folder view:

The list of locations and folders is displayed in the left pane.

Select a folder to display its permissions, authorizers, rules, etc. in
the right pane.

If you select multiple folders, only the items common to the entire
selection are displayed.

In the Authorizers view:

The list of folder authorizers is displayed in the left pane.

Select an authorizer to display the folders for which it is
responsible in the right pane.

If you select multiple authorizers, only the folders common to all
the selected authorizers are displayed.

Choose the Selected Only option to view only the selected
authorizers and their folders.

Adding Managed Folders


To create a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.


2. Expand the entities in the Display Name column to the position at which
you want to create the managed folder.
3. Click Add Folder.
The Add Managed Folder wizard is displayed, on the Select Folders
page.
4. Click the Browse button to select the required folders. You may
also paste folder names in UNC format (that is, \\ComputerName
\SharedFolder\Resource).
5. Click Add.
The folders are added to the grid in the lower pane.
Note: If you selected a folder located in a file server that is not yet
defined in DataPrivilege, the File Servers Definition dialog box is
displayed. Define the file server as necessary.

The grid enables you to continue defining folders. There is one set of
definitions for each folder.
6. For each folder, define the following as relevant:

Display path - This column shows the folder's path. Select the
Allow direct permissions option if you want to enable creating direct
permission requests on the folder.

Existing groups - Select unique groups that have direct permissions
on the folder.

New permissions - In the New Permissions column, select the
permissions to be granted to the new group. If preferred, change the
default name of the group.


Make Traverse Permissions - If a group has permissions to a
subfolder but not its parent folders, traverse permissions enable group
members to drill down through the file system to access the folder. For
base folders, traverse permissions can be set up to the level of the
share.

Bypass Group Authorization - This option enables folder owners to
manage direct user members of the group if the group has a unique
ACE on the folder. If the group has a unique ACE for several folders,
all relevant folder owners can manage its members independently. For
example:

Several groups are used to manage a folder, and one of the
groups does not have an owner. Unless the bypass option is
set, users cannot request permissions of the type this group
represents.

If a group without an owner is the only group used to manage a
folder, the folder is effectively not managed. Again, the bypass
option enables managing the folder.

7. Click Next.
The Select Authorizers page is displayed.
8. In the Authorizers column, click Add and search for the required
authorizers. You may select more than one.
The authorizers are added.

9. Click Next.

10. When the summary is displayed, indicating success, click Finish.

Editing Managed Folders


After creating managed folders, data owners can edit them as necessary.

Any global group that belongs to a trusted domain may be granted
permissions on the folder.

Any local group belonging to the same domain as the file server whose
folder permissions are being set may be added to the folder.

To edit a managed folder:


1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder to be edited.
The Add, Edit and Remove buttons in the pane become active.
3. Click Edit.
The Edit Folders dialog box is displayed.

4. Edit the managed folder's details as necessary.


5. In the bottom pane, select the relevant options to set the scope of
permissions:

Make Protected - If you select this option, the folder no longer inherits
permissions from its parent.

Copy Permissions - If you set the folder to Make Protected, select this
option to copy the parent folder's permissions to this folder.

Make Inherit - Select this option if you want the folder to inherit
permissions from its parent.


Note: These options are only visible if the ability to set protection and
inheritance is configured for owners and authorizers.
6. Click Next.
Your changes are saved and you are redirected to the operation
summary screen.

Removing Managed Folders


To remove a managed folder from a base folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder to be removed.
The Add, Edit and Remove buttons in the pane become active.
3. Click Remove.
The managed folder is removed.

Creating New Subfolders


Owners can create subfolders within the folders they own.
Note: This feature is disabled by default and must be first enabled through
Configuration > Application Settings > Authorizer and Owner Rights.
To create a subfolder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.

2. Expand the entities in the Display Name column to the position at which
you want to create the subfolder.
3. Click Create Folder.
The Create Folder page is displayed.


4. In the Folder Name text box, type the name of the new subfolder.
5. In the New Permissions area, select permissions to be assigned to the
new subfolder.
Note: The Make Traverse Permissions option enables users who have
permissions to the subfolder but not its parent folders to navigate through
the file system to the subfolder.
6. In the Advanced area, define the following:

Allow direct permissions - When selected, direct permission requests
are enabled for the subfolder.

Make Protected - When selected, the subfolder does not inherit
permissions from its parent folder.

Copy Permissions - When selected, the subfolder is assigned the
same permissions as its parent folder, although they are not inherited
(only enabled when Make Protected is selected).

7. In the Authorizers area, click Add.
The Authorizers Details window is displayed.


8. Do one or more of the following:

In the Select Users area, type the required users, using the <domain
name>\<user name> format.

To search for and add the required users, click the Browse button.

9. Click Add.
The users are added to the Display Name area.

10. Select the required Authorizer Level of the users.


Note: The available authorization level of users is only incremented after
users are added to the Authorizers area of the Create Folder window
(after completing the next step).
11. Click OK.
Note: To add users with a higher authorization level, repeat steps 9 to
11.
The Authorizer Details window is closed and the selected users are
displayed in the Authorizers area of the Create Folder window.
12. Click OK.
The Create Folder window is closed and the new subfolder is created.

Granting Users Permissions to Managed Folders


Data owners can use the following methods to create permission requests
on behalf of users:

With an ordinary permission request created through the Permission
Request wizard. These requests are subject to the normal approval
process. See Creating Permission Requests.

With a direct permission request, created through the Managed Folders
> Permissions tab, to grant permission to specific users on specific
folders. These requests are automatically approved; since the data owner
is the one making the request, there is no need for a manual approval
process.
Note: Direct permission requests can only be created for folders that are
specifically configured to allow such requests. See Adding Base Folders.

With a permission request, created through the Managed Folders >
Permissions tab, to add a user to a managed group that already has the
required permissions for the relevant folder (the data owner must own the
folder). These requests are also automatically approved.

Any user belonging to a trusted domain may be added to a folder.
With regard to local and global groups:

A user may be added to a local group only from domains trusted by the
domain in which the local group is defined (including its own domain).

A user may be added to a global group only from the same domain in
which the global group is defined.
The list of users is filtered according to these constraints. This means that
when users are added to global groups, only the users from the global
group's domain may be displayed.
When users are added to a local group only the users from the local group's
domain and trusted domains are shown.
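The trust-direction rules from Multi-Domain Support and the local/global group filtering described just above, as an added Python model that is not Varonis code: Trust, domains_trusted_by, can_access and eligible_users are hypothetical names, and the domains and accounts are constructed samples.

```python
"""Model of the user-filtering constraints for local and global groups across
domain trusts (Multi-Domain Support; Granting Users Permissions to Managed
Folders).

Illustration added for this guide, not Varonis code. Domain and account
names are constructed. Trust semantics follow the guide: in a unidirectional
trust, users of the trusted domain may access resources in the trusting
domain; a bidirectional trust allows access in both directions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str              # domain that holds the resources
    trusted: str               # domain whose users are let in
    bidirectional: bool = False


def domains_trusted_by(domain: str, trusts: list) -> set:
    """Domains whose users may access resources in `domain` (itself included)."""
    result = {domain}
    for t in trusts:
        if t.trusting == domain:
            result.add(t.trusted)
        if t.bidirectional and t.trusted == domain:
            result.add(t.trusting)
    return result


def can_access(user_domain: str, resource_domain: str, trusts: list) -> bool:
    """Cross-domain access check: the resource domain must trust the user's domain."""
    return user_domain in domains_trusted_by(resource_domain, trusts)


def eligible_users(group_domain: str, group_scope: str,
                   users: list, trusts: list) -> list:
    """Filter the candidate list the way the user picker does for a group.

    users: (domain, account) pairs; group_scope: "local" or "global"."""
    if group_scope == "global":
        allowed = {group_domain}                            # same domain only
    elif group_scope == "local":
        allowed = domains_trusted_by(group_domain, trusts)  # own plus trusted domains
    else:
        raise ValueError(f"unknown group scope {group_scope!r}")
    return [u for u in users if u[0] in allowed]


# Constructed sample: CORP trusts PARTNER one way; CORP and SUB trust each other.
TRUSTS = [
    Trust(trusting="CORP", trusted="PARTNER"),
    Trust(trusting="CORP", trusted="SUB", bidirectional=True),
]
USERS = [("CORP", "alice"), ("PARTNER", "bob"), ("SUB", "carol"), ("OTHER", "dave")]

if __name__ == "__main__":
    print(eligible_users("CORP", "local", USERS, TRUSTS))     # alice, bob, carol
    print(eligible_users("CORP", "global", USERS, TRUSTS))    # alice only
    print(eligible_users("PARTNER", "local", USERS, TRUSTS))  # bob only (one-way trust)
```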

Creating Direct Permission Requests


Direct permissions can be added only for users and groups in the same
domain as the relevant folder or in any trusted domain. In addition to using
the method described here to create direct permission requests, data
owners and authorizers who possess owner privileges can change regular
membership requests to direct permission requests during the approval
process. For instructions, see Approving or Declining Requests.


To create a direct permission request:


1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder to which you want to grant the user
permission.
3. In the right pane of the main workspace, select the Permission tab. The
ACLs currently defined for the selected managed folder are displayed.

4. In the right pane, click Add Permission.
The Create Direct Permission Request dialog box is displayed.

5. Click Select Users/Groups.
The Users Search dialog box is displayed.
6. Search for the users and groups to whom you want to grant permission.
7. In the Request Reason field, type the reason why the selected users
require permission for the managed folder.
8. In the Permission to Folder area, select the permission type to be granted
to the users.
9. In the Expiration Date area, set the date on which the permission is to
expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

10. Click OK.
A direct permission request is created for the specified users and groups.

Changing the Permission Expiration Date


To change the date on which a user's or group's permission expires:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder whose permission expiration date
you want to edit.
3. In the right pane of the main workspace, select the Permission tab. The
ACLs currently defined for the selected managed folder are displayed.

4. In the right pane, select the Permissions tab.
5. In the Expiration Date column, click the link for the relevant user or group.
The Edit Expiration Date dialog box is displayed.

6. Set the date on which the permission is to expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

7. Enter a reason for setting this expiration date.
8. Click OK.


Removing Direct Permissions from Managed Folders


Just as data owners and authorizers can create direct permission requests,
they can also create direct removal requests, to remove user or group
permissions from a managed folder.
To remove direct permissions from a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.

2. In the Permissions pane, select the user or group whose permission is to be
removed.
3. Click Remove Permission.
The Remove Permission dialog box is displayed.
4. Type the reason for revoking the direct permission.
5. Click OK.
The direct permission to the selected managed folder is revoked.

Adding Users to Groups Having Permissions for Managed Folders


To add users or groups to a group having permissions for a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder to which you want to grant the user
permission.
3. In the right pane of the main workspace, select the Permission tab. An
aggregate of the permissions currently defined for the selected managed
folder is displayed.

4. In the right pane, select the ACL to which you want to add the user.
5. In the right pane, click Add Member. The Create Permission Request
dialog box is displayed.


6. Click Select User.
The User Search dialog box is displayed.
7. Search for the users and groups to whom you want to grant permissions.
8. In the Request Reason field, type the reason why the selected users
require permissions for the managed folder.
9. In the Expiration Date area, set the date on which the permission is to
expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

10. Click OK.
The selected users and groups are added to the group.

Removing Users from Groups having Permissions for Managed Folders


Data owners can create requests to remove group membership for specific
users, thereby removing the users' access to specific managed folders.
To create a request to remove a user from a group:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Go to the Permission tab.
The ACLs currently defined for the selected managed folder are
displayed.
3. Above the Search pane, click the link to select the Folders view.
4. Expand the relevant group and select the checkbox of the user whose
permission is to be removed.
5. Click Remove Member.
The Remove Member from Group dialog box is displayed.
6. Type the reason for revoking the user's permission.
7. Click OK.
The user's permission to the selected managed folder is revoked.


Viewing Advanced Permissions


The main Permissions pane displays an aggregate of the permissions
granted to the selected folder. However, the Advanced Permissions
Settings window provides a fully detailed view of the folder's permissions.
To view advanced permissions for the selected folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Go to the Managed Folders pane.
3. Click the name of the managed folder for which you want to view
advanced permissions.
4. In the right pane of the main workspace, select the Permission tab. The
ACLs currently defined for the selected managed folder are displayed.

5. In the right pane, click Advanced Permissions. The Advanced
Permissions Settings window is displayed.

Exporting Permissions on Managed Folders


Data owners and authorizers can generate permissions reports directly from
the main Permissions pane.
Note: This feature is disabled by default and must be first enabled through
Configuration > Application Settings > Authorizer and Owner Rights.


Depending on the configuration for this setting, one or both of the following
reports can be generated:

Managed Folder Permissions

Managed Folder User Level Permissions

To export permissions on managed folders:


1. From the left menu bar, do one of the following:

If you are a data owner, select Management > Folder Owner

If you are an authorizer, select Management > Folder Authorizer

2. In the Managed Folders pane, click the name of the managed folder
whose permissions you want to export.
3. In the right pane of the main workspace, select the Permissions tab. The
ACLs currently defined for the selected managed folder are displayed.

4. Click Export Permissions.
An email is sent to the specified email address describing the
permissions on the specified folder or group.

Adding Authorizers to Managed Folders


There are three methods for adding authorizers to managed folders:

Through the Add Managed Folders wizard

Through the Authorizers tab

Through a popup menu

Adding Authorizers to Managed Folders through the Authorizers Tab


If you select multiple folders, you can add a common authorizer to all the
selected folders at once.
To add an authorizer to a managed folder through the Authorizers tab:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder to which you want to add an
authorizer.
3. In the right pane of the main workspace, click the Authorizers tab.
The authorizers currently defined for the selected managed folder are
displayed (if you selected more than one folder, the authorizers that are
common to all selected folders are displayed).


4. In the right pane, click Add.
The Authorizer Details dialog box is displayed.

5. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
6. Click Add.
The authorizers are added to the lower pane.
7. From the Authorizer Level dialog box, select the level of the new
authorizer. You may select any level you want for the authorizer.
8. Click OK twice to close the dialog boxes.
The new authorizer is displayed in the right pane.

Adding Authorizers to Managed Folders through the Popup Menu


To add an authorizer to a managed folder through the popup menu:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. In the Managed Folders pane, right-click the name of the managed folder
to which you want to add an authorizer. A popup menu is displayed.

3. From the popup menu, select Authorizers. The Add Authorizer dialog
box is displayed, listing the authorizers who are currently defined for the
managed folder.

4. Click Add.
The Authorizer Details dialog box is displayed.


5. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
6. Click Add.
The authorizers are added to the lower pane.
7. From the Authorizer Level dialog box, select the level of the new
authorizer. You may select any level you want for the authorizer.
8. Click OK twice to close the dialog boxes.
The new authorizer is displayed in the right pane.

Viewing Authorizer Details


To view the details of existing authorizers:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the information icon for the authorizer whose details you want to
view.
The Folder Authorizer Details dialog box is displayed, showing the
details of the selected authorizer.
3. Click OK.

Removing Authorizers from Managed Folders


To remove an authorizer from a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.


2. Select the check box of the authorizer to be removed.
3. Click Remove.
The authorizer is removed from the managed folder.

Adding Owners to Managed Folders


To add an owner to a managed folder through the popup menu:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder to which you want to add an owner.
A popup menu is displayed.
3. From the popup menu, select Owner.
The Data Owners dialog box is displayed, listing the owners who are
currently defined for the managed folder.

4. Click Add.
The Users Search dialog box is displayed.


5. In the Select Users area, click the Browse button to locate the relevant
owners. You may select more than one.
6. Click Add.
The owners are added to the lower pane.
7. Click OK twice to close the dialog boxes. The new owner is displayed in
the right pane.

Adding Authorization Rules to Folders


To add an authorization rule to a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder to which you want to add an
authorization rule.
3. In the right pane of the main workspace, click the Auth Rules tab.
The authorization rules currently defined for the managed folder are
displayed.

4. In the right pane, click Add.
The Authorizer Rule Details dialog box is displayed.


5. In the Rule Name field, type a name for the authorization rule to be
added.
6. Select or clear the Is Enabled checkbox to enable or disable the rule as
necessary.
7. In the Clauses area, define the expression the rule is to calculate.
a. Click Edit. The Rule Clauses dialog box is displayed.

b. From the drop-down boxes, select the required values to build the
clause.

c. To add a clause, click Add Clause. An additional row is displayed.
d. To remove an extraneous clause, click Remove. The extraneous
clause is removed.
e. When the expression is complete, click OK.
8. In the Authorizers area, click Add. The User Search dialog box is
displayed.
9. Search for the authorizers to be added.
10. Click OK.

Editing Authorization Rules for Folders


To edit existing authorization rules:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. In the right pane of the main workspace, click the Auth Rules tab.
3. Click the information icon for the rule whose details you want to view.
The Authorizer Rule Details dialog box is displayed, showing the details
of the selected rule.
4. Edit as necessary.
5. Click OK.

Removing Authorization Rules from Folders


To remove an authorization rule from a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. In the right pane of the main workspace, click the Auth Rules tab.
3. Select the check box of the rule to be removed.
4. Click Remove.
The authorization rule is removed from the managed folder.

Adding Automatic Rules to Folders


To add an automatic rule to a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder to which you want to add an
automatic rule.
3. In the right pane of the main workspace, click the Automatic Rules tab.
The automatic rules currently defined for the managed folder are
displayed.


4. In the right pane, click Add. The Automatic Rule Details dialog box is
displayed.

5. In the Rule Name field, type a name for the automatic rule to be added.
The name must be unique.
6. Select or clear the Is Enabled checkbox to enable or disable the rule as
necessary.
7. In the Clauses area, define the expression the rule is to calculate.
a. Click Edit. The Rule Clauses dialog box is displayed.


b. From the drop-down boxes, select the required values to build the
clause.
c. To add a clause, click Add Clause. An additional row is displayed.
d. To remove an extraneous clause, click Remove. The extraneous
clause is removed.
e. When the expression is complete, click OK.
8. In the Request Operation Type area, select the operations that the rule
can carry out if all its criteria are met. The rule is only enforced if all the
clauses and the selected operation type match. Options are:

Grant - Set the rule to only grant permissions, not to revoke them.

Grant & Revoke - Set the rule to both grant and revoke permissions as
necessary.

Revoke - Set the rule to only revoke permissions, not to grant them.

Revoke All - Set the rule to revoke all memberships, including nested
memberships. This creates an ethical wall.

9. In the Permissions area, select the permissions to be granted to the
managed folder.
10. In the Expiration Date area, set the date on which the permission is to
expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

11. In the Authorization area, set the rule to automatically approve or decline
requests as necessary.
12. Select or clear the Enforce Rule checkbox as necessary, to run the rule
at a predefined interval on all the users in Active Directory who meet the
rule's criteria. This option is disabled under the following conditions:

Operation Type is set to Grant & Revoke.

The authorization option is set to Decline.


Note: If this option is selected and the system is not otherwise
configured, the rule is run once every 24 hours.

13. Select the Do Not Approve Automatically checkbox as necessary, to
prevent automatic approval of any request created by this rule. The
requests remain in the Pending Authorization state.
14.Click OK.
The automatic rule is added to the managed folder.
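The automatic-rule options from the procedure above, as an added example that is not DataPrivilege code: the Enforce Rule availability conditions, the request state produced by the Authorization and Do Not Approve Automatically settings, and why a Revoke rule leaves nested access in place that only Revoke All (the ethical wall) removes. The group-nesting model (each group's direct members, which may be users or other groups), the attribute clauses, and all names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Added example, not DataPrivilege code. Group names, members and clauses are constructed.

class OperationType(Enum):
    GRANT = "Grant"
    GRANT_AND_REVOKE = "Grant & Revoke"
    REVOKE = "Revoke"
    REVOKE_ALL = "Revoke All"

@dataclass
class AutomaticRule:
    name: str
    clauses: list[tuple[str, str]]        # (attribute, value) pairs; all must match
    operation_type: OperationType
    authorization: str = "Approve"        # "Approve" or "Decline"
    enabled: bool = True
    enforce_rule: bool = False
    do_not_approve_automatically: bool = False

def enforce_rule_available(rule: AutomaticRule) -> bool:
    """Enforce Rule is disabled when the operation type is Grant & Revoke
    or the authorization option is Decline."""
    return (rule.operation_type is not OperationType.GRANT_AND_REVOKE
            and rule.authorization != "Decline")

def validate(rule: AutomaticRule) -> list[str]:
    """Configuration problems a reviewer should catch before the rule is saved."""
    problems = []
    if not rule.name.strip():
        problems.append("rule name is required")
    if rule.authorization not in ("Approve", "Decline"):
        problems.append(f"unknown authorization option {rule.authorization!r}")
    if rule.enforce_rule and not enforce_rule_available(rule):
        problems.append("Enforce Rule cannot be combined with Grant & Revoke or Decline")
    return problems

def matches(rule: AutomaticRule, user_attrs: dict[str, str]) -> bool:
    """The rule applies only if it is enabled and every clause matches."""
    return rule.enabled and all(user_attrs.get(a) == v for a, v in rule.clauses)

def request_state(rule: AutomaticRule) -> str:
    """State of a request created by the rule."""
    if rule.authorization == "Decline":
        return "Declined"
    if rule.do_not_approve_automatically:
        return "Pending Authorization"
    return "Approved"

def _grants_access(group: str, folder_groups: set[str], members: dict[str, set[str]]) -> bool:
    """True if `group` is one of the folder's groups or is nested inside one of them."""
    stack, seen = [group], set()
    while stack:
        g = stack.pop()
        if g in folder_groups:
            return True
        if g in seen:
            continue
        seen.add(g)
        stack.extend(parent for parent, m in members.items() if g in m)
    return False

def memberships_to_revoke(user: str, folder_groups: set[str],
                          members: dict[str, set[str]], op: OperationType) -> set[str]:
    """Group memberships the rule removes for `user`. Revoke touches only direct
    membership in the folder's own groups; Revoke All also removes memberships
    that reach those groups through nesting, which is what closes the wall."""
    direct = {g for g, m in members.items() if user in m}
    if op is OperationType.REVOKE:
        return direct & folder_groups
    if op is OperationType.REVOKE_ALL:
        return {g for g in direct if _grants_access(g, folder_groups, members)}
    return set()

# Constructed sample: Finance-RW is on the folder's ACL; Audit-Team is nested two levels down.
FOLDER_GROUPS = {"Finance-RW"}
MEMBERS = {
    "Finance-RW": {"alice", "Finance-Analysts"},
    "Finance-Analysts": {"bob", "Audit-Team"},
    "Audit-Team": {"carol"},
    "HR-RO": {"carol"},
}
WALL = AutomaticRule("Ethical wall: auditors", [("department", "Audit")], OperationType.REVOKE_ALL)

if __name__ == "__main__":
    print(validate(WALL), request_state(WALL))
    if matches(WALL, {"department": "Audit"}):
        for op in (OperationType.REVOKE, OperationType.REVOKE_ALL):
            print(op.value, "->", memberships_to_revoke("carol", FOLDER_GROUPS, MEMBERS, op))
```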

Editing Automatic Rules


To edit existing automatic rules:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the information icon for the rule whose details you want to view.
The Automatic Rule Details dialog box is displayed, showing the details
of the selected rule.
3. Edit as necessary.


4. Click OK.

Removing Automatic Rules


To remove an automatic rule from a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Select the check box of the rule to be removed.
3. Click Remove.
The automatic rule is removed from the managed folder.

Viewing Event Logs and History


Data owners can access event logs and history from DatAdvantage. Users
can browse and search the event logs from all the monitored resources for a
specific day, down to the level of a single event.
To view DatAdvantage logs and history:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder whose logs you want to view.
3. In the right pane of the main workspace, select the Log/History tab. The
Query pane is displayed.

4. From the Data From drop-down list, select the source of the data.
Options are:

File system events

History of differences

All

5. To set a specific range of dates whose history you want to view, set the
following:

From - Set the starting date and time for the required time period.

To - Set the ending date and time for the required time period.

6. To set the number of days relative to the current date:


a. Select the Relative option.
b. In the Last field, type the number of days you want to look back.
7. Click Configure to configure filtering, grouping and sorting options for the
data (see Generating Reports in DataPrivilege).
8. Click Run.


The report is generated and displayed in the Logs screen below.

Viewing Folder Statistics


Data owners can access event statistics from DatAdvantage. The Statistics
view provides detailed visualizations and activity graphs for user-defined
time frames, file servers and folders. For further information on statistics, see
DatAdvantage User Guide.
To view DatAdvantage statistics:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder whose statistics you want to view.
3. In the right pane of the main workspace, select the Statistics tab. The
Statistics pane is displayed.

4. To set a specific range of dates whose statistics you want to view, set the
following:

From - Set the starting date and time for the required time period.

To - Set the ending date and time for the required time period.

5. From the Type drop-down list, select the type of statistics you want to
view for the folder. Options are:

Activity By Date - This chart displays the activity for a folder or file on
the specified day. Use it to identify overall usage patterns, as well as
days with unusual activity that require further investigation. Access to
the folder, its subfolders and files is differentiated by color.

Subfolder Statistics - This chart displays the distribution of events
between subfolders within the current folder.

User Access - This chart displays the distribution of users accessing
the folder or file under review. The color-coded pie chart displays the
percentage of events for each user.

Inactive Users - This chart provides a view of the period of greatest
inactivity in the folder, per user, for the past seven days.

Least Active Users - This chart provides a view of the percentage of
users that had no activity in the folder in comparison to all users in the
domain.

Inactive Folders - This chart provides a view of the period of greatest
inactivity in folders, for the past seven days.

6. Click Search.
The statistics are displayed.

7. From the Group By drop-down list, select the value by which you want to
group the statistics. Options are:

Daily

Weekly

Day of Week

Monthly

Quarterly

Yearly

8. To print the generated statistics, click Print.
9. To export the generated statistics to a file:
a. Click Export.
b. Click Save.
The Save As dialog box is displayed.
c. Save the file as required.

Synchronizing Managed Folders with the Database


Data owners can synchronize the state of a managed folder with the
database as needed. This action commits the changes they have made to
the database.
To synchronize a managed folder with the database:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder you want to synchronize with the
database.
A popup menu is displayed.
3. From the popup menu, select Sync.
The selected folder is synchronized with the database.


Using the Authorizer View


Viewing the Folders that are Defined for Authorizers
To view the folders that are defined for specific authorizers:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. Select the relevant authorizers.
The folders under the responsibility of the selected authorizers are
displayed.

Adding Authorizers to Managed Folders in the Authorizers View


You can add an authorizer to a managed folder in the Authorizers view when
you add a folder.
To add an authorizer to a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. In the Authorizers pane, select the relevant authorizers.
5. In the Managed Folders pane, click Add Folder.
The Select Managed Folders wizard is displayed, on the Select Folders
page.


6. Define the following:

Select Location - From the drop-down list, select the location of the
folder to be added.

Select Folders - Click the Browse button to select the required
folders. You may also paste folder names in UNC format (that is,
\\ComputerName\SharedFolder\Resource).

7. Select the required folders.
8. For each folder, define the following as relevant:

Display path - This column shows the folder's path. Select the
Allow direct permissions option if you want to enable creating direct
permission requests on the folder.

Existing groups - Select unique groups that have direct permissions
on the folder.

New permissions - In the New Permissions column, select the
permissions to be granted to the new group. If preferred, change the
default name of the group.

Make Traverse Permissions - If a group has permissions to a
subfolder but not its parent folders, traverse permissions enable group
members to drill down through the file system to access the folder. For
base folders, traverse permissions can be set up to the level of the
share.

Bypass Group Authorization - This option enables folder owners to
manage direct user members of the group if the group has a unique
ACE on the folder. If the group has a unique ACE for several folders,
all relevant folder owners can manage its members independently. For
example:

Several groups are used to manage a folder, and one of the
groups does not have an owner. Unless the bypass option is
set, users cannot request permissions of the type this group
represents.

If a group without an owner is the only group used to manage a
folder, the folder is effectively not managed. Again, the bypass
option enables managing the folder.

9. Click OK.
The folders are added to the selected authorizers.
10. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
11. Click Add.
The authorizers are added to the lower pane.
12. Click Next.
13. When the summary is displayed, indicating success, click Finish.
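Two of the folder options above in code, as an added example that is not DataPrivilege's own: the parent folders on which a group needs traverse permission for a folder given in UNC format (traverse stops at the share), and the effect of Bypass Group Authorization on a folder whose ACL groups have no owner. The server, share, folder, group and owner names are constructed.

```python
# Added example, not DataPrivilege code. Paths, groups and owners below are constructed.

def parse_unc(path: str) -> tuple[str, str, list[str]]:
    """Split a UNC path (\\\\ComputerName\\SharedFolder\\Resource) into
    (server, share, [folder components]); reject anything else."""
    if not path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {path!r}")
    parts = path[2:].rstrip("\\").split("\\")
    if len(parts) < 2 or any(part == "" for part in parts):
        raise ValueError(f"malformed UNC path: {path!r}")
    return parts[0], parts[1], parts[2:]

def is_valid_unc(path: str) -> bool:
    """True if `path` is a well-formed \\\\server\\share[\\folder...] path."""
    try:
        parse_unc(path)
        return True
    except ValueError:
        return False

def traverse_parents(path: str) -> list[str]:
    """Parent folders on which a group holding permissions only on `path` needs
    traverse permission, from the share down to the immediate parent. Traverse
    permissions stop at the share, so the share itself needs none."""
    server, share, folders = parse_unc(path)
    current = f"\\\\{server}\\{share}"
    parents = []
    for name in folders:
        parents.append(current)          # every ancestor below the share ...
        current = f"{current}\\{name}"   # ... but not the folder itself
    return parents

def requestable_groups(acl_groups: list[str], group_owners: dict[str, list[str]],
                       bypass_group_authorization: bool) -> list[str]:
    """Groups with a unique ACE on the folder whose membership users can request.
    A group without an owner has nobody to handle requests of its type unless
    the folder owner is allowed to bypass group authorization."""
    return [g for g in acl_groups if group_owners.get(g) or bypass_group_authorization]

def is_effectively_managed(acl_groups: list[str], group_owners: dict[str, list[str]],
                           bypass_group_authorization: bool) -> bool:
    """A folder whose ACL groups are all ownerless is not managed without the bypass."""
    return bool(requestable_groups(acl_groups, group_owners, bypass_group_authorization))

# Constructed folder ACL: Finance-RW has an owner, Finance-RO does not.
ACL_GROUPS = ["Finance-RW", "Finance-RO"]
GROUP_OWNERS = {"Finance-RW": ["alice"], "Finance-RO": []}

if __name__ == "__main__":
    print(traverse_parents("\\\\srv01\\finance\\budgets\\2014\\q3"))
    print(requestable_groups(ACL_GROUPS, GROUP_OWNERS, False))
    print(requestable_groups(ACL_GROUPS, GROUP_OWNERS, True))
```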

Removing Authorizers from Folders


To remove an authorizer from a folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.

4. In the Folder Owner Authorizers pane, select the relevant authorizers.
5. Click Remove.
The authorizers are removed from their related folders.

Adding Managed Folders to Authorizer Responsibilities


To add a folder to an authorizer's responsibilities:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. In the Authorizers pane, select one or more authorizers. The folders
under the responsibility of the selected authorizers are displayed
in the Managed Folders pane on the right. If you select more than
one authorizer, only the folders that are common to all the selected
authorizers are displayed.
5. In the Managed Folders pane, click Add Folder. The Select Managed
Folders dialog box is displayed.

6. Search for the required folder.
7. Click OK.
The folders are added to the authorizer's responsibilities.

Removing Folders from Authorizer Responsibilities


To remove a folder from an authorizer's responsibilities:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.

2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. In the Folder Owner Authorizers pane, select one or more authorizers.
The folders under the responsibility of the selected authorizers are
displayed in the Managed Folders pane on the right. If you select more
than one authorizer, only the folders that are common to all the selected
authorizers are displayed.
5. Click the name of the managed folder to be removed from the
authorizer's responsibilities.
6. Click Remove.
The folders are removed.

About Data Authorizers


Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:

Grant users permissions to managed folders

Add users to groups

Sign entitlement reviews

Authorization Levels
With DataPrivilege, multiple levels of authorization can be defined to ensure
data and entity membership are protected. An authorizer can be assigned to
any authorization level, even if the preceding levels have not been defined.

Viewing Permissions on Managed Folders


Data authorizers can view the permissions defined for the managed folders
under their responsibility.
To view permissions on managed folders:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.
2. Click the name of the managed folder whose permissions you want to
view.
The ACLs currently defined for the selected managed folder are
displayed in the right pane.


Removing Direct Permissions from Managed Folders


Just as data owners and authorizers can create direct permission requests,
they can also create direct removal requests, to remove user or group
permissions from a managed folder.
To remove direct permissions from a managed folder:
1. From the left menu bar, select Management > Folder Owner to go to
the Managed Folders pane.

2. In the Permissions pane, select the user or group whose permission is to be
removed.
3. Click Remove Permission.
The Remove Permission dialog box is displayed.
4. Type the reason for revoking the direct permission.
5. Click OK.
The direct permission to the selected managed folder is revoked.

5. Group Ownership

About Group Owners


Group owners are managers who are responsible for managed groups. This
includes the following activities:

Adding managed groups.

Adding users to groups.

Removing users from groups.

Adding automatic rules to groups.

Adding authorization rules to groups.

Adding authorizers to managed groups.

Performing entitlement reviews.

Approving or denying requests for group membership

Synchronizing managed groups with Active Directory.

DataPrivilege also supports the management of local users and groups.
All activities described above can be performed for local groups as well as
global groups.
Note: This feature is disabled by default and can be enabled when adding
a file server or defining credentials for file servers and root folders. For more
information, see Adding File Servers or Defining Credentials for File Servers
and Root Folders. If enabled, the local host on which the file server resides
becomes a monitored domain.

Working with Group Owner Views


DataPrivilege provides two group owner-related views:

Groups view

Authorizers view
To work with a group owner-related view:

1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to switch to the required view.

In the Groups view:

The list of managed groups is displayed in the left pane.

Select a group to display its members, authorizers, rules, etc. in
the right pane.

If you select multiple groups, only the items common to the entire
selection are displayed.


In the Authorizers view:

The list of group authorizers is displayed in the left pane.

Select an authorizer to display the groups for which it is
responsible in the right pane.

If you select multiple authorizers, only the groups common to all
the selected authorizers are displayed.

Choose the Selected Only option to view only the selected
authorizers and their groups.

Using the Group Search Pane


To find the groups you want to work with:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.

2. Do one of the following:

Select a domain in which to perform the search - Select the Domain
option and then select the required domain from the drop-down list.

Select a location in which to perform the search - Select the Location
option and then select the required logical location from the drop-down
list.

3. From the drop-down list, select the required search operator. Options are:

Begins with

Ends with

Contains

That is

4. In the blank field, type the required value to find the relevant group.
If you set the filter to Begins With, type the first few letters of the group
you are searching for.
5. Click Search.
A list of groups matching the search criteria is returned.

Adding Users to Groups


Group owners, and authorizers who possess owner privileges, can create
permission requests that add the selected users to groups automatically.
In this case, however, the users are authorized only for the specific folders
selected in the permission request.
To add a user to a group:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. In the Group Owner pane, select the relevant group.
3. In the right pane, click the Members tab.
The current members of the group are displayed, along with any
recommendations made for them by DatAdvantage.

4. Click Add Member.
The Create Membership Request dialog box is displayed.
5. In the Request For area, click Select Users/Groups.
6. Search for the relevant users.
7. In the Reason area, type the reason why the users should be granted
membership to the group.
8. In the Expiration Date area, set the date on which the membership is to
expire. Options are:

Never

On - Click the calendar icon to select an expiration date.

After - In the text box, enter the number of days after which the
membership is to expire.

9. Click OK.
The users are added to the group (since the membership request was
created by the group owner, it is automatically approved).

Changing the Membership Expiration Date


To change the date on which a user's or group's membership expires:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Select the group whose membership expiration you want to edit.
3. In the right pane, select the Members tab.
4. In the Expiration Date column, click the link for the relevant user or group.
The Edit Expiration Date dialog box is displayed.

5. Set the date on which the membership is to expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, enter the number of days after which the
membership is to expire.

6. Enter a reason for setting this expiration date.


7. Click OK.

Removing Users from Groups


To remove a user from a group:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Select the group from which you want to remove a user.
3. In the right pane, select the Members tab.
4. Select the relevant user.
5. Click Remove.
The user is removed from the group.

Excluding Groups from the Authorization Process


Group owners may choose to exclude groups from the authorization process
if necessary. This option enables folder owners to manage direct user
members of the group if the group has a unique ACE on the folder. If the
group has a unique ACE for several folders, all relevant folder owners can
manage its members independently.
To exclude a group from the authorization process:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Click the information icon of the relevant group.
The Group Details dialog box is displayed.
3. Select the Bypass Group Authorization checkbox for each group as
relevant.
4. Click OK.

Adding Authorizers to Managed Groups


There are two methods for adding authorizers to managed groups:

Through the Authorizers tab

Through a popup menu

Adding Authorizers to Managed Groups through the Authorizers Tab


If you select multiple groups, you can add a common authorizer to all the
selected groups at once.
To add an authorizer to a managed group through the Authorizers tab:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. In the left pane, select the relevant groups. You may select more than one.
3. In the right pane of the main workspace, click the Authorizers tab.
The authorizers currently defined for the selected managed group are
displayed (if you selected more than one group, the authorizers that are
common to all the selected groups are displayed).
4. In the right pane, click Add.
The Authorizer Details dialog box is displayed.
5. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
6. Click Add.
The authorizers are added to the lower pane.
7. In the Authorizer Level field, select the level of the new authorizer.
An authorizer can be assigned to any level, even if the preceding levels
have not been defined.
8. Click OK twice to close the dialog boxes.
The new authorizer is displayed in the right pane.

Adding Authorizers to Managed Groups through the Popup Menu


To add an authorizer to a managed group through the popup menu:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.

2. Right-click the group.
A popup menu is displayed.
3. From the popup menu, select Authorizers.
The Add Authorizer dialog box is displayed, listing the authorizers who
are currently defined for the managed group.

4. Click Add.
The Authorizer Details dialog box is displayed.

5. In the Select Users area, click the Browse button to locate the relevant
authorizers. You may select more than one.
6. Click Add.
The authorizers are added to the lower pane.
7. In the Authorizer Level field, select the level of the new authorizer.
An authorizer can be assigned to any level, even if the preceding levels
have not been defined.
8. Click OK twice to close the dialog boxes.
The new authorizer is displayed in the right pane.

Viewing Authorizer Details


To view the details of existing authorizers:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Click the information icon for the authorizer whose details you want to
view.
The Group Authorizer Details dialog box is displayed, showing the
details of the selected authorizer.
3. Click OK.

Removing Authorizers from Managed Groups


To remove an authorizer from a managed group:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.

2. Select the checkbox of the authorizer to be removed.
3. Click Remove.
The authorizer is removed from the managed group.

Adding Authorization Rules to Groups


To add an authorization rule to a managed group:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Select the group to which you want to add an authorization rule.
3. In the right pane of the main workspace, click the Auth Rules tab.
The authorization rules currently defined for the managed group are
displayed.

4. In the right pane, click Add.
The Authorizer Rule Details dialog box is displayed.
5. In the Rule Name field, type a name for the authorization rule to be
added.
6. Select or clear the Is Enabled checkbox to enable or disable the rule as
necessary.
7. In the Clauses area, define the expression the rule is to calculate.
a. Click Edit. The Rule Clauses dialog box is displayed.

b. From the drop-down boxes, select the required values to build the
clause.
c. To add a clause, click Add Clause. An additional row is displayed.
d. To remove an extraneous clause, click Remove. The extraneous
clause is removed.
e. When the expression is complete, click OK.
8. In the Authorizers area, click Add. The User Search dialog box is
displayed.
9. Search for the authorizers to be added and add them.
10. Click OK.
The authorization rule is added to the managed group.

Editing Authorization Rules for Groups


To edit existing authorization rules:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. In the right pane of the main workspace, click the Auth Rules tab.
3. Click the information icon for the rule you want to edit.
The Authorizer Rule Details dialog box is displayed, showing the details
of the selected rule.
4. Edit as necessary.
5. Click OK.

Removing Authorization Rules from Groups


To remove an authorization rule from a managed group:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to select the Groups view, and
select the relevant group.
3. In the right pane of the main workspace, click the Auth Rules tab.
4. Select the check box of the rule to be removed.
5. Click Remove.
The authorization rule is removed from the managed group.

Adding Automatic Rules to Groups


To add an automatic rule to a managed group:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Select the group to which you want to add an automatic rule.
3. In the right pane, click the Automatic Rules tab.
The automatic rules currently defined for the managed group are
displayed.

4. In the right pane, click Add. The Automatic Rule Details dialog box is
displayed.

5. In the Rule Name field, type a name for the automatic rule to be added.
The name must be unique.
6. Select or clear the Is Enabled checkbox to enable or disable the rule as
necessary.
7. In the Clauses area, define the expression the rule is to calculate.
a. Click Edit. The Rule Clauses dialog box is displayed.

b. From the drop-down boxes, select the required values to build the
clause.
c. To add a clause, click Add Clause. An additional row is displayed.
d. To remove an extraneous clause, click Remove. The extraneous
clause is removed.
e. When the expression is complete, click OK.
8. In the Request Operation Type area, select the operations that the rule
can carry out if all its criteria are met. The rule is only enforced if all the
clauses and the selected operation type match. Options are:

Grant - Set the rule to only grant permissions, not to revoke them.

Grant & Revoke - Set the rule to both grant and revoke permissions as
necessary.

Revoke - Set the rule to only revoke permissions, not to grant them.

Revoke All - Set the rule to revoke all memberships, including nested
memberships. This creates an ethical wall.

9. In the Expiration Date area, set the date on which the permission is to
expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

10. In the Authorization area, set the rule to automatically approve or decline
requests as necessary.
11. Select or clear the Enforce Rule checkbox as necessary, to run the rule
at a predefined interval on all the users in Active Directory who meet the
rule's criteria. This option is disabled under the following conditions:

Operation Type is set to Grant & Revoke.

The authorization option is set to Decline.

Note: If this option is selected and no other interval is configured, the
rule runs once every 24 hours.

12. Select the Do Not Approve Automatically checkbox as necessary, to
prevent automatic approval of any request created by this rule. The
requests remain in the Pending Authorization state.
13. Click OK.
The automatic rule is added to the managed group.
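The clause editor shared by Adding Authorization Rules to Groups and the automatic rule procedure above, together with the four Request Operation Types, can be modelled in a few dozen lines. The block below is an added example written for this page, not DataPrivilege code: the users, group nesting, attribute names and operator names are constructed, and the reading that Revoke and Revoke All act on users who match the clauses (while Grant & Revoke also removes users who stop matching) is an assumption drawn from the descriptions above.

```python
"""Added example, not DataPrivilege code: how an automatic rule's clauses and
Request Operation Type decide what happens to a user's group membership.
Users, groups, attribute names and operator names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed directory snapshot: the attributes the rule clauses test.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"department": "Legal", "title": "Counsel"},
    "bob":   {"department": "Sales", "title": "Account Rep"},
    "carol": {"department": "Legal", "title": "Paralegal"},
}
# Constructed membership: direct members of each group; a member that is
# itself a key of this dict is a nested group.
GROUPS: Dict[str, Set[str]] = {
    "Legal-Share":       {"alice", "Legal-All"},
    "Legal-All":         {"carol", "Legal-Contractors"},
    "Legal-Contractors": {"bob"},
}

@dataclass(frozen=True)
class Clause:
    """One row of the Rule Clauses dialog: <attribute> <operator> <value>."""
    attribute: str
    operator: str   # assumed operators: equals, not_equals, begins_with, contains
    value: str

    def matches(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attribute, "")
        return {"equals": actual == self.value,
                "not_equals": actual != self.value,
                "begins_with": actual.startswith(self.value),
                "contains": self.value in actual}[self.operator]

@dataclass
class AutomaticRule:
    name: str
    group: str
    clauses: List[Clause]
    operation: str          # Grant | Grant & Revoke | Revoke | Revoke All
    enabled: bool = True
    do_not_approve_automatically: bool = False

    def applies_to(self, user: str) -> bool:
        # The guide: the rule is enforced only if ALL its clauses match.
        return self.enabled and all(c.matches(USERS[user]) for c in self.clauses)

def nested_groups(group: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """`group` plus every group reachable from it through nesting."""
    seen: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        stack.extend(m for m in groups[g] if m in groups)
    return seen

def evaluate(rule: AutomaticRule, user: str,
             groups: Dict[str, Set[str]]) -> Optional[dict]:
    """The request this rule would raise for `user`, or None if nothing to do."""
    matched = rule.applies_to(user)
    direct = user in groups.get(rule.group, set())
    action = None
    if rule.operation == "Grant" and matched and not direct:
        action = ("add", rule.group)
    elif rule.operation == "Revoke" and matched and direct:
        action = ("remove", rule.group)
    elif rule.operation == "Grant & Revoke":
        if matched and not direct:
            action = ("add", rule.group)
        elif not matched and direct:
            action = ("remove", rule.group)
    elif rule.operation == "Revoke All" and matched:
        # Ethical wall: strip the user from the group and from every nested
        # group feeding into it, so no indirect path to the data survives.
        hits = sorted(g for g in nested_groups(rule.group, groups) if user in groups[g])
        if hits:
            action = ("remove_all", tuple(hits))
    if action is None:
        return None
    state = "Pending Authorization" if rule.do_not_approve_automatically else "Approved"
    return {"rule": rule.name, "user": user, "action": action, "state": state}

def enforce(rule: AutomaticRule, groups: Dict[str, Set[str]]) -> List[dict]:
    """One scheduled 'Enforce Rule' pass over every user in the directory."""
    return [r for r in (evaluate(rule, u, groups) for u in sorted(USERS)) if r]
```

Running enforce() with a Revoke All rule whose clause is department equals Sales against the constructed data returns a single request for bob, removing him from Legal-Contractors, the nested group through which he reaches Legal-Share. A plain Revoke on Legal-Share finds no direct membership for him and does nothing; that indirect path is the gap the ethical-wall option is meant to close. Setting Do Not Approve Automatically leaves the generated request in Pending Authorization instead of Approved.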

Editing Automatic Rules


To edit existing automatic rules:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to select the Groups view, and
select the relevant group.
3. In the right pane of the main workspace, click the Automatic Rules tab.
4. Click the information icon for the rule you want to edit.
The Automatic Rule Details dialog box is displayed, showing the details
of the selected rule.
5. Edit as necessary.
6. Click OK.

Removing Automatic Rules from Managed Groups


To remove an automatic rule from a managed group:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to select the Groups view, and
select the relevant group.
3. In the right pane of the main workspace, click the Automatic Rules tab.
4. Select the check box of the rule to be removed.
5. Click Remove.
The automatic rule is removed from the managed group.

Viewing Permissions on Managed Groups


Group authorizers can view the permissions defined for the managed groups
under their responsibility.
To view permissions on managed groups:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Select the group whose permissions you want to view.
3. In the right pane, click the Permissions tab.
The permissions currently defined for the selected managed group are
displayed in the right pane.

Viewing Event Logs and History


Group owners can access event logs and history from DatAdvantage. Users
can browse and search the event logs from all the monitored resources for a
specific day, down to the level of a single event.
To view DatAdvantage logs and history:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Select the group whose logs you want to view.
3. In the right pane of the main workspace, select the Log/History tab. The
Query pane is displayed.

4. From the Data From drop-down list, select the source of the data.
Options are:

File system events

History of differences

All

5. To set a specific range of dates whose history you want to view, set the
following:

From - Set the starting date and time for the required time period.

To - Set the ending date and time for the required time period.

6. To set the number of days relative to the current date:
a. Select the Relative option.
b. In the Last field, type the number of days you want to look back.
7. Click Configure to configure filtering, grouping and sorting options for the
data (see Generating Reports in DataPrivilege).
8. Click Run.
The report is generated and displayed in the Logs screen below.

Viewing Group Statistics


Group owners can access group statistics from DatAdvantage. The Statistics
view provides detailed visualizations and activity graphs for user-defined
timeframes, users and user groups. For further information on statistics, see
DatAdvantage User Guide.
To view DatAdvantage statistics:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Select the group whose statistics you want to view.
3. In the right pane of the main workspace, select the Statistics tab. The
Statistics pane is displayed. By default, this pane displays statistics for
the selected group, for a period of one week prior to the current date.

4. To set a specific range of dates for which you want to view statistics, set
the following:

From - Set the starting date and time for the required time period.

To - Set the ending date and time for the required time period.

5. From the Type drop-down list, select the type of statistics you want to
view for the group. Options are:

Activity By Date - This chart for users and groups displays the activity
for a given user or group per day. Use this chart to identify overall
usage patterns, as well as days with unusual activity that require
further investigation. Access to the folder, its subfolders and files is
differentiated by color.

Folder Utilization - This chart displays the distribution of events
between subfolders and files within the current folder.

Subfolder Statistics - This chart displays the distribution of events
between subfolders within the current folder.

User Activity - This chart displays the distribution of users accessing
the folder or file under review. The color-coded pie chart displays the
percentage of events for each user. This chart is only available for
groups.

6. Click Search.
The statistics are displayed.

7. From the Group By drop-down list, select the value by which you want to
group the statistics. Options are:

Daily

Weekly

Day of Week

Monthly

Quarterly

Yearly

8. To print the generated statistics, click Print.
9. To export the generated statistics to a file:
a. Click Export.
b. Click Save.
The Save As dialog box is displayed.
c. Save the file as required.

Synchronizing Managed Groups with Active Directory


Group owners can synchronize the state of a managed group with Active
Directory as needed. This action commits the changes they have made to
Active Directory.
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Right-click the group you want to synchronize with Active Directory.
A popup menu is displayed.
3. From the popup menu, select Sync. The group is synchronized with
Active Directory.
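What a sync actually commits depends on which memberships are still in force, and that depends on the expiration option chosen in Adding Users to Groups or Changing the Membership Expiration Date. The block below is an added example written for this page, not DataPrivilege code: it maps the Never / On / After options onto a date, drops lapsed memberships, and diffs the resulting desired state against what Active Directory holds. The users, groups and dates are constructed, dates are passed as ISO strings, and the rule that a membership stays valid through its expiration date and lapses the day after is an assumption.

```python
"""Added example, not DataPrivilege code: how the Never / On / After expiration
options determine a membership's expiry, and how a sync turns the resulting
desired state into the adds and removes committed to Active Directory.
Users, groups and dates are constructed; dates are ISO strings (YYYY-MM-DD)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set, Tuple

Pair = Tuple[str, str]   # (user, group)

@dataclass(frozen=True)
class Membership:
    user: str
    group: str
    expires: Optional[str] = None   # ISO date; None means the Never option

def expiry_from_option(option: str, requested_on: str, on: Optional[str] = None,
                       after_days: Optional[int] = None) -> Optional[str]:
    """Map the dialog's Expiration Date option onto a concrete date (None = Never)."""
    start = date.fromisoformat(requested_on)
    if option == "Never":
        return None
    if option == "On":
        if on is None or date.fromisoformat(on) < start:
            raise ValueError("'On' needs a date on or after the request date")
        return on
    if option == "After":
        if after_days is None or after_days < 1:
            raise ValueError("'After' needs a positive number of days")
        return (start + timedelta(days=after_days)).isoformat()
    raise ValueError(f"unknown expiration option {option!r}")

def active_memberships(memberships: Iterable[Membership], today: str) -> Set[Membership]:
    """Memberships still in force on `today`. Assumption: a membership stays
    valid through its expiration date and lapses the day after."""
    now = date.fromisoformat(today)
    return {m for m in memberships
            if m.expires is None or date.fromisoformat(m.expires) >= now}

def sync_plan(desired: Iterable[Membership], actual: Iterable[Pair],
              today: str) -> Tuple[List[Pair], List[Pair]]:
    """Diff DataPrivilege's desired state against the (user, group) pairs AD holds.
    Returns (adds, removes). A pair AD has that DataPrivilege does not know about
    (added directly in AD) shows up as a remove: that is the drift worth reviewing
    before committing."""
    want = {(m.user, m.group) for m in active_memberships(desired, today)}
    have = set(actual)
    return sorted(want - have), sorted(have - want)

# Constructed data for a stand-alone run.
DESIRED = {
    Membership("alice", "Legal-Share"),                 # Never
    Membership("bob", "Legal-Share", "2014-07-31"),     # After 30 days from 2014-07-01
    Membership("carol", "Legal-Share", "2014-09-01"),   # On 2014-09-01
}
AD_STATE = {("alice", "Legal-Share"), ("bob", "Legal-Share"), ("dave", "Legal-Share")}

def demo(today: str = "2014-08-01") -> Tuple[List[Pair], List[Pair]]:
    return sync_plan(DESIRED, AD_STATE, today)
```

Run on the constructed data for 2014-08-01, the plan adds carol, removes bob (expired the day before) and removes dave, who is present in AD but has no membership record on the DataPrivilege side. That last entry is the one to look at before clicking Sync: it is either an out-of-band change that the sync should reverse, or a record that should have been requested through DataPrivilege.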

Using the Authorizer View


Viewing the Groups that are Defined for Authorizers
To view the groups that are defined for specific authorizers:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. Select the relevant authorizers.
The groups under the responsibility of the selected authorizers are
displayed.

Removing Authorizers from Groups


To remove authorizers from managed groups:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. In the Authorizers pane, select the relevant authorizers.
5. Click Remove.
The authorizers are removed from the group.

Adding Managed Groups to Authorizer Responsibilities


To add a group to an authorizer's responsibilities:
1. From the left menu bar, select Management > Group Owner to go to
the Group Owner pane.
2. Above the Search pane, click the link to select the Authorizers view.
3. Use the Search pane to locate the relevant authorizers.
4. In the Authorizers pane, select one or more authorizers. The groups
under the responsibility of the selected authorizers are displayed
in the Managed Groups pane on the right. If you select more than
one authorizer, only the groups that are common to all the selected
authorizers are displayed.
5. In the Managed Groups pane, click Add. The Add Managed Groups
dialog box is displayed.

6. Select the required group from the list.
7. If the group you need does not appear in the list, search for it as
necessary.
8. Click OK.
The groups are added to the authorizer's responsibilities.

About Group Authorizers


Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:

Grant users permissions to managed folders

Add users to groups

Sign entitlement reviews

Authorization Levels
With DataPrivilege, multiple levels of authorization can be defined to ensure
data and entity membership are protected. An authorizer can be assigned to
any authorization level, even if the preceding levels have not been defined.
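The ordering that authorization levels impose on a request, including the management authorization (Authorizer 0) step described under Adding Authorizers to Groups in the Administration chapter, is easiest to see as a chain. The block below is an added example written for this page, not DataPrivilege code. Its assumptions are not from the guide: the authorizer table and user records are constructed; a level is satisfied by any one approval at that level; levels are visited in ascending order with undefined levels skipped; and a request created by a group owner is approved without a chain, as Adding Users to Groups describes.

```python
"""Added example, not DataPrivilege code: the ordered approval chain a
membership request has to pass. Authorizer table, owners and user records
are constructed; 'any one approval satisfies a level' is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Authorizer:
    name: str
    level: int   # 1, 2, 3 ...; gaps between levels are allowed

# Constructed data.
USERS: Dict[str, Dict[str, Optional[str]]] = {
    "alice": {"manager": "erin"},
    "bob":   {"manager": None},      # no manager attribute in AD
}
GROUP_OWNERS: Dict[str, Set[str]] = {"Legal-Share": {"frank"}}
GROUP_AUTHORIZERS: Dict[str, List[Authorizer]] = {
    # Level 2 deliberately undefined: the chain must skip it, not stall on it.
    "Legal-Share": [Authorizer("gina", 1), Authorizer("hal", 3), Authorizer("ivan", 3)],
}

Stage = Tuple[str, frozenset]

def approval_chain(group: str, subject: str, requester: str,
                   manager_authorization: bool = False) -> List[Stage]:
    """Stages the request must clear in order, each as (label, approvers).

    Authorizer 0 (the subject's AD manager) comes first when management
    authorization is enabled and the subject has a manager defined."""
    if requester in GROUP_OWNERS.get(group, set()):
        return []   # owner-created requests are approved automatically
    chain: List[Stage] = []
    manager = USERS.get(subject, {}).get("manager")
    if manager_authorization and manager:
        chain.append(("Authorizer 0 (manager)", frozenset({manager})))
    by_level: Dict[int, Set[str]] = {}
    for a in GROUP_AUTHORIZERS.get(group, []):
        by_level.setdefault(a.level, set()).add(a.name)
    for level in sorted(by_level):
        chain.append((f"Level {level}", frozenset(by_level[level])))
    return chain

def decide(chain: List[Stage], decisions: Dict[str, str]) -> str:
    """Walk the chain against recorded decisions ('approve' / 'decline').

    A decline at any stage ends the request; an earlier stage nobody has
    approved yet blocks later stages even if their authorizers already approved."""
    for label, approvers in chain:
        if any(decisions.get(a) == "decline" for a in approvers):
            return "Declined"
        if not any(decisions.get(a) == "approve" for a in approvers):
            return f"Pending: {label}"
    return "Approved"
```

The point worth checking in any such chain is that a later level's approval cannot leapfrog an earlier one: with only hal's approval recorded, the request for alice still reports Pending at the manager stage, and a manager's decline ends it regardless of what the level authorizers did.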

Viewing Permissions on Managed Groups


Group authorizers can view the permissions defined for the managed groups
under their responsibility.
To view permissions on managed groups:
1. From the left menu bar, select Management > Group Authorizer to go
to the Group Authorizer pane.
2. Select the group whose permissions you want to view.
The permissions currently defined for the selected managed group are
displayed in the right pane.

6. Administration

Administrators are IT specialists. They are responsible for defining and
managing the definitions of the following:

Other administrators

Locations

Base folders

Assigning data owners to base folders

Assigning group owners to groups

Scheduling and configuring entitlement reviews

Cancelling pending entitlement review requests

Defining Floor Support personnel

Defining permission types

Generating synchronization reports

Defining application settings

Configuring DataPrivilege

Note: In addition, administrators may have access to the management screens
if the Allow administrators to view and edit management screens setting is
enabled under Application Settings > General.

Managing Groups
Administrators may define and manage logical "locations" for groups, define
groups as managed, add group owners to groups, edit their definitions, and
remove them from their groups.
While user groups must exist in Active Directory, not all groups are managed
by DataPrivilege.
When you add a managed group to your system, the group is created in the
local domain. However, it may contain users from other domains as well as
the current domain.
When you add an existing group from outside DataPrivilege, it may be a
local group, a global group or a universal group.
DataPrivilege also supports the management of local users and groups.
Note: This feature is disabled by default and can be enabled when adding
a file server or defining credentials for file servers and root folders. For more
information, see Adding File Servers or Defining Credentials for File Servers
and Root Folders. If enabled, the local host on which the file server resides
becomes a monitored domain.

Working with Group-Related Views


DataPrivilege provides two group-related views:

Groups view

Owners view
To work with a group-related view:

1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
2. Above the Search pane, click the link to switch to the required view.

In the Groups view:

The list of managed groups is displayed in the left pane.

Select a group to display its owners on the right.

If you select multiple groups, only the owners common to all the
selected groups are displayed.

Choose the Show Only Selected option to view only the selected
groups and their owners.

In the Owners view:

The list of group owners is displayed in the left pane.

Select an owner to display the groups it owns in the right pane.

If you select multiple owners, only the groups common to all the
selected owners are displayed.

Choose the Selected Only option to view only the selected owners
and their groups.

Using the Group Search Pane


To find the groups you want to work with:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.

2. Do one of the following:

Select a domain in which to perform the search - Select the Domain
option and then select the required domain from the drop-down list.

Select a location in which to perform the search - Select the Location
option and then select the required logical location from the drop-down
list.

3. Select the Show Unmanaged Groups option to display these groups in
the list.
4. From the drop-down list, select the required search operator. Options are:

Begins with

Ends with

Contains

That is

5. In the blank field, type the required value to find the relevant group.
If you set the filter to Begins With, type the first few letters of the group
you are searching for.
6. Click Search.
A list of groups matching the search criteria is returned.

Adding Managed Groups and Owners at Once


To add a managed group and its owner at once:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.

2. In the Groups pane, click Add Group.
The Add Groups and Owners Wizard is displayed, on the Select
Groups page.
3. From the Select Location drop-down box, select the location to which the
required groups belong.
4. In the Select Groups area, click the Browse button to locate the relevant
groups. You may select more than one.
5. Click Add.
The groups are added to the lower pane.

6. To exclude groups from the group authorization process:
a. In the lower pane, select the relevant groups.
b. Select the Bypass group authorization checkbox for each group as
relevant. This option enables folder owners to manage direct user
members of the group if the group has a unique ACE on the folder.
If the group has a unique ACE for several folders, all relevant folder
owners can manage its members independently.
7. Click Next.
The Select Group Owners & Authorizers page of the wizard is
displayed.
Note: This page is optional. You can add managed groups without
owners if you want.

8. In the Select Owners area, click the Browse button to locate the relevant
owners. You may select more than one.
9. Click Add.
The owners are added to the lower pane.

10. To add selected users as authorizers:
a. In the lower pane, select the relevant users.
b. Select the Add selected users as Authorizers checkbox for each user.
For more information, see Adding Authorizers to Managed Groups.
11. Click Next.
12. When the summary is displayed, indicating success, click Finish.

Editing Managed Groups


To edit a managed group:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.

2. In the Groups pane, select the relevant groups. You may select more
than one.
3. Click Edit Group.
The Edit Group Settings dialog box is displayed.

4. Set the following options for each group:

Location - From the drop-down list, select the location to which all the
groups belong.

Bypass Group Authorization - Select the Bypass group authorization
checkbox for each group as relevant. This option enables folder
owners to manage direct user members of the group if the group
has a unique ACE on the folder. If the group has a unique ACE for
several folders, all relevant folder owners can manage its members
independently.

5. To remove groups from the list, select the checkboxes of the relevant
groups and click Remove.
6. Click OK.

Resetting Managed Groups


Resetting a group deletes all its owners, authorizers and rules, and resets its
location.
Note: Only group owners can reset groups.
To reset a managed group:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.

2. In the Groups pane, select the relevant groups. You may select more
than one.
3. Click Reset Group.
A confirmation message is displayed.
4. Click OK.

Managing Group Locations


Adding Group Locations
To add a location:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.

2. In the Groups pane, click Manage Locations.
The Manage Locations dialog box is displayed.
3. Click Add Location.
The Location Details dialog box is displayed.
4. Set the following:

Location Name - Type the name of the location.


Note: You may use special characters in location names. However, if
groups created by DataPrivilege are configured to include the location
name, group creation will fail if the location name includes special
characters.

Alias - Type a short name for the location, to be used in the default
naming convention for group names.

Active Directory Properties - Type the values of the Active Directory
properties that are set as this location's default selection (the list of
properties is comma-delimited). This means that when users select
the group from the Membership wizard, the location is expanded by
default.
Example:
One Active Directory property defined for MyLocation is set to QA. If
a user from the QA department goes to the Membership wizard, the
MyLocation node is automatically expanded when the user views the
group browser.

5. Click OK.
The location is added below the selected location. If no location is
selected, it is added under the root.

Moving Group Locations


Locations can easily be nested to form a hierarchical tree.
To move a location from one position to another within the hierarchy:

1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
2. In the Groups pane, click Manage Locations.
The Manage Locations dialog box is displayed.
3. Select the locations to be moved. You may select more than one.
4. Click Move.
The Move Location dialog box is displayed.

5. Select the relevant option:

Move locations to top level - Select to move the chosen locations to
the highest level of the hierarchy.

Move items to the following location - From the drop-down list, expand
the hierarchy to select a new position for the chosen items.

6. Click OK.
The selected locations are moved.

Removing Group Locations


If you remove a location that contains groups, the groups are moved to the
default location (which is named according to the default domain).
To remove a group location:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.

2. In the Groups pane, click Manage Locations.
The Manage Locations dialog box is displayed.

3. Select the locations to be removed. You may select more than one.
4. Click Remove.
The locations are removed.

Adding Owners to Existing Groups


To add an owner to an existing group:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.

2. If the group for which you want to define an owner is not listed, do one of
the following to search for the relevant group (if it is listed, skip to the next
step):
a. Use the Search pane.
b. Click Add in the Groups pane to access the Group Search dialog box.
Use this option to define the owner's authorization level.
3. In the Groups pane, select the name of the group for which you want
to define an owner. Alternatively, right-click the name of the group and
select Owners from the popup menu.
The group's existing owners are displayed in the Group Owners pane
(they are displayed in a new window if you used the popup menu).

4. In the Group Owners pane, click Add. The Add Groups and Owners
wizard is displayed.
5. Search for the user you want to add as an owner.
6. Click OK to close the dialog boxes. The new group owner is displayed in
the Group Owners pane.

Adding Groups to Existing Owners


To add a group to an existing owner:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.

2. In the Group Owners pane, select the owner to which you want to add
groups. You may select more than one. The groups belonging to the
selected owners are displayed in the right pane (if you selected multiple
owners, only the groups common to all are displayed).
3. In the Managed Groups pane, click Add. The Groups Search dialog box
is displayed.
4. Search for the relevant groups.
The groups are added to the Managed Groups pane.

Viewing Group Details


To view the details of a group:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
2. In the Groups pane, click the information icon of the group whose details
you want to view. The details are displayed in the Group Details dialog box.

3. Click OK.

Setting Groups to Bypass the Authorization Process


Administrators may choose to exclude groups from the authorization process
if necessary. This is an important option in several cases, such as:

Several groups are used to manage a folder, and one of the groups does
not have an owner. Unless the bypass option is set, users cannot request
permissions of the type this group represents.

If a group without an owner is the only group used to manage a folder,
the folder is effectively not managed. Again, the bypass option enables
managing the folder.

To set a group to bypass the group authorization process:


1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
2. Click the information icon of the relevant group. The Group Details dialog
box is displayed.

3. Select the Bypass Group Authorization checkbox for each group as
relevant. This option enables folder owners to manage direct user
members of the group if the group has a unique ACE on the folder. If the
group has a unique ACE for several folders, all relevant folder owners
can manage its members independently.
4. Click OK.

Viewing Group Owner Details


To view the details of a group owner:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
2. In the Groups pane, select the relevant group.
3. In the Group Owners pane, select the group owner whose details you
want to view.
The details are displayed in the Group Owner Details dialog box.


4. Click OK.

Removing Group Owners


To remove an owner from a group:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
2. In the Group Owners pane, select the group owner you want to remove.
3. Click Remove.
The owner is removed from the group and the group becomes
unmanaged.

Adding Authorizers to Groups


If the management authorization (Authorizer 0) option is enabled and the
user for whom the request was made has a manager defined in the Active
Directory, the request must be authorized by the user's manager before it is
sent to the relevant owner.
To add an authorizer to a group:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.


2. If the group for which you want to define an authorizer is not listed, do one of
the following to search for the relevant group (if it is listed, skip to the next
step):
a. Use the Search pane.
b. Click Add in the Groups pane to access the Group Search dialog box.
Use this option to define the owner's authorization level.
3. In the Managed Groups pane, right-click the name of the group and
select Authorizers from the popup menu.
The group's existing authorizers are displayed in the Add Authorizer
dialog box.

4. Click Add.
The User Details dialog box is displayed.


5. Search for the relevant user.


6. From the Authorizer Level drop-down list, set the required level for the
user.
7. Click OK twice to close the dialog boxes.
The new group authorizer is displayed in the Authorizers dialog box.

Synchronizing Managed Groups with Active Directory


Administrators can synchronize the state of a managed group with Active
Directory as needed. This action commits the changes they have made to
Active Directory.
To synchronize a managed group with Active Directory:
1. From the left menu bar, select Administration > Groups to go to the
Groups pane.
2. In the Groups pane, right-click the name of the managed group you want
to synchronize with Active Directory.
A popup menu is displayed.
3. From the popup menu, select Synchronize.
The group is synchronized with Active Directory.

Managing Base Folders



Base folders are storage folders that are managed by one or more data
owners. Base folders contain managed folders.

Working with Data-Related Views


DataPrivilege provides two data-related views:

• Base Folders view
• Data Owners view


To work with a data-related view:

1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.

2. In the Search pane, select the required view.

In the Base Folders view:
• The list of base folders is displayed in the left pane.
• Select a base folder to display its owners in the right pane.
• If you select multiple base folders, only the owners common to all
the selected folders are displayed.
• Choose the Selected Only option to view only the selected base
folders and their owners.

In the Data Owners view:
• The list of data owners is displayed in the left pane.
• Select an owner to display the base folders it owns in the right
pane.
• If you select multiple owners, only the base folders common to all
the selected owners are displayed.
• Choose the Selected Only option to view only the selected owners
and their base folders.

Adding Base Folder Locations


A location is a logical grouping of folders.
To add a location:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.


2. Click Add Location.


The Location Details dialog box is displayed.

3. Define the following parameters for the location:

• Location Name - Type the name of the location.
• Alias - Type a short name for the location, to be used in the default
naming convention for group names.
• Active Directory Properties - Type the values of the Active Directory
properties that are set as this location's default selection (the list of
properties is comma-delimited). This means that when users browse
to the folder from the Permissions wizard, the location is expanded by
default.
Example:
One Active Directory property defined for MyLocation is set to QA. If
a user from the QA department goes to the Permissions wizard, the
MyLocation node is automatically expanded when the user views the
folder browser.

4. Click OK.
The new location is added below the selected location. If no location
is selected, it is added under the root, which is the default.

Adding Base Folders


You may create a base folder at any position in the Display Name tree, as
long as no base folder is already defined along that path.
To add a base folder:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Expand the entities in the Display Name column to the position at which
you want to create the base folder.
3. Click Add Folder. The Add Base Folder wizard is displayed, on the
Select Folders page.

4. From the Select Location drop-down list, select the location in which you
want to create the folder.
5. To select the required folders:
a. Click the Browse button next to the Select Folders field. The Select
Base Folders dialog box is displayed.


b. At the top of the dialog box, select the type of search to be performed.
Options are:

• Defined File Servers Search - Select to search only in the defined
file servers.
• Host Name Search - Select to search Active Directory for file
servers.
• Exact Path Search - Select to search the file system for folders
under the exact path appearing in the Search text box.

c. From the filter drop-down list, select the relevant search filter.
d. In the blank field, type (or paste) the path or file server specified by the
search filter.
e. Click Search.
f. Select the checkboxes of the folders to be added as base folders.
g. Click OK.
The base folder is added and the Select Base Folders dialog box is
closed.
6. In the Add Base Folder wizard, click Add.
The folders are added to the grid in the lower pane.
Note: If you selected a folder located in a file server that is not yet
defined in DataPrivilege, the File Servers Definition dialog box is
displayed. Define the file server as necessary.


The grid enables you to continue defining folders. There is one set of
definitions for each folder.
7. For each folder, define the following as relevant:

• Display path - This column shows the folder's path. Select the
Allow direct permissions option if you want to enable creating direct
permission requests on the folder.
• Existing groups - If the folder is new in DataPrivilege, no groups are
listed in this column. However, if groups are listed for an existing
folder, you can select unique groups that have direct permissions on
the folder.
• New permissions - In the New Permissions column, select the
permissions to be granted to the new group. If preferred, change the
default name of the group.
Note: Due to a Microsoft limitation, group names must contain
fewer than 64 characters. DataPrivilege may be configured to use a
descriptive naming convention for groups that is based on location
+ folder name + permissions, which may result in a group name that
exceeds this limit.
• Exclude from authorization - Select this option to exclude the folder
from data authorization.

8. Click Next.
The Select Data Owners page is displayed.


9. In the Owners column, click Add and search for the required owners. You
may select more than one.
10. In the Authorizers column, click Add and search for the required
authorizers. You may select more than one.
The owners and authorizers are added.


11. Click Next.
12. When the summary is displayed, indicating success, click Finish.
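The 64-character note in step 7 is easy to run into once a descriptive naming convention is in use, so it is worth checking generated names before a group is created. The following Python helpers are an added illustration written for this page, not part of the DataPrivilege product or this guide. They compose a name from location alias, folder name and permission alias and test it against the limit the page states; the underscore separator, the decision to keep the location and permission aliases intact, and the truncation of only the folder segment are assumptions made for the example, since the page says only that the convention is configurable.

```python
"""Check generated group names against the 64-character limit.

Added example, not Varonis code. The page states that group names must
contain fewer than 64 characters and that DataPrivilege can build names
from location + folder name + permissions. Separator and truncation policy
below are assumptions for this example.
"""
from dataclasses import dataclass

MAX_GROUP_NAME_LEN = 64   # page: names must have fewer than 64 characters
SEPARATOR = "_"           # assumption: the real convention is configurable


@dataclass(frozen=True)
class GroupNameCheck:
    name: str
    length: int
    ok: bool


def build_group_name(location_alias: str, folder_name: str, permission_alias: str) -> str:
    """Compose a default-style name: location alias + folder name + permission alias."""
    return SEPARATOR.join((location_alias, folder_name, permission_alias))


def check_group_name(name: str) -> GroupNameCheck:
    """A name passes only if it is strictly shorter than 64 characters."""
    return GroupNameCheck(name=name, length=len(name), ok=len(name) < MAX_GROUP_NAME_LEN)


def fit_group_name(location_alias: str, folder_name: str, permission_alias: str) -> str:
    """Return a name that satisfies the limit, shortening the folder part if needed.

    The location and permission aliases are kept whole so the name still says
    where the group applies and what it grants; only the folder segment is
    truncated. This policy is an assumption, not the product's behaviour.
    """
    fixed = len(location_alias) + len(permission_alias) + 2 * len(SEPARATOR)
    budget = MAX_GROUP_NAME_LEN - 1 - fixed   # longest folder segment still allowed
    if budget < 1:
        raise ValueError("location and permission aliases alone exceed the limit")
    return build_group_name(location_alias, folder_name[:budget], permission_alias)


if __name__ == "__main__":
    # constructed sample: a deeply named folder under location alias FIN
    candidate = build_group_name("FIN", "Quarterly_Close_Reconciliation_Working_Papers_2013_Archive_Copy", "RW")
    print(check_group_name(candidate))
    print(check_group_name(fit_group_name("FIN", "Quarterly_Close_Reconciliation_Working_Papers_2013_Archive_Copy", "RW")))
```

Run the check at the point where step 7 lets you change the default group name: a name that fails can be shortened in the wizard before the group is created, rather than failing later in Active Directory.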

Adding Base Folders to Data Owners


To add a base folder in the Data Owners view:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Above the Search pane, click the link to select the Data Owners view.
3. Select the base folder owner to which you want to add a base folder.
4. In the Base Folders pane, click Add Folder.
The Select Base Folders dialog box is displayed.

5. Search for the required folder.


6. Click OK.
The base folder is added to the data owner.

Editing Base Folders


To edit a base folder:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. In the Base Folders pane, select the base folder to be edited.
3. Click Edit.
The Edit Folders dialog box is displayed.


4. Edit the base folder's details.


5. Select the following additional options as relevant (options that are not
available are not displayed):

• Make all selected existing groups bypass - Select this option to
exclude existing groups from a second authorization cycle.
• Make Protected - If you select this option, the folder no longer inherits
permissions from its parent.
• Copy Permissions - If you set the folder to Make Protected, select this
option to copy the parent folder's permissions to this folder. If you do
not select this option, then only the unique permissions remain on the
folder.
• Allow Direct Permission Requests - Select this option if you want to
enable creating direct permission requests on the folder.

6. Click OK.

Adding File Servers on the Fly


If you define a folder located in a file server that is not yet defined in
DataPrivilege, you can define the file server at the same time as the folder.
To add a base folder:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Click Add Folder.
The Add Base Folder wizard is displayed, on the Select Folders page.


3. Define the following:

• Select Location - From the drop-down list, select the location in which
you want to create the folder.
• Select Folders - Click the Browse button to select the required
folders.

4. Click Add.
If you have selected a folder located on a file server that is not yet
defined in DataPrivilege, the File Servers Definition dialog box is
displayed.


5. Type the credentials for each file server:

• User Name
• Password

6. Click OK.
The file server is defined in DataPrivilege.

Moving Base Folders


To move a base folder to a different location:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Expand the Display Name column to the base folder you want to move.
3. Select the base folder and click Move.
The Move Folder/ Location dialog box is displayed.


4. From the drop-down list, select the location to which you want to move
the base folder.
5. Click OK.

Removing Base Folders


To remove a base folder:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Expand the Display Name column to the base folder you want to remove.
3. Click Remove.

About Adding Data Owners


Data owners can be added in both the Base Folders view and the Data
Owners view.

Adding Data Owners in the Base Folders View


To add a data owner to a base folder in the Base Folders view:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Expand the Display Name column to the base folder to which you want to
add a data owner.
3. In the Data Owners pane on the right, click Add.
The Users Search dialog box is displayed.
4. Search for the required users.
5. Click OK.


Adding Data Owners in the Data Owners View


To add a data owner in the Data Owners view:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Click Add.
The Add Folder wizard is displayed.
3. Continue as described in Adding Base Folders in the Base Folder View.

Viewing Data Owner Details


To view data owner details:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Expand the Display Name column to the base folder whose data owner
details you want to view.
3. In the Data Owners pane on the right, click the information icon of the
data owner whose details you want to view.
The Folder Owner Details dialog box is displayed.

Removing Data Owners from Base Folders


To remove a data owner from a base folder:
1. From the left menu bar, select Administration > Base Folders to go to
the Base Folders pane.
2. Expand the Display Name column to the base folder from which you want
to remove a data owner.
3. In the Data Owners pane on the right, select the data owners to be
removed.
4. Click Remove.
The data owners are removed from the base folder.


Managing Entitlement Reviews


DataPrivilege ensures data owners and group owners review user
entitlement according to a defined schedule. The Entitlement Review
window lists all the members and permissions on managed objects, and
allows owners to decide to keep or remove any of the listed members
or permissions. A signing mechanism provides for full auditing of the
entitlement review process.
The relevant owner or authorizer must approve or decline each folder
relation or ACE for the managed object, and then sign the request.

Scheduling Entitlement Review Rules for Folders or Groups


You can configure and schedule rules that automatically create entitlement
reviews on folders and groups, according to the scope you define for these
entities.
DataPrivilege provides one predefined default rule for folders and another for
groups. These predefined rules schedule entitlement reviews for entities that
are not included in any other rule, or that are included in disabled rules. You
cannot edit or delete predefined rules.
To create entitlement review rules for folders and groups:
1. From the left menu bar, select Administration > Entitlement Review to
go to the Entitlement Review pane.
The Entitlement Review Administration pane is displayed in the main
workspace.

2. Select either the Folder Scheduling tab or the Group Scheduling tab as
necessary.
3. Click Add.
The Entitlement Review Details window is displayed.


4. In the Rule Name field, type a name for the rule.


5. Select or clear the Is Enabled check box to enable or disable the rule as
necessary.
Note: If you disable a predefined rule, no entitlement review requests will
be created for the entities included in the predefined rule.
6. On the Scope tab, define the expression the rule will calculate:
a. To add a clause, click Add below the filter type you are adding. You
may define as many clauses as you like, for any of the filters. You do
not need to define a clause for every filter type.

For folders:
• Folders
• Owners
• Domains
• Locations
• File Servers

For groups:
• Groups
• Owners
• Domains
• Locations
• OUs

b. From the drop-down boxes, select the required values to build the
clause.
c. Click Add to add additional clauses to that filter type as necessary.
Clauses are added with an OR relationship.


7. On the Scheduling tab, define a schedule according to which the rule will
run and create entitlement review requests.
a. In the Schedule Details area, set the time interval at which the request
is to be sent.
b. In the Start and End Dates area, specify the date on which the
schedule is to begin, and optionally, to end.
c. Click Save.
8. To view the entities that will be returned by the rule, click Calculate.
The Calculation Results window is displayed.

9. To run the rule immediately, click Run Now.


A confirmation message is displayed.
10. Click OK to create entitlement review requests for the results returned by
the rule.
11. Otherwise, click Save to run the rule according to the defined schedule.
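To make the scope semantics of step 6 concrete, here is an added Python model of how a rule's clauses select folders; it is an illustration written for this page, not DataPrivilege code. It follows the page in combining the clauses of one filter type with OR, in ignoring filter types that have no clauses, and in leaving entities matched by no enabled rule to the predefined default rule. It assumes that different filter types combine with AND and that a folder's path, owners, domain, location and file server map one-to-one onto the five folder filter types; the folder inventory is constructed sample data.

```python
"""Evaluate an entitlement review rule scope against a folder inventory.

Added example, not DataPrivilege code. OR within a filter type and the
default-rule fallback follow the page; AND across filter types is an
assumption. FOLDERS is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Folder:
    path: str
    owners: frozenset
    domain: str
    location: str
    file_server: str


# Constructed sample inventory (not real data).
FOLDERS = [
    Folder(r"\\fs01\finance\payroll", frozenset({"alice"}), "corp.example", "HQ", "fs01"),
    Folder(r"\\fs01\finance\audit", frozenset({"bob"}), "corp.example", "HQ", "fs01"),
    Folder(r"\\fs02\eng\builds", frozenset({"carol"}), "eng.example", "Lab", "fs02"),
    Folder(r"\\fs02\eng\specs", frozenset({"alice", "carol"}), "eng.example", "Lab", "fs02"),
]

# Folder filter types from the page, each mapped to the folder values it matches on.
FILTER_TYPES = {
    "Folders": lambda f: {f.path},
    "Owners": lambda f: set(f.owners),
    "Domains": lambda f: {f.domain},
    "Locations": lambda f: {f.location},
    "File Servers": lambda f: {f.file_server},
}


@dataclass
class ScopeRule:
    name: str
    enabled: bool = True
    clauses: dict = field(default_factory=dict)   # filter type -> list of values

    def add_clause(self, filter_type: str, value: str) -> None:
        """Add one clause under a filter type (clicking Add below that filter on the page)."""
        if filter_type not in FILTER_TYPES:
            raise ValueError(f"unknown filter type: {filter_type}")
        self.clauses.setdefault(filter_type, []).append(value)

    def matches(self, folder: Folder) -> bool:
        for filter_type, values in self.clauses.items():
            if not values:
                continue   # page: you need not define a clause for every filter type
            # OR within a filter type (page); AND across filter types (assumption)
            if not (FILTER_TYPES[filter_type](folder) & set(values)):
                return False
        return True

    def calculate(self, folders) -> list:
        """What the Calculate button would return: paths the rule selects."""
        if not self.enabled:
            return []
        return [f.path for f in folders if self.matches(f)]


def default_rule_scope(rules, folders) -> list:
    """Folders covered by no enabled rule fall to the predefined default rule (page)."""
    covered = set()
    for rule in rules:
        covered.update(rule.calculate(folders))
    return [f.path for f in folders if f.path not in covered]


if __name__ == "__main__":
    lab = ScopeRule("Lab owners")
    lab.add_clause("Owners", "alice")
    lab.add_clause("Owners", "carol")
    lab.add_clause("Locations", "Lab")
    print("rule selects:", lab.calculate(FOLDERS))
    print("default rule covers:", default_rule_scope([lab], FOLDERS))
```

The useful property to notice is the fallback: disabling a rule does not take its folders out of review, it moves them to the predefined default rule, which is exactly what the note under step 5 warns about for the predefined rules themselves.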

Setting Exceptions to the Entitlement Request


To set exceptions to the entitlement request:
1. From the left menu bar, select Administration > Entitlement Review to
go to the Entitlement Review pane.
2. Select the Configuration tab.


3. In the Default Behavior area, set the default behavior for all objects in the
system. Options are:

• Receive recommendations - Select if you want all DataPrivilege
objects to receive recommendations from IDU Analytics.
Note: This option is only available if the synchronization service is
installed.
• Require entitlement review
  - If selected, entitlement review requests are not created for entities
  added to the exceptions list.
  - If not selected, entitlement review requests are created only for
  entities added to the exceptions list.

4. In the Review Capabilities area, select the options you require to
determine whether owners and administrators can make decisions about
users belonging to groups managed by others. Options are:
• Allow owner to request removal of group membership on groups
managed by others. By default, this option is not selected.
• Allow administrator to automatically approve revocation of
permissions, including for entities owned by others. By default, this
option is not selected. Furthermore, it is only available if the first option
is selected.

5. In the Exceptions area, define exceptions to the rules and review
capabilities as follows:
a. For each object in the exceptions list, select any of the exceptions to
the default rules:
• Enable recommendations
• Require review
• Enable requests from other owners


b. To add a group to the exceptions list, click Add Group and search for
the required group.
c. To add a folder to the exceptions lists, click Add Folder and search
for the required folder.
d. Select the preferred number of rows to be displayed from the No. of
Rows drop-down list.
e. To export the list of exceptions to a CSV file, click Export and save
the file as required.
f. To import a saved list of exceptions from a CSV file, click Import and
select the required file. The file must have the following structure:
ObjectName,EnableRecommendations,RequireReview,EnableRequestsFromOtherOwners
6. In the Reset External Change Indicators area, click the button to reset the
indication on objects that were added outside DataPrivilege.

• Objects that are added as managed after the data is reset are marked
as Added outside DataPrivilege.
• The first time an object is added to DataPrivilege as managed (or
as bypassed), it is assumed all its members and permissions are
already approved. Therefore, only changes made to the managed
group after it is added to DataPrivilege are marked as "added outside
DataPrivilege". This includes references to the members of a group
that was added as managed (or as bypassed) to a new base or
managed folder.
• This indicator can be set uniquely on individual folders as necessary.

7. In the Signing Method area, select the type of signature each owner must
provide for the entitlement reviews he or she performs:

• Require text confirmation - In the Entitlement Review dialog box, the
owner must enter the word "Verify" in the signature field (or whatever
textual confirmation was configured in Application Settings).
• Require domain password - In the Entitlement Review dialog box, the
owner must enter his or her domain password.

8. In the Default View Options area, select the following options as relevant:
• Hide objects that cannot be changed - This option hides all rows that
cannot be changed (i.e., objects that are disabled) in the entitlement
review.
• Do not review members of unmanaged or unmonitored groups - This
option hides all the members of groups that are not managed (or set
as bypass) on the folder being reviewed.
• Do not review unmanaged permissions - This option hides all
unmanaged permissions on a folder.

9. Click Save.
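The import file in step 5f is the kind of list that gets edited by hand between export and import, so it pays to validate it before DataPrivilege reads it. The Python helpers below are an added example, not DataPrivilege code: they check the header exactly as the page gives it, parse the three flags, reject duplicate object names and short rows, and write the same layout back out so an exported list can be round-tripped. The accepted boolean spellings (true/false, yes/no, 1/0), the sample rows, and the decision to treat a listed object as an exception to the review default only when its RequireReview flag is set are assumptions constructed for the example; review_required otherwise applies the Require entitlement review behaviour exactly as step 3 describes it.

```python
"""Parse, validate and write an entitlement review exceptions CSV.

Added example, not DataPrivilege code. The header is the one the page gives;
boolean spellings, the sample rows and the RequireReview interpretation in
review_required are assumptions made for this example.
"""
import csv
import io

HEADER = ["ObjectName", "EnableRecommendations", "RequireReview",
          "EnableRequestsFromOtherOwners"]
_TRUE = {"true", "yes", "1"}     # assumption: spellings accepted on import
_FALSE = {"false", "no", "0"}

# Constructed sample file (not real objects).
SAMPLE_CSV = r"""ObjectName,EnableRecommendations,RequireReview,EnableRequestsFromOtherOwners
CORP\FIN-Payroll-RW,true,true,false
\\fs01\finance\audit,false,true,true
"""


def parse_bool(text: str, column: str, line_no: int) -> bool:
    value = text.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"line {line_no}: {column} must be true/false, got {text!r}")


def parse_exceptions(csv_text: str) -> dict:
    """Return {object_name: {flag_name: bool}}, rejecting malformed input."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows or [h.strip() for h in rows[0]] != HEADER:
        raise ValueError(f"header must be exactly: {','.join(HEADER)}")
    result = {}
    for line_no, row in enumerate(rows[1:], start=2):
        if not row or all(not cell.strip() for cell in row):
            continue   # tolerate blank lines
        if len(row) != len(HEADER):
            raise ValueError(f"line {line_no}: expected {len(HEADER)} fields, got {len(row)}")
        name = row[0].strip()
        if not name:
            raise ValueError(f"line {line_no}: ObjectName is empty")
        if name in result:
            raise ValueError(f"line {line_no}: duplicate ObjectName {name!r}")
        result[name] = {col: parse_bool(row[i], col, line_no)
                        for i, col in enumerate(HEADER) if i > 0}
    return result


def write_exceptions(exceptions: dict) -> str:
    """Serialize in the import layout so an exported list can be edited and re-imported."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    for name in sorted(exceptions):
        flags = exceptions[name]
        writer.writerow([name] + [str(flags[col]).lower() for col in HEADER[1:]])
    return out.getvalue()


def review_required(object_name: str, exceptions: dict, default_require_review: bool) -> bool:
    """Apply the Require entitlement review default from step 3.

    Default selected: listed objects are exempt. Default not selected: only
    listed objects are reviewed. An object counts as listed when its
    RequireReview flag is set (assumption).
    """
    listed = exceptions.get(object_name, {}).get("RequireReview", False)
    return default_require_review != listed


if __name__ == "__main__":
    parsed = parse_exceptions(SAMPLE_CSV)
    for obj in parsed:
        print(obj, "reviewed under default=True:", review_required(obj, parsed, True))
    print(write_exceptions(parsed))
```

Validating the file this way also catches the one mistake that matters most for an exceptions list: a row that silently flips the meaning of the default behaviour for an object nobody meant to exempt.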

Cancelling Pending Entitlement Review Requests


Administrators can cancel entitlement review requests that are pending for
folder owners and group owners.
IMPORTANT:
• Pending entitlement review requests can only be cancelled by an
administrator.
• If a folder or group owner opens an entitlement review request during its
cancellation by the administrator, the owner will not be able to sign the
entitlement review.

To cancel pending entitlement review requests:


1. From the left menu bar, select Summary.
The summary of the requests you have made in the past ten days is
displayed in the main workspace.

Note: You can also view and cancel pending entitlement review requests
by using the Simple or Advanced Search.
2. In the Waiting for My Review section, click the icon to the left of the
information icon for each pending entitlement review request that you
want to cancel.
A confirmation message is displayed.

3. Click OK.
The pending entitlement review request is cancelled.

7. Advanced Administration
Advanced administration of DataPrivilege includes the following tasks:

• Managing administrators and Floor Support personnel
• Configuring domains
• Editing and customizing permission types
• Managing file servers

Managing Administrators and Floor Support


As an administrator, you can add administrator rights to other users and
groups, remove such rights, and view the details of other users and groups.
You can also add users and groups to the Floor Support role.

Adding Users and Groups to Roles


To add a user or group to a role:
1. From the left menu bar, select Advanced Administration > User Roles
to go to the User Roles pane.

2. In the User Roles pane, click Add.


The User Search dialog box is displayed.


3. Search for the user or group you want to define.


4. Click Add.
The user or group is added to the Display Name pane.


5. From the User Roles area, select the role to which you want to add the
user or group. Options are:

• System Administrator
  - Allow Assigning New User Roles - Check this box to allow the
  System Administrator to assign new System Administrators or Floor
  Support and new data and group owners. If this box is clear, then
  the System Administrator will not have the ability to manage roles
  and will not see the Advanced Administration > User Roles
  pane.
• Floor Support

6. Click OK.

Editing User Roles


You may edit existing user roles and change their capabilities.
To edit user roles:
1. Go to Advanced Administration > User Roles.
2. Click the icon next to the name of the user whose role you want to
edit.


3. Edit as necessary.
4. Click OK.

Viewing User or Group Details


To view the details of a user or group:
1. From the left menu bar, select Advanced Administration > User Roles
to go to the User Roles pane.
2. In the User Roles pane, select the user or group whose details you want
to view.
3. Click the information icon for the user or group.
The User Roles Details dialog box is displayed, showing information
about the selected user or group.

4. If necessary, change the role of the user or group.


5. Click OK.

Removing Users and Groups from Roles


To remove a user or group from a role:
1. From the left menu bar, select Advanced Administration > User Roles
to go to the User Roles pane.
2. Select the user or group to be removed.
You may select more than one.
3. Click Remove.
The entity is removed from the role, and the entity's rights revert to those
of a regular entity.

Managing Permission Types


Administrators are responsible for managing permission types. This
includes:
• Editing standard predefined permission types
• Creating custom masks and flags for permission types that are created
outside DataPrivilege

Editing Predefined Permission Types


To edit a predefined permission type:
1. From the left menu bar, select Advanced Administration > Permission
Types to go to the Permission Types pane.

2. Click the name of the permission type, or click its information icon.
The Permission Type Details dialog box is displayed.

3. In the Permission Type Name field, edit the name of the permission type
as relevant.
4. In the Alias field, type a short name to be used for the permission type
when it is used in a new permission on a base or managed folder.
5. Select the following options as necessary:

• Is Monitored - Set whether the permission type is to be monitored.
• Allow new groups to be created with this permission type - Set
whether the new permission type is available for new groups.
• Visible - Set whether the permission type is visible to users.

6. Click OK.

Customizing Permission Types


You can customize permission types that are defined outside of
DataPrivilege, so that they become manageable by DataPrivilege. This
means DataPrivilege can monitor them and commit them to the file system.
Customization of a permission type includes:

• Defining a mask
• Determining the entities to which the customized permission type will be
applied
For a list of possible custom masks, see Customized Permission Masks.
To customize permission types defined outside DataPrivilege:

1. From the left menu bar, select Advanced Administration > Permission
Types to go to the Permission Types pane.

2. Click Add.
The Permission Type Details dialog box is displayed.


3. In the Permission Type Name field, edit the name of the permission type
as relevant.
4. In the Alias field, type a short name for the permission type when it is
used in a new permission on a base or managed folder.
5. Do one of the following to set the mask:

• Select one or more of the standard permissions from the Permissions
list on the left. Notice that this selection populates the Mask value
field.
• To use a non-standard (i.e., special) permission, type the required
mask value. To identify the mask value:
  1. Ensure a folder having the relevant special permissions is
  managed in DataPrivilege.
  2. In the Managed Folders pane (Management > Folder Owner),
  select the folder and then select the Permissions tab.
  3. Hover the mouse over the relevant special permission (indicated
  by the letter "S"). The mask value of the special permission is
  displayed in a ToolTip.
  4. Type this value in the Mask value field of the Permission Type
  dialog box.
  Notice the Special checkbox in the Permissions list is selected,
  even though it is disabled.
Note: If you enter a mask that is invalid, DataPrivilege
automatically sets the closest common mask.
6. From the Apply to drop-down list, select the entity types to which this
permission type can be applied.
7. Select the following options as necessary:

• Is Monitored - Set whether the permission type is to be monitored.
• Can be committed to file system - Set whether the permission type
can be committed to the file system.
• Visible - Set whether the permission type is visible to users.

8. Click OK.
The customized permission type is added to the Permission Types list.
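The mask value the ToolTip shows in step 5 is a Windows access mask, and reading it bit by bit is what makes the difference between a standard and a special permission visible. The Python below is an added example for this page, not DataPrivilege code: it decodes a mask into the Windows file access rights, reports which of the ACL editor's composites (Read, Write, Read & Execute, Modify, Full Control) it equals, and lists the composites that contain it. The bit values and composite masks are the documented Windows constants; whether DataPrivilege's predefined permission types correspond exactly to these composites, and how it picks the "closest common mask" for an invalid value, is not stated on the page, so the example does not attempt that correction and only flags bits it does not know.

```python
"""Decode and classify an NTFS access mask.

Added example, not Varonis code. FILE_RIGHTS holds the Windows file access
right bits (winnt.h); STANDARD_MASKS holds the composites the Windows ACL
editor labels Read, Write, Read & Execute, Modify and Full Control. That
DataPrivilege's standard permission types equal these composites is an
assumption made for this example.
"""

FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
KNOWN_BITS = 0
for _bit in FILE_RIGHTS:
    KNOWN_BITS |= _bit

STANDARD_MASKS = {
    "Read": 0x00120089,
    "Write": 0x00120116,
    "Read & Execute": 0x001200A9,
    "Modify": 0x001301BF,
    "Full Control": 0x001F01FF,
}


def decode_mask(mask: int) -> list:
    """Name every right set in mask; refuse bits this table does not describe."""
    unknown = mask & ~KNOWN_BITS
    if unknown:
        raise ValueError(f"mask {mask:#010x} has unknown bits {unknown:#010x}")
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]


def compose_mask(rights) -> int:
    """Build a mask from right names, as ticking standard permissions fills the Mask value field."""
    by_name = {name: bit for bit, name in FILE_RIGHTS.items()}
    mask = 0
    for name in rights:
        mask |= by_name[name]   # KeyError on a misspelled right name
    return mask


def classify_mask(mask: int) -> str:
    """Return the standard composite the mask equals, or 'Special' if it equals none."""
    for label, value in STANDARD_MASKS.items():
        if mask == value:
            return label
    return "Special"


def standard_supersets(mask: int) -> list:
    """Standard composites that grant every bit in mask (what a special permission sits below)."""
    return [label for label, value in STANDARD_MASKS.items() if mask & ~value == 0]


if __name__ == "__main__":
    # 0x001301BF is the ACL editor's Modify; 0x00120088 is Read without FILE_READ_DATA
    for m in (0x001301BF, 0x00120088):
        print(f"{m:#010x}: {classify_mask(m)} {decode_mask(m)} within {standard_supersets(m)}")
```

Before typing a mask from a ToolTip into the Mask value field, decoding it this way tells you what the new permission type will actually grant, and whether a standard type would have done instead of a custom one.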

Configuring Domains in the System

DataPrivilege supports the configuration of multiple domains, so that users
from one domain (the trusted domain) can access services in another
domain (a trusting domain).
To enable configuration of domains and trusts, the relevant domains may
either exist in the database or be discovered by the system.
To add trusts correctly, you must supply valid credentials.

Adding Trusted Domains to the System Configuration


To add trusted domains to your system's configuration:
1. From the left menu bar, select Advanced Administration > Domain
Configuration to go to the Domains pane.

2. Click Scan.
The Domain Synchronization dialog box is displayed.


3. Click the information icon of the relevant domain.


The Domain Details dialog box is displayed.

This dialog box provides the following information:

• NetBIOS Name - The domain's NetBIOS name.
• Domain Name - The fully qualified domain name.
• Domain Controller - A domain controller name found for the domain.
• Active Directory Search User - The credentials used by the searcher
server to obtain Active Directory users, groups and their attributes.
Enter the following details for the Active Directory Search User:
  - Domain\User name - Be sure to enter in this format.
  - Password
• Active Directory Commit User - The credentials used for Active
Directory modification operations, such as creation of groups, addition
of members, and so on.
  - If this user has the same credentials as the Active Directory search
  user, select the Same as searcher credentials checkbox.
  - If it has different credentials, enter its user name and password as
  described above.
• Base OU - Click the browse button to select the base OU in which
all the domain's entities are to be created. A base OU may be
selected for each domain monitored by DataPrivilege. If no base OU is
selected, DataPrivilege cannot create new groups.
• Is Monitored - Select this option if the domain is to be monitored.
This option enables you to select a subset of the trusted domains for
management. The default domain is always monitored.
• Domains trusted by this domain - A read-only list of outgoing trusts.
• Domains that trust this domain - A read-only list of incoming trusts.

4. Click OK.
The Domain Synchronization dialog box is displayed again.

5. Select the checkboxes of the domains to be added to the configuration.


6. Click Save.

Editing Domain Details


To edit domain details:
1. From the left menu bar, select Advanced Administration > Domain
Configuration to go to the Domains pane.
2. In the Domains pane, locate the relevant domain.
3. Click its information icon.
The Domain Details dialog box is displayed.

4. Edit the domain's details as necessary.


5. Click OK.

Monitoring Domains
Administrators can select a subset of the trusted domains to be managed by
DataPrivilege.
Note: If required, unmonitored domains can be synchronized with DatAdvantage. Set Synchronize unmonitored domains under Application Settings > Domain.
To monitor domains:
1. From the left menu bar, select Advanced Administration > Domain
Configuration to go to the Domains pane.
2. In the Domains pane, locate the relevant domain.
3. Click its information icon.
The Domain Details dialog box is displayed.
4. Select the Is Monitored checkbox.
5. Click OK.
The domain is set to be monitored by DataPrivilege.

Disabling Domains
If a domain resides in the database but is not set to be monitored by
DataPrivilege, it is disabled. Disabled domains cannot be the target of
requests or any other operation.
To disable a domain:
1. From the left menu bar, select Advanced Administration > Domain
Configuration to go to the Domains pane.
2. In the Domains pane, locate the relevant domain.
3. Click its information icon.
The Domain Details dialog box is displayed.
4. Clear the Is Monitored checkbox.
5. Click OK.

Removing Domains from the Database


If you remove a domain, all ownership and authorization assignments and
rules will be deleted from the database. This includes assignments and
rules for the domain's groups, as well as folders on file servers related to the
domain. DatAdvantage ownership assignments will also be deleted.
To remove a domain:
1. From the left menu bar, select Advanced Administration > Domain
Configuration to go to the Domains pane.
2. In the Domains pane, locate the relevant domain.
3. Select its checkbox.
4. Click Remove.
The domain is removed from the database.

Managing File Servers


With DataPrivilege, administrators can add file servers to the system as
necessary.

Searching for File Servers


To search for a file server:
1. From the left menu bar, select Advanced Administration > File Server
Definition to go to the File Servers pane.

This pane provides the following information for each file server:

Host Name - The name of the machine on which the file server
resides.

User Name - The name of the user having permissions on the file
server to search for folders and modify their permissions.

Domain Name - The name of the domain in which the file server
resides.

Commit Host - The name of the Commit engine defined for the file
server.
Note: For better performance, DataPrivilege enables the definition of
multiple Commit engines. See IDU Suite Installation Guide.

2. In the Search box, enter all or part of the host name you want to search
for.
3. Click Search, or select the required host from the list of results.

Adding File Servers


To add a file server:
1. From the left menu bar, select Advanced Administration > File Server
Definition to go to the File Servers pane.

2. Click Add.
The File Server Details dialog box is displayed.

3. Define the following attributes for the file server:

Select Host Name - Click the Browse button to select the name of the
host on which the relevant file server resides.

User Name - Type the name of the relevant user account, in the
format domain\user name.

Password - Type the password of the relevant user account.

Commit Host - From the drop-down list, select the name of the commit
host you want to define for the file server.

Affiliated domain - If you want DataPrivilege to detect the file server's domain for you, leave this set to Automatic. If DataPrivilege cannot detect the domain, you can manually select the domain from the drop-down list. Only monitored domains are shown in the drop-down list.

Base OU - The base OU in which all the domain's entities are to be created. Select the relevant option:

Inherited from domain - Use the domain's default OU.

Uniquely defined - Choose a different OU from those defined in the file server's domain.

Local Groups Management - Select the relevant option to enable or disable the management of local users and groups. If you choose to enable this option, the local host on which the file server resides becomes a monitored domain.

4. Click OK.

Removing File Servers


A file server can only be removed if no share is defined for it.
If you remove a file server, all ownership and authorization assignments
and rules will be deleted from the database. DatAdvantage ownership
assignments will also be deleted.
To remove a file server:
1. From the left menu bar, select Advanced Administration > File Server
Definition to go to the File Servers pane.
2. In the File Servers pane, select the checkbox of the file server to be
removed.
3. Click Remove.

Defining Credentials for File Servers and Root Folders


Administrators can define separate credentials for any file server or root
folder.
To define credentials for file servers or root folder:
1. From the left menu bar, select Advanced Administration > File Server
Definition to go to the File Servers pane.
2. In the File Servers pane, locate the relevant file server or root folder.

3. Click the name of the file server or root folder, or click its information icon.
The File Server Details dialog box is displayed.

4. Define the following attributes for the file server or root folder:

Select Host Name - Read-only. Indicates the name of the host on which the file server or root folder resides.

User Name - Type the name of the relevant user account, in the format domain\user name.

Password - Type the password of the relevant user account.

Commit Host - From the drop-down list, select the name of the commit host you want to define for the file server.

Base OU - The base OU in which all the domain's entities are to be created. Select the relevant option:

Inherited from domain - Use the domain's default OU.

Uniquely defined - Choose a different OU from those defined in the file server's domain.

Local Groups Management - Select the relevant option to enable or disable the management of local users and groups. If you choose to enable this option, the local host on which the file server resides becomes a monitored domain.

5. Click OK.

Migrating File Servers


Administrators can migrate a file server's scheme, permissions and
credentials to a new machine by changing the file server's name.
Note: The following restrictions apply to migrating a file server:

The file servers must have identical metadata (schemes, permissions, users, and credentials).

Only the metadata of the source file server is migrated.

The migration will delete any existing metadata on the target file server.

Only one file server can be migrated at a time.

The source and target file servers must be within the same domain.

If the source file server exists in DatAdvantage, it must be removed before performing the migration. Otherwise, the nightly synchronization process will override all migrated data.

Folders that are defined in DataPrivilege on the source file server must be defined on the target file server. Otherwise they will be marked as deleted.

The migration cannot take place while a commit transaction is running.

Before migrating the file server on DataPrivilege, it is recommended to clean up the source machine. Then migrate the data and structure of the source file server to the target file server without making any changes.
To migrate the file server on DataPrivilege:
1. From the left menu bar, select Advanced Administration > File Server
Definition to go to the File Servers pane.
2. In the File Servers pane, locate the relevant file server or root folder.

3. Click Migrate File Server.


The File Server Migration dialog box is displayed.

4. Click the name of the file server or root folder, or click its information icon.
5. Define the following attributes for the file server migration path:

In the To field, click the Browse button to select the host/folder name
to which you want to migrate the source file server.

From the drop-down list, select the name of the Commit Host you
want to define for the target file server.

Select the checkbox to confirm that the file servers have identical
schemes.

6. Click OK.
The file server table is updated with the name of the target file server.

Managing Excluded Groups


The Excluded Groups screen enables hiding selected groups. If a group is hidden, no request can be made on it and it does not appear on any user-facing screen.
It is important to remember that excluded groups cannot be managed, and
entities related to them also become unmanaged.
Only administrators may manage the list of excluded groups.

Adding Groups to the Exclusion List


To add entities to the exclusion list:
1. From the left menu bar, select Advanced Administration > Excluded
Groups to go to the Excluded Groups pane.

Removing Groups from the Exclusion List


If you remove a group from the exclusion list, it becomes monitored once
again after the FileWalk and ADWalk jobs are run. However, its data is not
restored; that is, its owners, authorizers, rules, etc., must all be redefined.
To remove a group from the exclusion list:
1. From the left menu bar, select Advanced Administration > Excluded
Groups to go to the Excluded Groups pane.
2. Select the checkboxes of the entities you want to remove from the
exclusion list.
3. Click Remove.

Removing Definitions of Undetected Folders


The Undetected Folders screen lists folders that were not found during the
last nightly synchronization process, which means they were not detected
in the file system for one reason or another. However, all the information
defined for them remains in DataPrivilege until they are explicitly selected for
removal. This information includes owner and authorizer definitions, rules,
and so on.
Note: To enable listing deleted folders on this screen, the Remove folders
from DataPrivilege that were not found in the last nightly synchronization
configuration key must be set to Mark the folder as removed in the file
system, but leave its definitions in DataPrivilege. If it is set to Remove the
folder and all its definitions from DataPrivilege, the folders are removed from
DataPrivilege as soon as the nightly synchronization process fails to find
them, and they are not listed here.
To remove undetected folders from DataPrivilege:
1. From the left menu bar, select Advanced Administration > Undetected
Folders to go to the Undetected Folders pane.

2. Select the checkboxes of the folders to be removed.


3. Click Remove.

8. Authorization
Authorizers are responsible for approving or declining requests assigned to
them by the various types of owners. In addition, authorizers who possess
certain owner privileges can perform the following tasks:

Grant users permissions to managed folders

Add users to groups

Sign entitlement reviews

When data authorizers approve or decline requests, only those groups to which a user can be assigned are displayed.

Authorization Levels
With DataPrivilege, multiple levels of authorization can be defined to ensure
data and entity membership are protected. An authorizer can be assigned to
any authorization level, even if the preceding levels have not been defined.

Approving or Declining Requests


There are several methods by which owners and authorizers can see
requests:

Through the Pending Requests menu

By filling out the form in the notification email and returning it

Through the Summary menu

Approving or Declining Requests through the Pending Requests Menu


To approve or deny a request through the pending requests menu:
1. Search for the relevant request.
The requests matching your search criteria are displayed in the My
Pending Requests or My Pending Requests To Auth pane, as relevant.

2. Click the information icon for the relevant request.


The Request Details dialog box is displayed.

3. In the Permissions for Folder area, select the relevant option:

Membership to - To make the request a membership request, select the group with the required permissions from the Membership to drop-down list.

Direct - To make the request a direct permission request (that is, to give the user permission on only this folder with this request), select the type of permission to be granted to the user from the Direct drop-down list. If you make this a direct permission request, the request type is changed to Direct Permission in the Summary pane.

Note: If the Allow Requesting Direct Permissions option is not set for
the folder, this dialog box does not display the Membership to and Direct
options (see Adding Base Folders).
4. Set the expiration date of the requested permission as relevant:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

5. In the Authorization area, select the relevant option:

Approve

Decline

6. In the Explanation field, type the reason for your decision.


7. Click OK to commit the changes you have made.
The changes take effect in the database, the file system and Active
Directory.

Approving or Declining Requests through Email


If you want, you can approve or decline requests directly in the notification
you receive regarding the request.
To approve or decline a request through email:
1. In the email, click Reply.
2. Type the letter 'X' between the brackets next to your choice.
3. In the Reason section, type a reason for your decision.
Caution: Be sure to only select the required option and type a reason.
Do not make any other change to the email.
4. Send the email.

Viewing and Approving Authorization Summaries


To view a summary of the authorizations for which you are responsible:


1. From the left menu bar, select Summary.
The summary of the requests you have made in the past ten days is
displayed in the main workspace. It comprises three sections:

My Requests - The requests you created for yourself, or that were created on your behalf

Requests Waiting for My Approval - Requests assigned to you for approval

Waiting for My Review - Requests assigned to you for entitlement review

2. Click the information icon for the relevant request.


The request's details are displayed.

3. If the request is still pending, you may edit its expiration date. In the
Expiration Date area, set the relevant date. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

4. In the Authorization area, select Approve or Decline as required.


5. Click OK.

Approving Multiple Requests


To approve multiple requests at once:
1. From the left menu bar, select Summary.

2. In the Requests waiting for my approval section, select the check boxes of the requests you want to handle.
3. Click Approve/Decline.
The Pending Request Selection dialog box is displayed.

4. To remove a request that was mistakenly added to this list:


a. Select the request to be removed.
b. Click Remove.
5. Type an explanation for your decision regarding these requests.
6. Select Approve or Decline as required.
7. Click OK.
Your decision and the reason for it are applied to all the requests in the
list.

About Performing Entitlement Reviews


Owners and authorizers are responsible for periodically reviewing user
entitlement to their managed folders and groups. The Entitlement Review
dialog box lists all the members and permissions on managed objects, and
allows owners to decide to keep or remove any of the listed members or
permissions.

Performing Entitlement Reviews on Folders


When you perform an entitlement review on a folder, you can view
permissions on the folder according to the user or group having permission,
or according to the file system. Two modes are available:

Simple - Displays an aggregate of the user's or group's permissions on the folder. For example, if a user has Read permissions and belongs to a group that has Write permissions, the user's aggregated permission is Modify.

Advanced - Displays one of the following, according to the view you select:

Users' effective permissions - The aggregate of the user's or group's permissions on the folder

File system permissions - A list of all the entities (users or groups) having permission to the folder

Note: These options may be hidden by configuration.

Reviewing Entitlement to Folders in Simple Mode


To review entitlement to folders:
1. Go to the Summary, or search for the relevant entitlement review.
2. Click the information icon for the relevant entitlement review request.
The Request Details dialog box is displayed.

In Simple mode, this dialog box provides the following information about
the users and groups that are related to the folder:

Folder Name - The name of the folder being reviewed.

Full Name - The full path of the folder being reviewed.

Status - Shows either changes outside DataPrivilege (since the last review) or recommendations for removal made by IDU Analytics. No status icon is displayed for the members of groups managed by other owners (including the recommended for removal and added externally to DataPrivilege icons).

User - Users and groups having a relation to the folder. (If any group in this list is managed, it appears with an underline. Click the group name to open a dialog box with an entitlement review request for that group.)

Permission - An aggregate of the user's or group's permissions on the folder. For example, if a user has Read permissions and belongs to a group that has Write permissions, the user's aggregated permission is Modify.

Decision and Explanation - Options allowing the reviewer to keep or remove the relation to the folder, along with an explanation for the decision (the explanation is mandatory).

By default, all relations that originate outside DataPrivilege (that is, without a permission or membership request) are recommended for removal. All other relations are recommended to be kept.

If the decision buttons are disabled or the explanation is too long to be viewed, hover the mouse over the question mark icon for more information. The buttons may be disabled for one of the following reasons:

The user is a member of a group that is owned by someone else and his membership cannot be revoked.

The user is a member of an unmanaged group and his membership cannot be revoked.

Expiration Date - Indicates the date on which the membership is set to expire. For instructions on editing this, see Changing the Permission Expiration Date.

Reason - The reason for the entitlement review request (optional).

Authorizers - All the folder's authorizers.

Signature - The signature of the owner or authorizer that made the decision regarding entitlement.

3. To review only objects that have changed since your last review, select
this option at the top of the dialog box.
4. Review the details of each relation.
5. For each relation, select Keep or Remove. If you choose to remove the
relation, you must enter an explanation in the Explanation field.
6. In the Reason field, enter a reason for the entitlement review.
7. If you approve, sign the entitlement review according to the signature
method that is provided, and click Sign.

Reviewing Entitlement to Folders in Advanced Mode


Advanced mode enables you to review entitlement by both user/group and
by folder.
To review entitlement to folders in Advanced mode:
1. Go to the Summary, or search for the relevant entitlement review.
2. Click the information icon for the relevant entitlement review request.
The Request Details dialog box is displayed.

3. Click Advanced.
The Advanced dialog box is displayed.

In Advanced mode, this dialog box provides the following information about the users that are related to the folder:

Folder Name - The name of the folder being reviewed.

Full Name - The full path of the folder being reviewed.

View - The focus of the content displayed in the dialog box. Options are:

Users' effective permissions - Select to view a list of the users related to the folder according to an aggregate of the users' permissions. In addition to the other fields described below, this view displays the following information:

User - The names of the users having a relation with the folder.

Group - Indicates how the user gained access:

Direct Permission - The user was granted direct permission to the entity.

<Group name> - The name of the group through which the user gained access.

Multiple Inheritance - The user is a member of more than one group through which access was inherited. (Click the information icon to perform an entitlement review of the various groups of which the user is a member.)

File system permissions - Select to view a simple list of users and groups having permissions on the folder. In addition to the other fields described below, this view displays the following information:

User/Group - The user or group having permissions on the folder.

Status - Shows either changes outside DataPrivilege (since the last review) or recommendations for removal made by IDU Analytics. No status icon is displayed for the members of groups managed by other owners (including the recommended for removal and added externally to DataPrivilege icons).

Decision and Explanation - Options allowing the reviewer to keep or remove the relation to the entity, along with an explanation for the decision (the explanation is mandatory).

By default, all relations that originate outside DataPrivilege (that is, without a permission or membership request) are recommended for removal. All other relations are recommended to be kept.

If the decision buttons are disabled or the explanation is too long to be viewed, hover the mouse over the question mark icon for more information. The buttons may be disabled for one of the following reasons:

The user is a member of a group that is owned by someone else and his membership cannot be revoked.

The user is a member of an unmanaged group and his membership cannot be revoked.

Expiration Date - Indicates the date on which the membership is set to expire. For instructions on editing this, see Changing the Permission Expiration Date.

Reason - The reason for the entitlement review request (optional).

Authorizers - All the entity's authorizers.

Signature - The signature of the owner or authorizer that made the decision regarding entitlement.

4. To review only objects that have changed since your last review, select
this option at the top of the dialog box.

5. Review the details of each relation.


6. For each relation, select Keep or Remove. If you choose to remove the
relation, you must enter an explanation in the Explanation field.
7. In the Reason field, enter a reason for the entitlement review.
8. If you approve, sign the entitlement review according to the signature
method that is provided, and click Sign.

Changing the Permission Expiration Date


To change the date in an entitlement review on which a user's or group's
permission expires:
1. Open the entitlement review.
2. In the Expiration Date column, click the link for the relevant folder.
The Edit Expiration Date dialog box is displayed.

3. Set the date on which the permission is to expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

4. Enter a reason for setting this expiration date.


5. Click OK.

Performing Entitlement Reviews on Groups


When you perform an entitlement review on a group, you can view all the
members of the group, including its subgroups, and their members. Two
modes are available:

Simple - Displays all the members of the group, regardless of their membership in subgroups.

Advanced - Displays one of the following, according to the view you select:

Users' relations - The group members, according to the hierarchy of groups and subgroups to which they belong.

First-level relations - Lists all the users whose membership in the group is direct, not through a subgroup.

Note: These options may be hidden by configuration.

Reviewing Entitlement to Groups in Simple Mode


To review entitlement to groups:
1. Go to the Summary, or search for the relevant entitlement review.
2. Click the information icon for the relevant entitlement review request.
The Request Details dialog box is displayed.

In Simple mode, this dialog box provides the following information about
the users and groups that are related to the group:

Entity Name - The display name of the group being reviewed.

Logon Name - The SAM account name of the group.

Domain Name - The domain to which the group belongs.

Status - Shows either changes outside DataPrivilege (since the last review) or recommendations for removal made by IDU Analytics. No status icon is displayed for the members of groups managed by other owners (including the recommended for removal and added externally to DataPrivilege icons).

User - Users and groups having a relation to the group. (If any group in this list is managed, it appears with an underline. Click the group name to open a dialog box with an entitlement review request for that group.)

Decision and Explanation - Options allowing the reviewer to keep or remove the relation to the group, along with an explanation for the decision (the explanation is mandatory).

By default, all relations that originate outside DataPrivilege (that is, without a permission or membership request) are recommended for removal. All other relations are recommended to be kept.

If the decision buttons are disabled or the explanation is too long to be viewed, hover the mouse over the question mark icon for more information. The buttons may be disabled for one of the following reasons:

The user is a member of a group that is owned by someone else and his membership cannot be revoked.

The user is a member of an unmanaged group and his membership cannot be revoked.

Expiration Date - Indicates the date on which the membership is set to expire. For instructions on editing this, see Changing the Membership Expiration Date.

Reason - The reason for the entitlement review request (optional).

Authorizers - All the group's authorizers.

Signature - The signature of the owner or authorizer that made the decision regarding entitlement.

3. To review only objects that have changed since your last review, select
this option at the top of the dialog box.
4. Review the details of each relation.
5. For each relation, select Keep or Remove. If you choose to remove the
relation, you must enter an explanation in the Explanation field.
6. In the Reason field, enter a reason for the entitlement review.
7. If you approve, sign the entitlement review according to the signature
method that is provided, and click Sign.

Reviewing Entitlement to Groups in Advanced Mode


Advanced mode enables you to review entitlement by both individual user
and by subgroups to which users belong.
To review entitlement to groups in Advanced mode:
1. Go to the Summary, or search for the relevant entitlement review.
2. Click the information icon for the relevant entitlement review request.
The Request Details dialog box is displayed.

3. Click Advanced.
The Advanced dialog box is displayed.

In Advanced mode, this dialog box provides the following information about the users that are related to the group:

Entity Name - The display name of the group being reviewed.

Logon Name - The SAM account name of the group.

Domain Name - The domain to which the group belongs.

Status - Shows either changes outside DataPrivilege (since the last review) or recommendations for removal made by IDU Analytics. No status icon is displayed for the members of groups managed by other owners (including the recommended for removal and added externally to DataPrivilege icons).

View - The focus of the content displayed in the dialog box. Options are:

Users' relations - Select to view a list of the users related to the group according to the subgroups to which the users belong. In addition to the other fields described below, this view displays the following information:

User - The names of the users having a relation with the group.

Group - Indicates how the user gained access:

Direct Permission - The user was granted direct permission to the entity.

<Group name> - The name of the group through which the user gained access.

Multiple Inheritance - The user is a member of more than one group through which access was inherited. (Click the information icon to perform an entitlement review of the various groups of which the user is a member.)

First-level relations - Select to view the users and groups having a direct relation to the group (that is, without being a member of a subgroup). In addition to the other fields described below, this view displays the following information:

User/Group - The user or group that is a member of the group.

Status - Shows either changes outside DataPrivilege (since the last review) or recommendations for removal made by IDU Analytics.

Decision and Explanation - Options allowing the reviewer to keep or remove the relation to the entity, along with an explanation for the decision (the explanation is mandatory).

By default, all relations that originate outside DataPrivilege (that is, without a permission or membership request) are recommended for removal. All other relations are recommended to be kept.

If the decision buttons are disabled or the explanation is too long to be viewed, hover the mouse over the question mark icon for more information. The buttons may be disabled for one of the following reasons:

The user is a member of a group that is owned by someone else and his membership cannot be revoked.

The user is a member of an unmanaged group and his membership cannot be revoked.

Expiration Date - Indicates the date on which the membership is set to expire. For instructions on editing this, see Changing the Membership Expiration Date.

Reason - The reason for the entitlement review request (optional).

Authorizers - All the entity's authorizers.

Signature - The signature of the owner or authorizer that made the decision regarding entitlement.

Proprietary and Confidential of Varonis

157

DataPrivilege 5.9 User Guide

4. To review only objects that have changed since your last review, select
this option at the top of the dialog box.
5. Review the details of each relation.
6. For each relation, select Keep or Remove. If you choose to remove the
relation, you must enter an explanation in the Explanation field.
7. In the Reason field, enter a reason for the entitlement review.
8. If you approve, sign the entitlement review according to the signature
method that is provided, and click Sign.
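
The relation classification shown in the Users' relations view (Direct Permission, <Group name>, Multiple Inheritance) and the default keep/remove recommendation can be modelled in a few lines. The following is an added example, not DataPrivilege code or any Varonis API: the GROUP_MEMBERS nesting, the MANAGED_RELATIONS set of memberships created through requests, and the rule that a relation's origin is judged on the user's immediate group membership are all assumptions constructed for the example.

```python
"""Added example (not DataPrivilege code): resolve how each user reaches a
reviewed group through nested membership, classify the relation the way
the Users' relations view does, and apply the default recommendation
(relations that originate outside DataPrivilege are recommended for
removal, all others to keep)."""
from collections import deque

# Constructed sample data. Keys are groups; values are their direct members
# (a member that is itself a key is a subgroup, anything else is a user).
GROUP_MEMBERS = {
    "Finance-Share-RW": ["alice", "Finance-Team", "Audit-Team"],
    "Finance-Team": ["bob", "carol"],
    "Audit-Team": ["carol", "Auditors-Ext"],
    "Auditors-Ext": ["dave"],
}

# Constructed: (user, group) memberships that were created through a
# DataPrivilege permission or membership request. Anything else originated
# outside DataPrivilege (for example, added directly in Active Directory).
MANAGED_RELATIONS = {("alice", "Finance-Share-RW"), ("bob", "Finance-Team")}


def resolve_relations(group, members=GROUP_MEMBERS):
    """Return {user: {(top_subgroup, immediate_group), ...}}.

    top_subgroup is the direct child of `group` the path runs through
    (None for a direct relation); immediate_group is the group the user
    is literally a member of on that path."""
    relations = {}
    for child in members.get(group, []):
        if child not in members:                       # a user: direct relation
            relations.setdefault(child, set()).add((None, group))
            continue
        seen, queue = {child}, deque([child])          # walk the subgroup tree
        while queue:
            current = queue.popleft()
            for member in members.get(current, []):
                if member in members:                  # nested subgroup
                    if member not in seen:
                        seen.add(member)
                        queue.append(member)
                else:                                  # a user reached via child
                    relations.setdefault(member, set()).add((child, current))
    return relations


def review_rows(group, members=GROUP_MEMBERS, managed=MANAGED_RELATIONS):
    """Build the Users' relations rows: how access was gained, plus the
    default recommendation the reviewer starts from."""
    rows = []
    for user, paths in sorted(resolve_relations(group, members).items()):
        if len(paths) > 1:                 # more than one path (direct + group counts too)
            how = "Multiple Inheritance"
        elif next(iter(paths))[0] is None:
            how = "Direct Permission"
        else:
            how = next(iter(paths))[0]     # the <Group name> column value
        # Assumption: a relation originates inside DataPrivilege only if every
        # membership the user's access rests on was created by a request.
        inside = all((user, immediate) in managed for _, immediate in paths)
        rows.append({"user": user, "group": how,
                     "recommendation": "Keep" if inside else "Remove"})
    return rows


def record_decision(row, decision, explanation=""):
    """Apply the reviewer's decision; removing a relation requires an
    explanation, since the Explanation field is mandatory for a removal."""
    if decision not in ("Keep", "Remove"):
        raise ValueError("decision must be Keep or Remove")
    if decision == "Remove" and not explanation.strip():
        raise ValueError("an explanation is mandatory when removing a relation")
    return {**row, "decision": decision, "explanation": explanation}


if __name__ == "__main__":
    for row in review_rows("Finance-Share-RW"):
        print(row)
```

With the constructed data, carol reaches the share through both Finance-Team and Audit-Team and is flagged Multiple Inheritance; because neither of her memberships was created by a request, the default recommendation is Remove, which is exactly the kind of relation a reviewer should look at first.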

Changing the Membership Expiration Date

To change the date in an entitlement review on which a user's or group's
membership expires:
1. Open the entitlement review.
2. In the Expiration Date column, click the link for the relevant user or group.
The Edit Expiration Date dialog box is displayed.
3. Set the date on which the membership is to expire. Options are:

Never

On - Click the calendar icon to select an expiration date.

After - In the text box, select the number of days after which the
permission is to expire.

4. Enter a reason for setting this expiration date.
5. Click OK.

9. Requests and Floor Support Activities

Regular users use DataPrivilege to:

Request access to data and track their requests

Request membership to groups and manage their memberships

Floor Support personnel can view all requests whose status is Pending.

Creating Requests
DataPrivilege enables creating the following types of requests:

Permission requests - For access to data

Membership requests - For membership in groups

DataPrivilege enables data owners and authorizers to create folder creation
requests through the Folder Management screens. For more information
about folder creation requests and the request authorization process, see
About Folder Creation Requests.

Creating Permission Requests

A permission request is created when users want access to data.
Note: If the management authorization (Authorizer 0) option is enabled
and the user for whom the request was made has a manager defined in
the Active Directory, the request must be authorized by the user's manager
before it is sent to the relevant owner or authorizer.
To create a permission request:
1. From the left menu bar, select Permission Request.
The Permission Request pane is displayed in the main workspace.


2. In the Users area, make sure the request is being made for the correct
users. If it is not, click the Change Users button to select the required
users. The selected users are displayed in the Users area.
3. To locate the folders for which the request is being made:
a. In the Folders area, click the Browse button to select the folder for
which permission is being requested (you may select more than one).
The Select Folders dialog box is displayed.
b. Search for the required folder or type its name in the Folders field.

c. Click Add.
The folders are added and displayed in the Operations area.
4. To define the required permissions for the folders:
a. In the Operations area, select the operation required for each folder
from the Available Operations drop-down list.
Note: When only one user is selected, effective permissions are
calculated and only relevant options are displayed in the Available
Operations drop-down list. However, if multiple users are selected, all
operations are displayed.
b. For each folder, select the required permissions from the Permissions
drop-down list.
c. To remove a folder from the request, select its checkbox and click
Remove.

5. In the Explanation area, type a free-text reason for the request.
6. To define an expiration date for the request (skip to the next step if you
do not want to define an expiration date):
a. If the Advanced pane is collapsed, click Advanced.
Note: The Expand or collapse Advanced pane in requests key
setting enables configuring this pane to be expanded when it is first
presented to the user.
The Expiration area is displayed.
b. Set the date on which the permission is to expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

7. Click Finish.
The request is created and one of the following occurs:

If a request was made for a single user, a summary is displayed.

If a request was made for multiple users, a list of users included in the
request is displayed. When a name is clicked, a summary for that user
is displayed.

Creating Membership Requests

A membership request is created for users and groups that require
membership in a group.
Note: If the management authorization (Authorizer 0) option is enabled
and the user for whom the request was made has a manager defined in
the Active Directory, the request must be authorized by the user's manager
before it is sent to the relevant owner or authorizer.
To create a membership request:
1. From the left menu bar, select Membership Request.
2. The Membership Request pane is displayed in the main workspace.


3. In the Users field, make sure the request is being made for the correct
users and groups. If it is not, click the Change Users/Groups button to
select the required users and groups.
The selected users are displayed in the Users area. When one or more
of the users has a manager defined in the Active Directory, the relevant
users' managers are displayed.

4. To locate the groups for which the request is being made:
a. In the Groups area, click the Browse button to select the groups for
which permission is being requested (you may select more than one).
The Select Groups dialog box is displayed.
b. Search for the required group.

c. Click Add.
The groups are added and displayed in the Operations area.
5. To define the required permissions for the groups:
a. In the Operations area, select the operation required for each group
from the Available Operations drop-down list.
Note: When only one user is selected, effective permissions are
calculated and only relevant options are displayed in the Available
Operations drop-down list. However, if multiple users are selected all
operations are displayed.

Proprietary and Confidential of Varonis

163

DataPrivilege 5.9 User Guide

b. To remove a group from the request, select its checkbox and click
Remove.

6. In the Explanation area, type a free-text reason for the request.
7. To define an expiration date for the request (skip to the next step if you
do not want to define an expiration date):
a. If the Advanced pane is collapsed, click Advanced.
Note: A key setting enables configuring this pane to be expanded
when it is first presented to the user.
The Expiration area is displayed.
b. Set the date on which the permission is to expire. Options are:

Never

On - Click the calendar icon to select an expiration date

After - In the text box, select the number of days after which the
permission is to expire.

8. Click Finish.
The request is created and one of the following occurs:

If a request was made for a single user, a summary is displayed.

If a request was made for multiple users, a list of users included in the
request is displayed. When a name is clicked, a summary for that user
is displayed.
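
The management authorization note and the expiration options apply to both permission and membership requests above. The following added example (not DataPrivilege code; the AD_MANAGER and ENTITY_AUTHORIZERS lookups, the status names Approved and Rejected, and the function names are assumptions constructed for it) builds a request's authorizer chain, maps the Never / On / After expiration options to a date, and walks the chain so that the owner or authorizer can only act after the manager (Authorizer 0) has approved.

```python
"""Added example (not DataPrivilege code): authorizer chain and expiration
handling for a permission or membership request."""
from datetime import date, timedelta

# Constructed lookups standing in for the manager attribute in Active
# Directory and for the owners/authorizers configured per entity.
AD_MANAGER = {"alice": "mgr_mia", "bob": None}
ENTITY_AUTHORIZERS = {r"\\fs01\finance": ["owner_fred"],
                      "Finance-Team": ["owner_gina"]}


def authorizer_chain(requested_for, entity, authorizer0_enabled,
                     ad_manager=AD_MANAGER, entity_authorizers=ENTITY_AUTHORIZERS):
    """Ordered list of approvers. With management authorization
    (Authorizer 0) enabled and a manager defined in AD, the manager
    authorizes first; the entity's owner/authorizer follows."""
    chain = []
    manager = ad_manager.get(requested_for)
    if authorizer0_enabled and manager:
        chain.append(manager)
    chain.extend(entity_authorizers.get(entity, []))
    if not chain:
        raise ValueError(f"no owner or authorizer defined for {entity!r}")
    return chain


def expiration_date(option, created, on=None, days=None):
    """Map the Expiration options (Never / On / After) to a date or None."""
    if option == "Never":
        return None
    if option == "On":
        if on is None or on <= created:
            raise ValueError("On requires a calendar date after the request date")
        return on
    if option == "After":
        if not days or days < 1:
            raise ValueError("After requires a positive number of days")
        return created + timedelta(days=days)
    raise ValueError(f"unknown expiration option {option!r}")


def create_request(requested_by, requested_for, entity, operation, explanation,
                   authorizer0_enabled=True, expiration="Never", on=None,
                   days=None, created=None):
    """Assemble a request the way the Finish step would; status starts Pending.
    `created` may be a date or an ISO date string (constructed convenience)."""
    if isinstance(created, str):
        created = date.fromisoformat(created)
    created = created or date.today()
    return {
        "requested_by": requested_by,
        "requested_for": requested_for,
        "entity": entity,
        "operation": operation,
        "explanation": explanation,
        "created": created,
        "expires": expiration_date(expiration, created, on, days),
        "pending_authorizers": authorizer_chain(requested_for, entity,
                                               authorizer0_enabled),
        "status": "Pending",
    }


def record_authorization(request, approver, approved):
    """Apply the next decision in the chain. Only the current head of the
    chain may decide, so the owner cannot act before the manager has."""
    if request["status"] != "Pending":
        raise ValueError("request is already closed")
    pending = request["pending_authorizers"]
    if not pending or pending[0] != approver:
        raise PermissionError(f"{approver!r} is not the current authorizer")
    request["pending_authorizers"] = pending[1:]
    if not approved:
        request["status"] = "Rejected"          # assumed status name
    elif not request["pending_authorizers"]:
        request["status"] = "Approved"          # assumed status name
    return request["status"]
```

The chain is the security-relevant part: a request stays Pending until each approver in order has signed off, and a rejection anywhere in the chain closes it, so a grant never reaches the owner's queue with the manager step skipped.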

Viewing and Editing Request Details

To view and edit the details of a submitted request:
1. Search for the relevant request.
The requests matching your search criteria are displayed in the Access
Requests or Access Authorizations pane, as relevant.
2. Click the information icon for the relevant request.
The Request Details window is displayed.
3. Edit the available fields as necessary.
4. Click OK.

Viewing Request Summaries

To view your request summaries:
1. From the left menu bar, select Summary.
The summary of the requests you have made in the past ten days
is displayed in the main workspace. It is comprised of the following
sections:

My Requests - The requests you created for yourself, or that were
created on your behalf.

Requests waiting for my approval - The requests you are responsible
for approving.

Waiting for my review - The entitlement reviews you are responsible
for handling.

2. To send an email to the user who made the request, or the user for whom
the request was made, click the user's name in the relevant column
(Requested By or Requested For).
3. Click the information icon for the relevant request.
The request's details are displayed.

4. If the request is still pending, you may edit its expiration date. In the
Expiration Date area, set the relevant date. Options are:

Never

On - Click the calendar icon to select an expiration date.

After - In the text box, select the number of days after which the
permission is to expire.

10. Reports
DataPrivilege enables you to generate a number of reports, regarding
administration, permission requests, synchronization, entitlement, and more.

Generating Reports in DataPrivilege

To generate reports:
1. From the left menu bar, select Reports to go to the Reports pane.
2. In the Report List pane, expand the tree to select the relevant report.
3. Configure and schedule the report as required.
4. Click Run.
The report is displayed in the Report View.

Filtering Report Results

To apply a filter to the report results:
1. In the Advanced Search pane, select the Filter tab.
2. To add a condition, click Add.
A new row is displayed, along with an AND/OR function drop-down list.

3. From the drop-down boxes, select the required values to build the search
condition.
a. From the AND/OR drop-down list, select the function you want to
define the relationship between the conditions.
b. To remove an extraneous condition, select the check box of the
relevant row and click Remove.
The extraneous condition is removed.
c. To clear the Filter pane, click Clear.
Note: The Filter Type list is dynamic and the available options
depend on the type of report you select.
4. To run the report, click Run.

Grouping Report Results

To group the report results:
1. In the Advanced Search pane, select the Group By tab.
2. To add a condition, click Add.
A new row is displayed.

3. From the drop-down list, select the required value to build the grouping
condition.
Note: The Group list is dynamic and the available options depend on the
type of report you select.
4. To remove an extraneous condition, select the checkbox of the relevant
row and click Remove.
The extraneous condition is removed.
5. To clear the filter area, click Clear.
6. To run the report, click Run.

Sorting Report Results

To sort the report results:
1. In the Advanced Search pane, select the Sort tab.
2. To add a condition, click Add.
A new row is displayed.

3. From the first drop-down list, select the field by which you want to sort the
search results.
4. From the drop-down boxes, select the required values to build the sort
condition.
Note: In the Reports view, the Sort option is only available for certain
reports.
5. From the second drop-down list, select the sort order.

6. To remove an extraneous condition, select the check box of the relevant
row and click Remove.
The extraneous condition is removed.
7. To clear the Sort pane, click Clear.
8. To run the report, click Run.

Using Extended Attributes to Retrieve Report Results

Extended attributes are made available for use in reports if they are mapped
for reports by the DataPrivilege administrator. Only extended attributes that
are so mapped are displayed on the Extended Attributes tab.
To select extended attributes:
1. In the Advanced Search pane, select the Extended Attributes tab.

2. From the Available Attributes list, select the extended attributes you want
to use to retrieve report data.

Use the right and left arrow buttons to move attributes to and from the
Selected Attributes list.

Use the up and down arrows to change the order in which attributes
are displayed in the report.

3. To run the report, click Run.

Scheduling and Subscribing to Reports

With DataPrivilege, you can schedule reports for automatic generation and
delivery as required. Use data-driven subscriptions to filter report contents
according to the recipient's owned objects.

Scheduling and Subscribing to Regular Reports

To schedule and subscribe to a report:
1. From the Report List, select the relevant report.
The Advanced Search dialog box is displayed.
2. Set the report criteria as necessary.
3. Select the Schedule tab.
The Report Subscription dialog box opens and displays settings in the
Subscr. Filters window.

4. To edit the filtering, grouping, sorting, or extended attributes settings,
click Cancel to close the window and edit the settings in the main
window.
Note: Changes you make at this stage are only relevant for the specific
subscription you are defining. They do not affect the main report.
5. Select the Delivery Options tab.
Delivery options are displayed.
6. Define the following parameters as relevant:

Report name - Type a free-text friendly name for the report
subscription.

Delivered by - From the drop-down list, select the entity to deliver the
report. Options are:

Report Server Email

Report Server File Share

To - Type the email addresses of the recipients of the report
(separated by semi-colons).

CC - Type the email addresses of users to receive copies of the report
(separated by semi-colons).

BCC - Type the email addresses of users to receive blind copies of
the report (separated by semi-colons).

Reply To - Type the email address of the user sending the report.

Subject - Type the subject line of the report.

Set the relevant attachment parameters:

Include report

Render Format - From the drop-down list, select the format in
which the report is to be delivered (only if you chose to include the
report with the email).

Include link - Select to include a link to the report's location on the
IDU server.
Note: This setting is hidden by default. It can be set from the
Application Settings tab.

Priority - From the drop-down list, select the relevant delivery priority.

Comment - Type a free-text comment in the field as necessary.

7. Select the Scheduler Options tab.
Scheduling options are displayed.
8. Define the following parameters as relevant:

Schedule Details - In this area, configure the frequency at which the
report is sent. Options are:

    Hour - Set the schedule as follows:
        Run the schedule every - Type the number of hours and minutes
        at which the report is to be generated.
        Start time - Set the hour at which the report job is to start.

    Day - Set the schedule as follows:
        Repeat after this number of days - Type the number of days at
        which the report is to be generated.
        Start time - Set the hour at which the report job is to start.

    Week - Set the schedule as follows:
        Repeat after this number of weeks - Type the number of weeks at
        which the report is to be generated.
        On day(s) - Select the checkboxes of the days on which the report
        is to be generated.
        Start time - Set the hour at which the report job is to start.

    Month - Set the schedule as follows:
        Month(s) - Select the month(s) for which you want to generate the
        report.
        On week of month - Select the 1st through 4th, or last week of the
        month in which the report is to be generated.
        On day of week - Select the day of the week at which the report is
        to be generated.
        On calendar day(s) - Select the date on which the report is to be
        generated.
        Start time - Set the time at which the report is to be generated.

    Once - Set the schedule as follows:
        Start time - Set the hour at which the report job is to start.

Start and end dates - Click the calendars to select the starting and
ending dates for the schedule you defined (you are not required to set
an ending date).

9. Click OK.
The schedule and subscription are complete.

Scheduling and Subscribing to Data-Driven Reports

Use data-driven subscriptions to filter report contents according to the
recipient's owned objects.
Data-driven filters are only enabled for reports that are available to data
and group owners or authorizers. However, while owners and authorizers
may view and work with data-driven reports, only administrators can create
subscriptions to them.
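
What a data-driven subscription does to one report can be shown with a small routing function. This is an added example, not DataPrivilege code: the OWNED_OBJECTS map, the report rows and the function names are constructed for it. It goes one step beyond the page by also listing rows that no selected owner or authorizer would receive, which is the check a practitioner wants when confirming that every request in the report is actually being seen by someone responsible for the object.

```python
"""Added example (not DataPrivilege code): route one report to owners and
authorizers so that each recipient sees only rows about objects they own,
honouring the "All owners/authorizers" and "Send report, even if empty"
options described above."""

# Constructed: objects (folders, groups) owned by each owner/authorizer.
OWNED_OBJECTS = {
    "owner_fred": {r"\\fs01\finance", r"\\fs01\hr"},
    "owner_gina": {"Finance-Team"},
    "owner_hank": set(),          # currently owns nothing
}

# Constructed report rows, as a permission request report might produce.
REPORT_ROWS = [
    {"entity": r"\\fs01\finance", "requested_for": "alice", "status": "Pending"},
    {"entity": "Finance-Team", "requested_for": "bob", "status": "Approved"},
    {"entity": r"\\fs01\legal", "requested_for": "carol", "status": "Pending"},
]


def data_driven_deliveries(rows, owned=OWNED_OBJECTS, all_owners=True,
                           selected=(), send_if_empty=False):
    """Return {recipient: [rows]} for a data-driven subscription.

    all_owners mirrors the "All owners/authorizers" checkbox; otherwise only
    the `selected` recipients are used. send_if_empty mirrors "Send report,
    even if empty": by default a recipient with no matching rows gets no
    report at all."""
    recipients = list(owned) if all_owners else list(selected)
    deliveries = {}
    for recipient in recipients:
        if recipient not in owned:
            raise KeyError(f"{recipient!r} is not a known owner or authorizer")
        # The filter: a recipient only ever sees rows about their own objects.
        subset = [row for row in rows if row["entity"] in owned[recipient]]
        if subset or send_if_empty:
            deliveries[recipient] = subset
    return deliveries


def unrouted_rows(rows, deliveries):
    """Rows that reach no recipient: objects with no (selected) owner or
    authorizer. Worth reviewing, since nobody is being told about them."""
    delivered = {id(row) for subset in deliveries.values() for row in subset}
    return [row for row in rows if id(row) not in delivered]


if __name__ == "__main__":
    sent = data_driven_deliveries(REPORT_ROWS)
    for recipient, subset in sent.items():
        print(recipient, [row["entity"] for row in subset])
    print("unrouted:", [row["entity"] for row in unrouted_rows(REPORT_ROWS, sent)])
```

In the constructed data the request for \\fs01\legal reaches nobody because no owner is assigned to that folder; that gap, not the rows that were delivered, is what an administrator reviewing the subscription should act on.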
To schedule and subscribe to data-driven reports:
1. From the Report List, select the relevant report.
The Advanced Search dialog box is displayed.

2. Define the filtering, grouping, sorting options and extended attributes for
the report.
3. Click Schedule.
The Report Subscription dialog box opens. The filtering, grouping and
sorting options that are already defined for the report are displayed in the
Subscr. Filters tab.
4. Select the Delivery Options tab.
The Delivery Options dialog box opens.
5. Select Data Driven.
The Data Driven Delivery Options are displayed.

6. Set the following parameters:

Report name - Type a free-text friendly name for the report
subscription.

All owners/authorizers - Select this checkbox to send the subscription
to all data or group owners or authorizers in the system.

Send report, even if empty - By default, reports are only sent if they
actually contain data (that is, events actually occurred during the
defined timeframe). Select this checkbox to send reports even if they
do not contain data.

Select Owners/Authorizers - If you did not select the All owners option,
select the specific owners or authorizers to whom you want to send
the report subscription.

Include Report

Include Link - Select to include a link to the report's location on the
IDU server.
Note: This setting is hidden by default. It can be set from the Application
Settings tab.

7. Select the Scheduler Options tab.
Scheduling options are displayed.
8. Define the following parameters as relevant:

Schedule Details - In this area, configure the frequency at which the
report is sent. Options are:

    Hour - Set the schedule as follows:
        Run the schedule every - Type the number of hours and minutes
        at which the report is to be generated.
        Start time - Set the hour at which the report job is to start.

    Day - Set the schedule as follows:
        Repeat after this number of days - Type the number of days at
        which the report is to be generated.
        Start time - Set the hour at which the report job is to start.

    Week - Set the schedule as follows:
        Repeat after this number of weeks - Type the number of weeks at
        which the report is to be generated.
        On day(s) - Select the checkboxes of the days on which the report
        is to be generated.
        Start time - Set the hour at which the report job is to start.

    Month - Select the start time and one of the following options for the
    time and recurrence pattern for generating the report:
        Set the date (1-31) and the recurring number of months on which
        the report is to be generated.
        Set the 1st through 4th, or last, day of the week (Monday-Sunday)
        and the recurring number of months on which the report is to be
        generated.

    Once - Set the schedule as follows:
        Start time - Set the hour at which the report job is to start.

Start and end dates - Click the calendars to select the starting and
ending dates for the schedule you defined (you are not required to set
an ending date).

9. Click OK.

Viewing Defined Subscriptions

To view defined subscriptions:
1. Access the Report List pane.
2. In the Report Name tree, select Root > (Relevant Report) >
Subscription > (Relevant Subscription).
The filtering, grouping and sorting options that are defined for the
subscription are displayed.

3. Change the subscription options as required.

Saving and Loading Report Criteria

After defining values and settings for filters, grouping and sorting columns,
and extended attributes in your report, you may save and load these criteria
for future use.
Note: The file will not load if you do not open the correct report for that
report category.
1. To save report criteria, click the Save button.
The file is saved in .xml format in a folder that you define. You may
modify the name of the report, which is provided by default.
2. To retrieve the file, click the Load button within the report category you
selected.
3. Search for and select the .xml file that holds your saved criteria.
The file opens and displays the properties you selected.

11. Searching
The following subsections provide instructions for searching for users,
permission requests and authorizations, and folders.

Searching for Users

The following activities require searching for users:

Adding administrators

Adding owners to groups

Adding data owners to base folders

Adding users to the Floor Support role

Creating authorization rules

Making requests

Generating reports

To search for users:
1. While carrying out the relevant activity, click Add.
The User Search dialog box is displayed.
2. In the User Search pane, click the Browse button.
The next User Search dialog box is displayed.

3. From the Select Domain drop-down list, select the domain in which to
perform the search.
4. From the first drop-down list, select the first search filter.
Note: The options appearing in this filter can be configured by Varonis
System Engineers.
5. From the second drop-down list, select the second search filter. Options
are:

Begins with

Ends with

Contains

That is

6. In the blank field, type the value specified by the first two search filters.
If you set the first two filters to User Name and Begins With, type the first
few letters of the user you are searching for.
7. Click Search.
A list of users matching the search criteria is returned.


8. Select the checkbox of the user to be added in the activity you are
currently performing.
9. Click OK.
The user is added.

Searching for Groups

The following activities require searching for groups:

Adding users to the Floor Support role

Creating authorization rules

Making requests

Generating reports

To search for groups:
1. While carrying out the relevant activity, click Add.
The Group Search dialog box is displayed.
2. Click the Browse button.
The next Group Search dialog box is displayed.

3. Do one of the following:

Select a domain in which to perform the search - Select the Domain
option and then select the required domain from the drop-down list.

Select a location in which to perform the search - Select the Location
option and then select the required logical location from the drop-down
list.

4. Select the Show Unmanaged Groups option to display these groups in
the list.
5. From the drop-down list, select the required search operator. Options are:

Begins with

Ends with

Contains

That is

6. In the blank field, type the required value to find the relevant group.
If you set the filter to Begins With, type the first few letters of the group
you are searching for.
7. Click Search.
A list of groups matching the search criteria is returned.
8. Select the checkbox of the group to be added in the activity you are
currently performing.
9. Click OK.
The group is added.

Searching for Folders

The following activities require searching for folders:

Searching for requests

Generating synchronization result reports

To search for folders:

1. In the Search pane for the relevant activity, click the browse button next
to the For Folder or By Folder field.
The Select Folder dialog box is displayed.

2. Expand the folder tree to locate the required managed folder.
Note: The tree displays only managed folders.
3. Select the folder's checkbox.
4. Click OK.
The name of the selected folder is inserted into the Folder field.

Searching for Requests

To search for requests:
1. From the left menu bar, select Search.
The Search submenu is expanded.
2. From the submenu, select the search type for the report to be generated.
Options are:

Search - To perform predefined searches.

Adv. Search - To perform an advanced search for requests by more
specific criteria.

The relevant search panes are displayed in the main workspace.

3. Set the required search criteria:

Search - Set the following options:

    Request Type - From the drop-down list, select the type of request
    for which you are searching. Options are:

        All

        Membership Requests

        Permission Requests

        Folder

    Select the request's frequency. Options are:

        Weekly

        Monthly

        Expired

Advanced search - For instructions, see Advanced Searching.

4. Click Search.
The requests that meet the specified criteria are displayed in the
Standard Search pane.

5. To view the details of a specific request in the report, click the information
icon for the request.
The Request Details dialog box is displayed.
6. To export the report to a Microsoft Excel spreadsheet, click Export.
7. To print the report, click Print.

Searching for File Servers

To search for file servers:
1. While carrying out the relevant activity, click Add.
The File Server Search dialog box is displayed.

2. From the Select Domain drop-down list, select the domain in which to
search for the relevant file server.
3. From the first drop-down list, select the first search filter. Options are:

Begins with

Ends with

Contains

That is

4. In the blank field, type the value specified by the first search filter.
If you set the first filter to "Begins With", type the first few letters of the file
server you are searching for.
5. Click Search.
A list of file servers matching the search criteria is returned.


6. Expand the Folder Name tree to locate the relevant file server.
7. Click OK.
The file server is added.

Searching by Organizational Unit

To search by an organizational unit:
1. While carrying out the relevant activity, click Add.
The Search Organizational Unit dialog box is displayed.


2. In the Select one or more organizational units pane, click the Browse
button.
The Search Organizational Unit dialog box is displayed.

3. To search the returned list:
a. From the Select Domain drop-down list, select the domain in which to
perform the search.
b. From the drop-down list, select the preferred search operator.
c. In the blank field, type the value specified by the first two search
filters.
4. Click Search.
A list of OUs matching the search criteria is returned.


5. Select the check boxes of the OUs to be added to the location and click
OK.
6. In the main Search dialog box, click Add.
The OUs are added to the bottom pane.
7. Click OK.

Advanced Searching
DataPrivilege's advanced search capabilities enable you to specify a wide
range of search criteria. The available criteria change depending on the type
of search you want to perform.
To set advanced search criteria:
1. From the left menu bar, select Search.
The Search submenu is expanded.
2. From the submenu, select Adv. Search.
The Search Filter pane is displayed in the main workspace.


3. In the Search Filter pane, set one or more of the following criteria for the
request for which you are searching:

Request by - Click the relevant browse button and search for the user
or group who made the request. The relevant entity is displayed in the
Request By field.

Created for - Click the relevant browse button and search for the user
or group who made the request. The relevant entity is displayed in the
Request For field.

Request Type - From the drop-down list, select the type of request for
which you are searching. Options are:

All

Entitlement Review

Direct Permission

Permission

Folder

Membership

Request Operation Type - From the drop-down list, select the type of
operation for which you are searching. Options are:

All

Grant

Revoke

Approve

Create

Status - Select one or more request statuses by which to search.

Request ID - Type the unique ID of the relevant request.

Start Date - Click the calendar to select the date on which the
permission related to the request is to start.

End Date - Click the calendar to select the date on which the
permission related to the request is to expire.

4. Click Search.
All requests that match the defined search criteria are displayed in the
Advanced Search pane.

12. Customizing the Menu Pages

DataPrivilege provides several menu buttons, the content pages of which
can be customized as necessary by DataPrivilege administrators. These
buttons, located at the top of the screen, include:

Home

FAQ

Help

Contact Us

About Us - This button provides information about Varonis Inc. and
cannot be customized.

To customize the content pages of the Home, Help and Contact Us buttons:
1. Click the relevant menu button at the top of the screen.
2. In the main workspace, click the Switch to Edit Mode link.
A robust text editor opens in the workspace.

3. Add or update the content page of the button as relevant.
4. Click Update.

Adding Questions and Answers to the FAQ

To add a question or answer to the FAQ:
1. Click the FAQ menu button at the top of the screen.
2. In the main workspace, click the Add button.
The FAQ Details dialog box is displayed.
3. Type the relevant text in the Question and Answer fields.
4. In the Sort Order field, type the number in which the question is to
appear.
5. Click OK.
The question and its answer are added to the FAQ page.

13. Configuration
This chapter provides instructions for configuring DataPrivilege to work with
Active Directory, and configuring general application settings.

Configuring Active Directory Properties

In order to work with DataPrivilege, the following Active Directory objects
must be mapped:

User schema

Group schema

Certain Active Directory objects must be provided to Varonis for mapping.
You can define others as necessary.
The procedure for mapping objects is the same, regardless of the object.
To map Active Directory objects with DataPrivilege:
1. From the left menu bar, select Configuration > AD Properties to go to
the AD Properties pane.

2. Click Add to map a new property.


The Property Details dialog box is displayed.

Proprietary and Confidential of Varonis

195

DataPrivilege 5.9 User Guide

3. Set the following attributes as necessary:

AD property name - Type the name of the Active Directory property to


which the object is to be bound.

AD property type - From the drop-down list, select the property's type.
Options are:

String

Multi-value - If you select this option, use the bottom part of the
dialog box to define valid values.

Display Name - Type the name of the property as it is to be displayed


in the DataPrivilege interface.

Use AD property for - From the drop-down list, select the type of
object for which the property is relevant. Options are:

User

Group

User and group

4. Set the options that define the property's visibility and usage:

196

Define AD property value visibility - Select this option to select all the
visibility options

Display as a column in the relevant search dialog boxes

Display the value on User and Group Details pages

Display as a column on Membership Request pages

Display as a column on management pages

Display as a column in entitlement reviews

Available Active Directory property functions - Select this option to


select all the usage options

Proprietary and Confidential of Varonis

Configuration

Allow AD property values to be used for searching in Users and


Groups dialog boxes

Enable Active Directory property values to be used as a condition


in rules - Select to enable using the property in automatic and
authorization rules

Enable Active Directory property values to be used in reports - Select


to enable using the Active Directory property value for displaying,
filtering, sorting, and grouping results in certain reports.
Note: You must also select the Active Directory property on the
Extended Attributes tab when configuring a report.

5. If you set the property's type to Multi-value, set its valid values as follows:
a. In the bottom part of the dialog box, click Add.
The Property Values Details dialog box is displayed.

b. For the first valid value, define the following attributes:

Friendly Name - Type the name of the valid value as it is to appear


in the user interface.

Value - Type the value of the property as it is defined in Active


Directory.

Sort Order - Type the number representing the order in which the
value is to be sorted.

c. Click OK.
The valid value is displayed in the bottom pane of the dialog box.

Proprietary and Confidential of Varonis

197

DataPrivilege 5.9 User Guide

d. Repeat for all other valid values to be defined.


6. In the Schema Details dialog box, click OK.
The dialog box is closed.
7. To edit the mappings of a property that has already been defined:
a. Click the information icon for the relevant property.
The Schema Details dialog box is displayed.
b. Edit the details as necessary.
c. Click OK.

Defining Application Settings

Administrators can configure a number of settings for DataPrivilege.

To configure application settings:

1. From the left menu bar, select Configuration > Application Settings to
go to the Application Settings pane.
The Application Settings pane is displayed in the main workspace, in Edit
mode.

2. In the Categories list, select the category of fields whose values you want
to edit.
The fields are displayed in the Fields pane, along with their currently
defined values. An asterisk (*) marks keys whose changed values take effect
only after the scheduler service is restarted.

3. Click the information icon for the field you want to edit.
The field's currently defined value is displayed in the Fields pane.

4. Edit the value as necessary.

5. Click Save.

Descriptions of Application Settings

Each setting below is listed with its description and, where the guide
gives one, its default value. Settings marked with an asterisk (*) require
the scheduler service to be restarted after their value is changed.

AD Management

The following settings are available in the AD Management category:

Allow data owners to set group bypass option - Allow data owners to set
the group bypass option, to exclude groups as necessary from the data
authorization process. The option can be changed in the Add Base Folder
and Add Managed Folders wizards.
Default value: False

By default, set existing Active Directory groups to Bypass - Allow
setting the group bypass option automatically when existing Active
Directory groups are added.
Default value: False

Enable users to delete locations that have groups in them - By default,
it is not possible to delete a logical location that contains groups.
Set this option to True to enable deleting these locations.
Default value: False

Default location for groups - Select the location in which new groups
are created by default.

Audit level for nightly synchronization (according to Revoke requests) -
Control changes to a group's relations (according to Revoke requests) as
follows:

None - No auditing. No revoke requests are created for relations.

Only for managed groups or flags - Auditing. Revoke requests are created
only for groups managed by DataPrivilege (i.e., that have owners or that
are set to bypass).

Only for Owners - Auditing. Revoke requests will be created only for
groups with owners.

Default value: Only for managed groups (having owners or flagged as
bypass)

Determine whether groups can be searched by domains or locations -
Determine whether groups can be searched by domains or locations in the
Administration > Groups > Group Owners screens and in group pickers.
Default value: Both Domains and Locations

Show the Bypass checkbox on the Add/Edit Folders screen - Show the
Bypass checkbox in the Add/Edit Folders screen, to enable excluding
groups from the data authorization process as necessary. Owners can see
this option only if Allow owners to set group bypass option is set to
True. Administrators can see the option regardless of the Allow
owners... setting.
Default value: True

On the Administration > Groups screen, show unmanaged groups by default -
Unmanaged groups are hidden unless it is otherwise specified, either
here or on an ad hoc basis (by selecting the Show Unmanaged Groups
option when searching for groups on the Managed Groups screen).
Default value: False

Synchronize group owners with Active Directory - If this option is set
to True, the primary group owner for each managed group is synchronized
to Active Directory, replacing the current value of the Managed By
attribute. A managed group can only have one primary group owner who is
synchronized to Active Directory. If the administrator does not assign a
primary group owner for a managed group, one is randomly selected during
the nightly job.
Default value: False

Exclude builtin groups from FileWalk - If this option is set to True,
built-in Windows groups are excluded from FileWalk and hidden in
DataPrivilege. When hidden, these groups and their permissions do not
appear on any user-facing screen.
Default value: False

Authentication

The following settings are available in the Authentication category:

Use resource users' identities exactly as entered for the domain's
impersonation user - If this option is set to True, user identities are
displayed as originally entered. However, if it is set to False, user
identities are converted to FQDN format.
Default value: True

Authorizers and Owners Rights

The following settings are available in the Authorizers and Owners Rights
category:

Allow authorizers to modify authorizer list - Ordinarily, only owners
and administrators can set authorizers. Set this option to True to allow
authorizers to set other users as authorizers.
Default value: False

Allow directory owners to add members to permitted groups, or remove
them - Allow directory owners to add members to groups having direct
permissions on their managed folders. When these groups have the bypass
option set, the request is automatically approved. Otherwise, it must be
approved by the group owner.
Default value: True

Allow administrators and owners to create new folders - Use this setting
to determine which roles can create new file system folders from
DataPrivilege. Options are:

Neither - Neither administrators nor owners may create new managed
folders directly on the file system from DataPrivilege.

Both - Both administrators and data owners can create new managed
folders.

Only administrators - Data owners cannot create new folders.

Default value: Both

Allow folder owners to edit names of new groups - By default, folder
owners can edit names of new groups. Set this option to False to prevent
folder owners from editing names of new groups while editing a folder.
If set to False, folder owners will not be permitted to create new
groups for new folders. Folder owners must first create the folder and
then edit it to create new groups.
Default value: True

* Allow top-level authorizers to approve entitlement review requests -
By default, only owners can approve entitlement review requests. Set
this option to True to allow top-level authorizers to approve such
requests as well.
Default value: False

* Allow authorizers to manage permissions on managed folders - By
default, authorizers cannot make changes to the entities for which they
are responsible. Set this option to True to allow authorizers to:

Add or remove permissions

Add or remove users

Default value: False

Allow owners and authorizers to perform file system operations - By
default, owners can change the permissions on the folders they own (add
or remove permissions). Authorizers can do so too, but only if Allow
authorizers to manage permissions on managed folders is True. If this
option is set to False, owners and authorizers cannot change direct
permissions on their folders (this setting does not affect system
administrators).
Default value: True

Allow owners to make a folder protected or inherited - By default,
owners cannot make a folder protected or inherited. However, if this key
is set to True, the Make Protected and Make Inherited checkboxes on the
Edit Folder screen become visible, so that owners can set folders
accordingly.
Default value: False

Enable SYSADMIN operations (add/remove folders and manage permissions)
for owners and authorizers - If set to False:

Users who are data owners (but not administrators) cannot affect
directories on the file system level:

Add or remove permissions from the folders they own.

Add, edit or remove folders from the base folders they own.

Create new permissions at the file system level.

Users who are authorizers (but not administrators) cannot add or remove
permissions from the folders for which they are responsible.

When performing an entitlement review, users cannot affect other users
who have direct permissions on a folder.

Default value: True

Allow adding a group to a group - Enable owners and authorizers to add
groups, not only individual users, to the selected permission. This
option is only available when the Allow owners and authorizers to
perform file system operations option is enabled for owners and
authorizers.
Default value: True

Next proposed authorization level for new authorizer - When a new
authorizer is defined, this setting determines the next authorization
level that is offered. Options are:

Increment max level = Last level value + 1

Max level = Highest level value

First level

Default value: Max level

Set roles that can modify automatic rules - By default, owners can
create, edit and delete automatic rules for their managed entities.
However, it is possible to limit owners' abilities, so that they can
only view automatic rules. If this limitation is set, owners who are
also administrators can modify rules as necessary. Set this option to
determine which roles can modify automatic rules. Options are:

All owners can modify automatic rules

Only owners who are also administrators can modify automatic rules

Default value: All owners can modify automatic rules

Set the permissions to be exported - By default, data owners and
authorizers cannot generate permissions reports from the Permissions
pane of the Folder Owner and Folder Authorizer screens. However, it is
possible to enable data owners and authorizers to generate one or both
of the permissions reports directly from the main Permissions pane. Set
this option to determine which permissions are exported for data owners
and authorizers. Options are:

None
Note: If selected, the Export Permissions option on the main
Permissions pane is not visible.

File system permissions

User-level permissions

Both

Default value: None

Number of managed folders displayed on a page - To improve performance,
set the number of managed folders to be displayed on each page.

Show direct permission request buttons for folder authorizers
Default value: True

Domains

The following settings are available in the Domains category:

Determine how locations are matched to users - Use this setting to
determine how logged-on users are matched to the properties defined for
each location. If the By organizational unit option is selected, the
OUs required for each location can be selected from a picker instead of
entered manually.
Default value: None

Active Directory property that determines the relevant location - This
value determines the Active Directory property by which the location
relevant to a user is determined.

Display locations according to - By default, only locations that match
the requestee's defined Active Directory properties are presented.
Otherwise, only locations that match the properties of the requester
(the user who creates the request) are presented.
Default value: Requestee's locations

Synchronize unmonitored domains - This setting determines whether owners
of groups on unmonitored domains are synchronized.
Default value: False

Use hard coded DC per Domain
Default value: False

Entitlement Review

The following settings are available in the Entitlement Review category:

Default view - Set the default view of entitlement reviews to Simple or
Advanced, as preferred.
Default value: Simple

Disable the Keep All and Remove All buttons in entitlement reviews - Set
this option to True to allow reviewers to keep or remove all relations
without reviewing them individually. Set it to False to enforce
individual review of entity relationships.
Default value: False

Require confirmation for entitlement reviews - Set this option to False
to hide the entitlement review signature, if there is no need for
confirmation.
Default value: True

Enable switching from Simple mode to Advanced mode on the request screen
- By default, persons responsible for entitlement reviews can work in
either Simple or Advanced mode as required. Set this option to False to
prevent switching to Advanced mode.
Default value: True

Exclude owners from the list of authorizers in entitlement reviews - Set
this value to True to ensure only true authorizers, not owners, appear
in the entitlement review's Authorizers section.
Default value: False

Entitlement review signing option - Determine how reviewers will sign
entitlement reviews. Options are:

User password

Text - If selected, the required text must be defined in the Text to be
used for the signature option.

Default value: User password

Text to be used for the signature - Set the text that users sign, to
indicate they have performed the required entitlement review.
Default value: Verify

Entitlement review confirmation, up to 140 characters - Set the text
that confirms performance of an entitlement review.
Default value: I confirm that I have reviewed the objects listed above,
along with their content.

Hide Change View option for Direct FS Permissions / Group Membership
relations in entitlement review - In the Advanced view, the View
drop-down list enables setting the focus of the content displayed in
the entitlement review. Use this option to hide the View drop-down list
if necessary. If it is hidden, only user-level views are displayed.
Default value: False

Receive recommendations from IDU Analytics - By default, DataPrivilege
receives recommendations from IDU Analytics. Set this option to False to
disable recommendations.
Default value: True

Require entitlement review for all managed objects - By default,
entitlement review is required for all managed objects. If this option
is set to False, only selected objects will undergo entitlement review.
Default value: True

File System and Active Directory

The following settings are available in the File System and Active Directory
category:

Allow expanding locations and folders that do not contain managed
subfolders - Performance can be negatively affected if the entire folder
tree is expanded each time a user navigates to a particular folder. This
setting enables administrators to allow such expansion, or to limit
expansion to include only locations and folders that contain managed
subfolders. By default, expansion is limited.
Default value: False

Allow users to request direct permissions - By default, users can
request direct permissions to a folder. Set this option to False to hide
the Allow direct permissions option when base or managed folders are
added.
Default value: True

Default value (IsBypasData) for created groups - Set this option to True
to set the Bypass value automatically for new DataPrivilege groups. If
it is set to False, the Bypass option can still be set as required for
specified groups.
Default value: True

Remove unique permissions when a folder is set to Inherited - When a
folder is set to Inherited, it may still retain unique permissions that
are not part of the inherited set. Use this setting to determine whether
the unique permissions are removed when the folder is set to Inherited,
thus making the folder fully inherited.
Default value: True

Enable emulation of direct permissions on folders, to groups which are
members in the directly permitted groups - Enable emulation of direct
permissions on folders, to groups which are members in the directly
permitted groups.
Default value: False

Set the membership level at which groups that are members of the
directly permitted groups will be emulated with direct permissions on
folders (level 1 means direct members of the directly permitted groups;
groups at other levels won't be emulated with direct permissions on
folders) - Set the membership level at which groups that are members of
the directly permitted groups will be emulated with direct permissions
on folders. Level 1 means direct members of the directly permitted
groups; groups at other levels won't be emulated with direct permissions
on folders.

Set the types of the directly permitted groups for which their members
of type group be emulated with direct permissions on folders (all member
group types will be emulated) - Set the types of the directly permitted
groups whose members of type group are emulated with direct permissions
on folders (all member group types will be emulated).
Default value: Local Group

Number of FileWalk threads - Set the number of threads that run
concurrently during execution of the FileWalk job. You may set between
1 and 20 threads.
Default value: 15

Set group name separator (invalid characters: , " > < ? + _ | ; : \ / [ ])
- Set the character to use in the naming convention to separate parts of
a group's name. The separator is limited to one character. Invalid
characters are: , " > < ? + _ | ; : \ / [ ]

Set naming convention for group names - Set the naming convention for
groups that are automatically named by DataPrivilege. Options are:

By folder and permission ID - Naming convention is <prefix>--1-1

By logical path - Naming convention is Local1folder1-folder2 execute

By logical path (only managed folders) - If folder1 is not managed, the
naming convention is Local1folder2-execute

Default value: By folder and permission ID

Group prefix for new groups in Active Directory (invalid characters:
/ \ [ ] : ; | = , + * ? < > ") - When a new permission is created, a new
group is created automatically and attached to the permission. This
option enables you to set a prefix to the name of such groups.
The group prefix is limited to 20 characters and must not contain
forbidden characters such as the following: / \ [ ] : ; | = , + * ? < > "
This option is only relevant for the By folder and permission ID option
of the Set naming convention for group names setting.
Default value: dp

Remove folders from DataPrivilege that were not found in the last
nightly synchronization - Use this setting to determine how folders that
were deleted in the file system are handled in DataPrivilege. Options
are:

Remove the folder and all its definitions from DataPrivilege - Select
this option to have deleted folders removed from DataPrivilege as soon
as the nightly synchronization process fails to find them.

Mark the folder as removed in the file system, but leave its
definitions in DataPrivilege - Select this option to keep the
definitions of selected folders in DataPrivilege if need be, even after
they have been deleted from the file system.

Default value: Mark the folder as removed in the file system, but leave
its definitions in DataPrivilege

Automatically select the Traverse option on managed folders - By
default, the Traverse option is selected automatically during creation
of managed folders. Set this option to False to keep the Traverse option
clear during folder creation.
Default value: True

Set default owners for unmanaged groups - Select the users who will be
owners of the unmanaged groups in DataPrivilege. Once an owner is
assigned to an unmanaged group, the default owners are no longer
associated with the group.
Default value: None. Enter the default owners for unmanaged groups
separated by semi-colons in the following format: domain\username1;
domain\username2, etc.

Set policy for assigning folder owners/authorizers as group
owners/authorizers on permitted groups - Determine whether folder owners
and authorizers can be made group owners and authorizers of the groups
that are created when base or managed folders are defined.
Default value: Do not allow

Grant traverse permissions to folders up to the share level - By
default, traverse permissions are granted only up to the level of a base
folder. Set this option to True to enable Traverse permissions up to the
level of the share.
Default value: False

Hide all real direct permissions on folders
Default value: False

Hide users and built-in groups with real direct permissions on folders
Default value: False
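As an added example that is not part of the Varonis guide or product, the Python helpers below apply the rules this category states for the group-name separator and the Active Directory group prefix, and parse the documented domain\username1; domain\username2 format of the default-owners value, so an administrator can check values before entering them in the Application Settings pane. The function names and the tolerance of a trailing semicolon are assumptions.

```python
"""Checks for DataPrivilege group-naming settings (hypothetical helpers).

Not Varonis code. The character lists and the 20-character prefix limit
are taken from the User Guide's descriptions of the "Set group name
separator", "Group prefix for new groups in Active Directory" and
"Set default owners for unmanaged groups" settings.
"""
from __future__ import annotations

# Characters the guide lists as invalid in the group-name separator.
SEPARATOR_INVALID = set(',"><?+_|;:\\/[]')
# Characters the guide lists as forbidden in the group prefix.
PREFIX_INVALID = set('/\\[]:;|=,+*?<>"')
# "The group prefix is limited to 20 characters"
PREFIX_MAX_LEN = 20


def validate_separator(separator: str) -> list[str]:
    """Return the problems with a proposed separator; an empty list means valid."""
    problems: list[str] = []
    # "The separator is limited to one character."
    if len(separator) != 1:
        problems.append("separator must be exactly one character")
    bad = sorted(SEPARATOR_INVALID & set(separator))
    if bad:
        problems.append("separator contains invalid characters: " + " ".join(bad))
    return problems


def validate_prefix(prefix: str) -> list[str]:
    """Return the problems with a proposed group prefix; an empty list means valid."""
    problems: list[str] = []
    if len(prefix) > PREFIX_MAX_LEN:
        problems.append(
            f"prefix exceeds {PREFIX_MAX_LEN} characters ({len(prefix)})"
        )
    bad = sorted(PREFIX_INVALID & set(prefix))
    if bad:
        problems.append("prefix contains forbidden characters: " + " ".join(bad))
    return problems


def parse_default_owners(value: str) -> list[tuple[str, str]]:
    """Parse 'domain\\user1; domain\\user2' into (domain, user) pairs.

    A malformed entry raises ValueError rather than being skipped, so a
    typo in the owner list is caught instead of silently dropping an owner.
    A trailing semicolon is tolerated (assumption, not stated by the guide).
    """
    owners: list[tuple[str, str]] = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        domain, sep, user = entry.partition("\\")
        if not sep or not domain.strip() or not user.strip():
            raise ValueError(f"owner entry not in domain\\username form: {entry!r}")
        owners.append((domain.strip(), user.strip()))
    return owners


if __name__ == "__main__":
    # Constructed sample values, including ones that violate the rules.
    print(validate_separator("-"), validate_separator("_"))
    print(validate_prefix("dp"), validate_prefix('dp"x'))
    print(parse_default_owners("corp\\alice; corp\\bob;"))
```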

General

The following settings are available in the General category:

Allow administrators to view all requests on the Summary screen - Set
this option to True to allow administrators to see all requests in the
My Requests pane. If it is set to False, administrators see only the
requests that are actually assigned to them.
Note: Administrators can always see all requests through the Advanced
Search pane, regardless of how this option is set.
Default value: True

Allow administrators to view and edit management screens (you must
refresh the browser) - Ordinarily, administrators who are not owners may
not view or edit management screens. Use this option to allow them to do
so. Options are:

False

View only

View and edit

Default value: View and edit

* Allow locations to be deleted even if they have base folders - By
default, users must manually remove all a location's entities (i.e.,
folders and groups) before deleting the location. Set this option to
True to enable deleting locations without first removing all their
entities.
Caution: The organization's data is better protected if this option is
disabled (set to False).
Default value: False

Date format - From the drop-down list, select the preferred format for
dates.
Default value: MMMM dd, yyyy

Default page - Set the default opening page for DataPrivilege.
Default value: Home

Default search expression - To simplify searches, set the default
expression operator to be used for all Active Directory searches.
Default value: Begins with

Allow approving or declining a request without providing an explanation -
Owners and authorizers must normally provide a reason for their
decision. Set this option to True to allow them to approve or decline a
request without providing a reason.
Default value: False

Expand or collapse Advanced pane in requests - Determine whether the
Advanced pane in the request wizard is expanded or collapsed by default.
Default value: Collapse

Exported file type: CSV or XLS - Determine the file type to which logs,
statistics and advanced search results are exported.
Default value: CSV

Default number of rows displayed on pages (0=ignore this setting) -
Determine the default number of rows displayed on pages containing
tabular information. To ignore this setting, set it to 0.

Show license information only to administrators - Set to False to enable
other roles to view DataPrivilege license information.
Default value: True

Maximum number of lines returned by the auto-complete search - Set the
maximum number of values that can be displayed by the auto-complete
feature during a search.
Default value: 20

Number of users allowed in permission requests - Set the maximum number
of users for which a permission request can be created.
Default value: 10

Number of users allowed in group membership requests - Set the maximum
number of users for which a membership request can be created. If a
group is selected, it is treated as a single entity, regardless of the
number of users it contains.
Default value: 10

Height of the printed page in pixels (excluding printed reports) - Set
the height of the printed page, in pixels (excluding printed reports).
Default value: 864

Active Directory property used for displaying images - Set the Active
Directory property used for displaying images in the User Details
window, if the organization chooses to display such images.
Default value: Image

Display table headers in tooltips - For each scrollable DataPrivilege
grid that has a fixed header, hovering the mouse over the column
displays the column header text in a ToolTip. Applies to use of
Internet Explorer only.
Default value: False

Disable Website (this setting will take effect 1 minute after it is set)
- Use this setting to shut down DataPrivilege temporarily if necessary.
Default value: False

Default number of days from the start date to the end date in the date
filter used in searches
Default value: 30

Maximum auto rule clauses
Default value: False

Default search mode for users & groups
Default value: Database

Allow Floor Support to see everything Administrators can see on the
Summary and Advanced Search screens
Default value: False

Page size for printing (excluding reports)
Default value: 864

Mail

The following settings are available in the Mail category:

Number of attempts to send email - Determine the number of attempts
DataPrivilege makes to send email notification before declaring
failure.

Distribution list (semicolon-delimited) of additional email recipients
for DataPrivilege messages - Define the email address to be used as a
control when DataPrivilege messages are sent. This address is the one to
which email is sent if the Additional email recipients option is
selected in the Send options for request templates. Multiple addresses
are separated by a semi-colon (;).

* Number of emails that can be sent in bulk - Set the number of emails
DataPrivilege can send in each mailing cycle (every 5 minutes).
Default value: 100

* SMTP password - The password of the SMTP server from which
DataPrivilege mail is sent.

Support recipient's email address - The address to which email sent to
Varonis Support is sent.

* SMTP address - The IP address of the SMTP server from which
DataPrivilege mail is sent.

* SMTP port - The port used by the SMTP server from which DataPrivilege
mail is sent.
Default value: 25

Use SSL for SMTP connections - Set to use SSL encryption for SMTP
connections.
Default value: False

* SMTP user - The user account that has access to the SMTP server from
which DataPrivilege mail is sent.

Enable mail auditing (disable to prevent adding new records to the
database) - By default, DataPrivilege does not store the email it sends.
System administrators can view this data via the Mail Auditing Report.
If this option is set to False, email is not stored and the Mail
Auditing report displays only the data stored until the key was
changed.
Default value: False

* "From" email address for email sent by Varonis - The email address
used in the From line on email sent by Varonis.

* "From" name for email sent by Varonis - The name used in the From line
on email sent by Varonis.

Mail cleanup (number of days to keep email sent by DataPrivilege; to
disable cleanup, set this option to 0) - Set the number of days to keep
email sent by DataPrivilege in the MailAuditing table. A nightly job
identifies records in this table that are older than the specified
number of days, and deletes them.
Default value: 120 days

* Account for processed email - The name of the account from which
DataPrivilege fetches processed email.

* Maximum number of emails to process at once - Set the maximum number
of emails that can be processed in each mailing cycle (every 5 minutes).
Default value: 20

* Account password for processed email - The password of the account
from which DataPrivilege fetches processed email.

* Port for processed email - The port used by the account from which
DataPrivilege fetches processed email.

* Protocol for processed email - The protocol DataPrivilege uses when
fetching email (POP3 or IMAP).
Default value: POP3

* Server for processed email - The IP address of the processed email
server from which DataPrivilege reads email.

* Use SSL encryption for email - Determines whether DataPrivilege email
is SSL-encrypted.
Default value: False

* Send email for auto-approved requests - Set this option to True to
have DataPrivilege send email notification for automatically approved
requests.
Default value: False

Properties to Bind

The following settings are available in the Properties to Bind category:

* Active Directory property for display name of users and groups - Set
the Active Directory property that determines how user and group names
appear in the Display Name column in grids. Changes to this value only
take effect following the nightly synchronization and browser restart.
Default value: cn

Active Directory welcome property - The Active Directory property to use
on the website banner next to the Welcome text.
Default value: cn

Select the AD property from which users' email addresses are retrieved.
Default value: mail

Active Directory property used for displaying images
Default value: Image

Remote Services

The following settings are available in the Remote Services category:

Enable API access to DataPrivilege - DataPrivilege provides a robust API
to enable creating membership and permission requests. If it is enabled,
any user may access the API; however, the usual validations are executed
on requests generated by the API to ensure they were created only by
authorized users.
Default value: False

Reports

The following settings are available in the Reports category:

Maximum visible entities in bar chart report - Set the maximum number of
entities for which results can be displayed in bar charts.
Default value: 20

Default number of days from the start to end dates displayed in the
Request Date filter - Set the default number of days from the start to
end dates displayed in the Request Date filter on the Search Request
pages, for use with the Requests and Authorizations report. The default
value represents the past number of days for which report results are
displayed. This option is set to the past 30 days by default.
Default value: 30

Custom CSS file name (without .css extension) for RS2005 - To use a
custom CSS file to control the look and feel of DataPrivilege reports,
enter its name here (without the .css extension).

Number of rows after which results are exported to a CSV file - Reports
that are especially large are automatically exported to a CSV file, for
performance reasons. This key sets the number of rows after which report
results are exported to CSV. The report includes a link to the Excel
file.
Default value: 1000000

Show "Include link" option in reports - Set this option to True to
include a link on the Report screen to the location of the generated
report on the IDU Server. This link can be used from the subscription
email.
Default value: False

Directory of CSV reporting created files

Request Life Cycle
The following settings are available in the Request Life Cycle category:

Field | Description | Default Value
Enable searching by owner in the membership request wizard | Set this value to True to enable end users to search for the requested group according to group owner. | False
Enable searching by owner in the permission request wizard | Set this value to True to enable end users to search for the requested folder according to data owner. | False
Method of determining when a request expires. Absolute = Use request creation date, Relative = Use last approval date | Use this key to define the way in which DataPrivilege counts the days until request expiration. Options are: Absolute - from the request's creation date; Relative - from the date of the last approval. Example: a request is created with an expiration of 3 days. Absolute: after two days, an authorizer at level 1 approves it and it waits for an authorizer at level 2; its status changes to Expired on the following day (day 3). Relative: after two days, an authorizer at level 1 approves it and the count restarts from that approval, so two days later authorizer 2 can still approve it. | ABSOLUTE
Include default text in the Request Reason area for requests created by the Enforce Rule option | | True
Enable management authorization | All requests are delivered to the requestee's manager (also known as Authorizer 0) for approval before they are sent to the regular list of authorizers. Set this option to False to skip management authorization. | False
The ADProperties column containing the manager value | Set the Active Directory attribute by which to search for the manager value for each user. | Manager
The ADProperties column to which the manager value is compared | The Active Directory attribute that determines how the manager value is parsed: the value read from the manager attribute is matched against this attribute to identify the manager's account. | distinguishedName
Allow owner to authorize requests pending to requestee's manager | Sends notification to owners, presents requests to owners and allows owners to authorize requests prior to manager approval. | True

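The two counting rules of the expiration setting, replayed in code. This is an added example written for this page and is not DataPrivilege code; it models only the expiration arithmetic the setting describes, with a constructed base date and authorizer levels reduced to a list of approval dates.

```python
"""Request expiration under the ABSOLUTE and RELATIVE methods.

Added example, not DataPrivilege code. It models only the two counting rules
the setting describes; day numbers are offsets from a constructed base date.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class ExpirationMethod(Enum):
    ABSOLUTE = "ABSOLUTE"   # count from the request's creation date
    RELATIVE = "RELATIVE"   # count from the date of the last approval


@dataclass
class Request:
    created: date
    expiration_days: int
    approvals: list = field(default_factory=list)  # approval dates, in order
    status: str = "Pending"


BASE = date(2014, 7, 1)  # constructed base date for the walk-through


def day(n: int) -> date:
    """Day n of the example timeline (day 0 is the creation date)."""
    return BASE + timedelta(days=n)


def expiry_date(req: Request, method: ExpirationMethod) -> date:
    """Date on which the request becomes Expired under the given method."""
    if method is ExpirationMethod.RELATIVE and req.approvals:
        anchor = max(req.approvals)      # the last approval restarts the count
    else:
        anchor = req.created             # ABSOLUTE, or no approval yet
    return anchor + timedelta(days=req.expiration_days)


def is_expired(req: Request, method: ExpirationMethod, today: date) -> bool:
    # The guide's example: a 3-day request created on day 0 is Expired on day 3.
    return today >= expiry_date(req, method)


def approve(req: Request, method: ExpirationMethod, level: int, on: date) -> bool:
    """Record an approval at an authorizer level; refused once the request expired."""
    if is_expired(req, method, on):
        req.status = "Expired"
        return False
    req.approvals.append(on)
    req.status = f"Approved at level {level}, pending next level"
    return True


def walk_example(method: ExpirationMethod) -> dict:
    """Replay the guide's example: 3-day expiration, level-1 approval on day 2,
    and a level-2 authorizer acting on day 4."""
    req = Request(created=day(0), expiration_days=3)
    level1 = approve(req, method, level=1, on=day(2))
    expiry_after_level1 = expiry_date(req, method)
    expired_day3 = is_expired(req, method, day(3))
    level2 = approve(req, method, level=2, on=day(4))
    return {
        "level1_accepted": level1,
        "expiry_after_level1": expiry_after_level1,
        "expired_on_day3": expired_day3,
        "level2_accepted": level2,
        "status": req.status,
    }


if __name__ == "__main__":
    for method in ExpirationMethod:
        print(method.value, walk_example(method))
```

Under ABSOLUTE the level-1 approval on day 2 does not move the deadline, so the level-2 authorizer is refused on day 4; under RELATIVE the deadline moves to day 5 and the same approval succeeds. A longer authorizer chain therefore needs either RELATIVE counting or an expiration long enough for every level.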
Statistics and Log/History
The following settings are available in the Statistics and Log/History category:

Field | Description | Default Value
Directory statistics, "Activity by Date" - Maximum visible records | Set the maximum number of visible records for Activity by Date statistics on directories. | 500
Directory statistics, "Inactive Directories" - Maximum visible records | Set the maximum number of visible records for Inactive Directories statistics on directories. | 500
Directory statistics, "Least Active Users" - Maximum visible records | Set the maximum number of visible records for Least Active Users statistics on directories. | 500
Directory statistics, "Subdirectory Statistics" - Maximum visible records | Set the maximum number of visible records for Subdirectory Statistics on directories. | 500
Group statistics, "Activity by Date" - Maximum visible records | Set the maximum number of visible records for Activity by Date statistics on groups. | 500
Group statistics, "Directory Utilization" - Maximum visible records | Set the maximum number of visible records for Directory Utilization statistics on groups. | 500
Log History, "Print" - Maximum records for printing | Set the maximum number of log records to be printed. | 500

Customizing the Appearance of DataPrivilege


The appearance of DataPrivilege is fully customizable. You can create a completely new look for your theme, or you can customize the classic blue DataPrivilege theme as desired. The following UI elements can be customized:
- Themes
- Page headers
- Requests
- Buttons
- Navigational menus
- Searches
- Grids
- Tabbed content
- Dialog boxes
- Other general elements

Selecting UI Themes
You can create a completely new look for your UI theme, or you can
customize the classic blue DataPrivilege theme as desired.
To select a UI theme:
1. From the left menu bar, select Configuration > Appearance to go to the Appearance pane.
Note: The image at the top of this screen is for illustration purposes only. It is static and will not change according to customization.
2. In the Theme area, select the type of theme you want to customize. Options are:
- Modern - The red/gray theme that is defined as the default in DataPrivilege 5.6 and higher.
- Classic - The original blue theme defined in previous versions of DataPrivilege.
3. Customize the various elements of the theme, using the links under Categories.

Deploying UI Themes
To deploy a UI theme:
1. From the left menu bar, select Configuration > Appearance to go to
the Appearance pane.

Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. Hover the mouse cursor over the name of the theme and click the
Deploy link when it is displayed.

The theme is deployed.


Previewing Customized Themes


To preview a UI theme:
1. From the left menu bar, select Configuration > Appearance to go to
the Appearance pane.

Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. To preview your customized theme, hover the mouse cursor over the
name of the theme and click the Preview link when it is displayed.

The customized theme is displayed.


3. To stop the preview and return to the customization screen, hover the
mouse cursor over the name of the theme and click the Stop preview
link when it is displayed.

The customization screen is displayed again.

Cloning Themes
You can easily clone a theme you have customized and save it under a new
name.
To clone a theme:
1. From the left menu bar, select Configuration > Appearance to go to
the Appearance pane.


Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. Hover the mouse cursor over the name of the theme and click the Clone
link when it is displayed.

The Cloned Theme Name dialog box is displayed.


3. Type a name for the new theme.
4. Click OK.
The cloned theme is added to the Themes list.

Deleting Customized UI Themes


You can only delete your own themes. You cannot delete the Modern and
Classic themes, which are provided out of the box with DataPrivilege.
To delete a UI theme:
1. From the left menu bar, select Configuration > Appearance to go to
the Appearance pane.

Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. Hover the mouse cursor over the name of the theme and click the X link
when it is displayed.


The theme is deleted.

Customizing the User Interface


To customize the UI:
1. From the left menu bar, select Configuration > Appearance to go to the Appearance pane.
2. Under Categories, select the item you want to customize.
3. Set the following attributes as relevant:
IMPORTANT: You must save each attribute as you define it. If you set several attributes at once without saving them, they are reset when you click Save for one of them.
The following items can be customized:
- Headers (Note: the logo image must be 145 pixels wide and 51 pixels high.)
- Requests
- Buttons
- Navigational menus
- General elements, including the style used for reports
- Search components
- Grid
- Tabbed content
- Dialog boxes

Customizing the Navigational Menus


You can customize a number of elements in the navigational menus,
including the menu text and the access permissions available for each menu
element.
To customize navigational menus:
1. From the left menu bar, select Configuration > Navigational Menus to
go to the Navigational Menus pane.


2. For each category, do the following:


a. Type the name to appear as the menu entry in the UI. For example,
you might change the name of the Home tab to Home Page.
b. Select the roles that are to have access to this menu item. For
example, you might decide that only group owners and authorizers
can create membership requests. To implement this, clear all the
other roles under Menu Options > Membership Requests and
leave only Group Owners and Group Authorizers selected for this row.
3. To reset all your changes at once, click Reset.
4. Click Save.

Customizing and Configuring DataPrivilege Mail


You can easily customize the header, footer and body of email sent by
DataPrivilege.
To customize the appearance of DataPrivilege email:
1. From the left menu bar, select Configuration > Mail Appearance to go
to the Mail Appearance pane.


Note: The image at the top of this screen is for illustration purposes only.
It is static and will not change according to customization.
2. In the Header area, set the email header as required:
a. To select the required background color, click the colored square or
type its hexadecimal value in the field.
b. To set the alignment of content in the left pane, select the required
option from the Align drop-down list.
c. To set an image in the left pane:
i. Select the Image option.
ii. Click the Browse button to select the required image.
d. To set text in the left pane:
i. Select the Text option.
ii. Enter the required text in the field.
iii. Set its font, size and color as required.
e. To set the center and right panes, repeat the above steps.
3. In the Body area, set the email body as follows:
a. To select the required background color, click the colored square or
type its hexadecimal value in the field.
b. Set the font, size and color for the three types of text: regular,
emphasized and linked.
4. In the Footer area, set the email footer as follows:
a. To select the required background color, click the colored square or
type its hexadecimal value in the field.


b. In the Text field, type the boilerplate text to appear at the bottom of
emails, and set its font, size and color.
5. To preview your customization, click Preview.
6. To apply your customization, click Apply.
7. To cancel your customization, click Cancel.
8. To reset your customization, click Reset.

Customizing Request Notifications


You can customize the content of notifications regarding permission
requests and group membership requests as needed.
To customize DataPrivilege request notifications:
1. From the left menu bar, select Configuration > Mail Configuration to
go to the Mail Configuration pane.
2. Select the relevant tab, either Permission Requests or Group
Membership Requests.

This screen displays several elements for each of the following notification types:
- Request made - A notification informing the selected users that a request has been made. Information includes the type of request, the entity for which the request was made, the user on whose behalf it was made, and the user who created the request.
- Request handled - A notification informing the selected users that a request has been handled. Information includes the type of request, the entity for which the request was made, the user on whose behalf it was made, and the user who created the request.
- Request summary - A notification summarizing a particular request, including its resolution and the user who made the decision.

3. Under the type of notification you are configuring (request made, request handled or request summary), set the following elements:
- Send options - Select the roles that can receive email from DataPrivilege regarding requests.
- Subject - Select the checkbox and click Edit to create a customized subject line for emails. Use any of the key placeholders you need to create the template.
- Text at top of message - Select the checkbox and click Edit to create boilerplate text that appears in the header of the email.
- Text at bottom of message - Select the checkbox and click Edit to create boilerplate text that appears in the footer of the email.
- Custom HTML formatting - Select the checkbox and click Edit to upload a file that DataPrivilege can use as an HTML template for the email. DataPrivilege scans the file for keywords and substitutes request data for the keywords. Aside from replacing the keywords with data, DataPrivilege does not make any other changes to the file, so the uploaded file must already be well-formed HTML. Keep in mind that some of the substituted request data, such as the request reason, is free text typed by the requester.
- Allow approve via reply - If a processed mail server is defined in Application Settings, select the checkbox to allow approving requests by replying to the email. A reply then counts as an authorization decision, so protect the mailbox it arrives in: enable SSL for the processed email server (Application Settings > Use SSL encryption for email) and treat that mailbox's credentials as privileged.
- Send reminder - Use the drop-down lists to set the frequency at which reminders are sent to recipients.
- Expiration time - Set the number of days after which the request will expire if the recipients do not take any action.
- Expiration action - Set the action to be taken on the request after it expires.
4. To preview the email, click Preview.
5. To export the template to HTML, click Export and select the location at which you want to save the template.
6. Click Apply.
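A keyword-substituting renderer of the kind the Custom HTML formatting option describes, as an added example; it is not DataPrivilege code. The guide does not document the keyword syntax or say how substituted values are treated, so the {{Keyword}} syntax, the keyword names and the sample request data below are assumptions made for the example. The point it demonstrates is the check a reviewer of a custom template wants: free-text request fields such as the reason are written by the requester, and they must be HTML-escaped on substitution, or the requester controls markup in the mail the authorizer reads.

```python
"""Keyword substitution for a custom HTML mail template, with escaping.

Added example, not DataPrivilege code. The {{Keyword}} syntax, the keyword
names and the sample data are constructed for the example; the guide only
says that keywords are replaced with request data and the file is otherwise
left unchanged.
"""
import html
import re

# Assumed placeholder syntax: {{KeywordName}}
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z][A-Za-z0-9_]*)\s*\}\}")

# Constructed template. {{NoSuchKeyword}} is not a known keyword and must
# survive untouched, because only keywords are replaced.
SAMPLE_TEMPLATE = """<html><body>
<h2>Request {{RequestId}}: {{RequestType}} on {{Entity}}</h2>
<p>Requested for {{RequestFor}} by {{RequestBy}}</p>
<p>Reason: {{Reason}}</p>
<p>{{NoSuchKeyword}}</p>
</body></html>"""

# Constructed request data. Reason is free text typed by the requester, so it
# is the field an untrusted user controls.
SAMPLE_DATA = {
    "RequestId": 4711,
    "RequestType": "Permission request",
    "Entity": r"\\fileserver\finance\budget",
    "RequestFor": "jdoe",
    "RequestBy": "jdoe",
    "Reason": 'Need access <img src=x onerror="alert(1)"> for the quarterly close',
}


def render(template: str, data: dict, escape: bool = True) -> str:
    """Replace every known {{Keyword}} with its value; leave the rest as is.

    With escape=True each value is HTML-escaped, so requester-supplied text
    is shown literally. With escape=False the value is pasted in verbatim,
    which is what a template engine must not do with free-text fields.
    """
    def substitute(match):
        key = match.group(1)
        if key not in data:
            return match.group(0)          # unknown keyword: file unchanged
        value = str(data[key])
        return html.escape(value, quote=True) if escape else value

    return PLACEHOLDER.sub(substitute, template)


def injected_tags(template: str, rendered: str) -> list:
    """Tag names present in the rendered mail but absent from the template.

    A cheap review check: anything extra can only have come from substituted
    data, i.e. from a value that was not escaped.
    """
    tag = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)")
    extra = set(tag.findall(rendered)) - set(tag.findall(template))
    return sorted(extra)


if __name__ == "__main__":
    safe = render(SAMPLE_TEMPLATE, SAMPLE_DATA)
    unsafe = render(SAMPLE_TEMPLATE, SAMPLE_DATA, escape=False)
    print("escaped   :", injected_tags(SAMPLE_TEMPLATE, safe))
    print("unescaped :", injected_tags(SAMPLE_TEMPLATE, unsafe))
```

Run the same check against a rendered copy of your own template: if a tag appears in the output that is not in the uploaded file, a substituted value carried it.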

Customizing Entitlement Review Notifications


You can customize the content of notifications regarding entitlement reviews
as needed.
To customize entitlement review notifications:
1. From the left menu bar, select Configuration > Mail Configuration to
go to the Mail Configuration pane.
2. Select the Entitlement Review tab.


3. Under the type of notification you are configuring (ER initiated or ER completed), set the following elements:
- Send options - Select the roles that can receive email from DataPrivilege regarding entitlement reviews. Recipients receive only one email regarding entitlement review requests, which provides a link to the summary page.
- Subject - Select the checkbox and click Edit to create a customized subject line for emails. Use any of the key placeholders you need to create the template.
- Text at top of message - Select the checkbox and click Edit to create boilerplate text that appears in the header of the email.
- Text at bottom of message - Select the checkbox and click Edit to create boilerplate text that appears in the footer of the email.
- Custom HTML formatting - Select the checkbox and click Edit to upload a file that DataPrivilege can use as an HTML template for the email. DataPrivilege scans the file for keywords and substitutes request data for the keywords. Aside from replacing the keywords with data, DataPrivilege does not make any other changes to the file.
- Send reminder - Use the drop-down lists to set the frequency at which reminders are sent to recipients.
- Expiration time - Set the number of days after which the request will expire if the recipients do not take any action.
- Expiration action - Set the action to be taken on the request after it expires.
4. To preview the email, click Preview.
5. To export the template to HTML, click Export and select the location at which you want to save the template.
6. Click Apply.


Customizing Confirmation Notifications

You can customize the content of confirmation emails as needed.
To customize confirmation notifications:
1. From the left menu bar, select Configuration > Mail Configuration to go to the Mail Configuration pane.
2. Select the Confirm Template tab.
3. Set the following elements:
- Subject - Select the checkbox and click Edit to create a customized subject line for emails. Use any of the key placeholders you need to create the template.
- Text at top of message - Select the checkbox and click Edit to create boilerplate text that appears in the header of the email.
- Text at bottom of message - Select the checkbox and click Edit to create boilerplate text that appears in the footer of the email.
- Custom HTML formatting - Select the checkbox and click Edit to upload a file that DataPrivilege can use as an HTML template for the email. DataPrivilege scans the file for keywords and substitutes request data for the keywords. Aside from replacing the keywords with data, DataPrivilege does not make any other changes to the file.
4. To preview the email, click Preview.
5. To export the template to HTML, click Export and select the location at which you want to save the template.
6. Click Apply.

Customizing Notifications for Exported Permissions

You can customize the content of email notifications regarding exported permissions as needed.
To customize notifications for exported permissions:
1. From the left menu bar, select Configuration > Mail Configuration to go to the Mail Configuration pane.
2. Select the Export Template tab.
3. Set the following elements:
- Subject - Select the checkbox and click Edit to create a customized subject line for emails. Use any of the key placeholders you need to create the template.
- Top boilerplate text - Select the checkbox and click Edit to create boilerplate text that appears in the header of the email.
- Bottom boilerplate text - Select the checkbox and click Edit to create boilerplate text that appears in the footer of the email.
- Custom HTML formatting - Select the checkbox and click Edit to upload a file that DataPrivilege can use as an HTML template for the email. DataPrivilege scans the file for keywords and substitutes request data for the keywords. Aside from replacing the keywords with data, DataPrivilege does not make any other changes to the file.
4. To preview the email, click Preview.
5. To export the template to HTML, click Export and select the location at which you want to save the template.
6. Click Apply.

Customizing Request Fields


You can add and edit fields for permission and membership requests as
needed.
Note: Predefined fields, provided out of the box, cannot be changed in any
way.
To customize request fields:
1. From the left menu bar, select Configuration > Customized Request Fields to go to the Customized Request Fields pane.
The currently defined request fields are displayed on two tabs, Permission Requests and Group Membership Requests.
2. Select the tab for the type of request for which you want to create a new field.
3. To create a new custom field, click Add.
The Customized Request Field dialog box is displayed.
4. Set the following properties for the new field:
- Field name - The name of the new field. The name can include up to 250 characters and must be unique.
- Description - A description of the new field. You can drag the lower right corner of the description box to enlarge it.
- Field order - The order in which the field is displayed. The order of the predefined fields cannot be changed; however, customized fields can be displayed in between predefined fields.
- Field is mandatory - Select the check box to make the field mandatory.
- UI control - From the drop-down list, select the control object that will represent the field. This choice determines the remaining properties to be defined for the field. Options are:
  - Text box - Select to make the new field an editable text box, suitable for character, numeric, and date/time data. Set the following property:
    - Maximum number of characters - The top limit is 1000.
  - Text area - Select to make the new field a text area, which is similar to a text box but with multiple lines. Set the following properties:
    - Number of lines - Set the number of lines available in the text area. The top limit is 20.
    - Maximum number of characters - The top limit is 1000.
  - Drop-down list - Select to make the new field a drop-down list.
    1. In the top box, type the required text values for the drop-down list. Separate multiple text values with a semicolon (;).
    2. Click Add to move the values to the bottom box.
    3. In the bottom box, select each value in turn and use the arrow keys to set the order in which they are displayed.
5. Click OK.
The field is added to the relevant request type.
6. Click Preview to see the request type with all fields, both predefined and customized.


Appendix A. Customized Permission Masks
Use the following masks to customize permission types as necessary:

Permission Mask (decimal) | Translation | Hexadecimal Value
 | Create File (special) |
 | Create Folder (special) |
65536 | Delete (special) | 10000
131209 | Read (special) | 20089
190754 | Write + Execute + Delete | 2E922
262144 | Change Permission (special) | 40000
327680 | Change Permission + Delete (special) | 50000
524288 | Take Ownership | 80000
589824 | Take Ownership + Delete (special) | 90000
655489 | Execute + Change Permissions (special) | A0081
786432 | Take Ownership + Change Permission (special) | C0000
851968 | Delete + Permission + Ownership (special) | D0000
983551 | Deny | F01FF
1048854 | Write (special) | 100116
1179785 | Read (special) | 120089
1179808 | Execute (special) | 1200A0
1179817 | List | 1200A9
1179926 | Write (special) | 120116
1180063 | Write + Read (special) | 12019F
1180086 | Add | 1201B6
1180095 | Add + Read | 1201BF
1186479 | Write + Delete (special) | 121AAF
1245321 | Read + Delete (special) | 130089
1245344 | Execute + Delete (special) | 1300A0
1245599 | Write + Read + Delete (special) | 13019F
1245631 | Change | 1301BF
1441929 | Read + Change Permission (special) | 160089
1441961 | Read + Execute + Permission (special) | 1600A9
1442070 | Write + Change Permission (special) | 160116
1507775 | Read + Write + Execute + Delete + Permission (special) | 1701BF
1704073 | Read + Take Ownership (special) | 1A0089
1704096 | Take Ownership + Execute (special) | 1A00A0
1704214 | Write + Take Ownership (special) | 1A0116
1769641 | Read + Execute + Delete + Ownership (special) | 1B00A9
1769750 | Write + Delete + Ownership (special) | 1B0116
1769887 | Read + Write + Delete + Ownership (special) | 1B019F
1769910 | Write + Execute + Delete + Ownership (special) | 1B01B6
1769919 | Read + Write + Execute + Delete + Ownership (special) | 1B01BF
1966217 | Change + Read + Ownership (special) | 1E0089
1966240 | Execute + Permission + Ownership (special) | 1E00A0
1966249 | Read + Execute + Permission + Ownership (special) | 1E00A9
1966358 | Write + Permission + Ownership (special) | 1E0116
1966495 | Write + Read + Permission + Ownership (special) | 1E019F
1966518 | Write + Execute + Permission + Ownership (special) | 1E01B6
1966527 | Read + Write + Execute + Permission + Ownership (special) | 1E01BF
2031753 | Read + Delete + Permission + Ownership (special) | 1F0089
2031785 | Read + Execute + Delete + Permission + Ownership (special) | 1F00A9
2032031 | Read + Write + Delete + Permission + Ownership (special) | 1F019F
2032054 | Write + Execute + Delete + Permission + Ownership (special) | 1F01B6
2032063 | All (special) | 1F01BF
2032127 | Full Control | 1F01FF
20331776 | Execute + Delete + Permission + Ownership (special) | 1363D00
268435456 | Full Control | 10000000

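The masks above are Windows ACCESS_MASK values. The following added example (not DataPrivilege code) decodes them into the standard Windows file and directory rights, checks that a decimal/hexadecimal pair from the table agrees, and flags masks that include WRITE_DAC, WRITE_OWNER or GENERIC_ALL, since any of those lets the holder change the ACL or the owner and is therefore equivalent to Full Control for review purposes. Bits outside the standard set are reported as UNKNOWN rather than given a name; the bit names are the standard Windows constants, not something the appendix itself states.

```python
"""Decode the Appendix A permission masks into Windows access rights.

Added example, not DataPrivilege code. The bit names are the standard Windows
ACCESS_MASK constants for files and directories (winnt.h); the appendix only
lists the masks. Bits outside this set are reported as UNKNOWN, not guessed.
"""

# (bit, name): file-specific rights, then standard rights, then the high byte.
FILE_RIGHTS = [
    (0x00000001, "FILE_READ_DATA"),          # FILE_LIST_DIRECTORY on a folder
    (0x00000002, "FILE_WRITE_DATA"),         # FILE_ADD_FILE on a folder
    (0x00000004, "FILE_APPEND_DATA"),        # FILE_ADD_SUBDIRECTORY on a folder
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),            # FILE_TRAVERSE on a folder
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),               # "Change Permission" in the table
    (0x00080000, "WRITE_OWNER"),             # "Take Ownership" in the table
    (0x00100000, "SYNCHRONIZE"),
    (0x01000000, "ACCESS_SYSTEM_SECURITY"),
    (0x02000000, "MAXIMUM_ALLOWED"),
    (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"),
    (0x80000000, "GENERIC_READ"),
]

KNOWN_BITS = 0
for _bit, _name in FILE_RIGHTS:
    KNOWN_BITS |= _bit

# Rights that let the holder rewrite the ACL or owner and so grant themselves
# anything else later; for review purposes such a mask is Full Control.
CONTROL_BITS = 0x00040000 | 0x00080000 | 0x10000000


def parse_hex(text: str) -> int:
    """Parse the appendix's hexadecimal column, with or without a 0x prefix."""
    t = text.strip().lower()
    if t.startswith("0x"):
        t = t[2:]
    return int(t, 16)


def row_consistent(decimal_text: str, hex_text: str) -> bool:
    """True when a decimal/hexadecimal pair from the table is the same mask."""
    return int(decimal_text.strip()) == parse_hex(hex_text)


def decode_mask(mask: int) -> list:
    """Names of the rights set in the mask, plus UNKNOWN(...) for stray bits."""
    names = [name for bit, name in FILE_RIGHTS if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:X})")
    return names


def grants_control(mask: int) -> bool:
    """True if the mask lets the holder change permissions or ownership."""
    return bool(mask & CONTROL_BITS)


def describe(hex_text: str) -> str:
    mask = parse_hex(hex_text)
    flag = "  [can change ACL/owner]" if grants_control(mask) else ""
    return f"0x{mask:X} = " + " | ".join(decode_mask(mask)) + flag


if __name__ == "__main__":
    # Three rows copied from the table: Change, Full Control and the last
    # "(special)" row, whose mask carries bits outside the standard set.
    for dec, hx in [("1245631", "1301BF"), ("2032127", "1F01FF"),
                    ("20331776", "1363D00")]:
        print("consistent:", row_consistent(dec, hx), " ", describe(hx))
```

When a custom permission type is added, run its mask through describe() before deploying it: "List" (1200A9) decodes to the read-only rights, "Change" (1301BF) to Modify, and anything that reports WRITE_DAC or WRITE_OWNER should be handled as a Full Control grant during entitlement reviews.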

Appendix B. DataPrivilege Filters

Note: Filters that can return null should be used with care. When such a filter is combined using the and operator and returns null, no data is displayed in the report.

Filter Name | Description
Approval Requests | Filters the results according to the number of approved requests (for folders and groups).
Approved Date | Filters the results according to the specified period of time.
Authorizer/Owner | Filters the results according to the specified authorizer or owner.
Denied Requests | Filters the results according to the number of denied requests (for folders and groups).
Domain Name | Filters the results according to the specified domain.
Enforcement | Filters the results according to whether a rule is enforced or not.
Entity Type | Filters the results according to whether the entity is a group or a folder.
Explanation | Filters the results according to the specified explanation, which was added by an owner or authorizer when a request was handled.
Group | Filters the results according to the specified group name.
Group/Direct User | Filters the results according to the specified group or user.
Group Location | Filters the results according to the logical group locations defined in DataPrivilege. Note: If no logical group locations have been defined, this filter cannot be used.
Managed Permissions | Filters the results according to folders that have permissions for the specified managed group.
Management Status | Filters the results according to whether the entity is managed or unmanaged.
Member (Group/User) | Filters the results according to the selected member (user or subgroup).
Operation Type | Filters the results according to the specified operation type: Grant, Revoke, Both or Revoke all.
Owner | Filters the results according to the specified owner.
Path | Filters the results according to the specified pathname.
Permission | Filters the results according to automatic rules that grant the specified permissions.
Rec Date | Filters the results according to the specified period of time.
Relation Domain Name | Filters the results according to entities (folders and groups) that have changed in the specified domain.
Request By | Filters the results according to requests created by the specified user.
Request Date | Filters the results according to a specified period of time, during which the requests were created.
Request For | Filters the results according to requests created for the specified user.
Request ID | Filters the results according to the specified request ID.
Request Op. Type | Filters the results according to the requested operation type: Grant, Revoke, Approve or Create.
Request Status | Filters the results according to the specified request status.
Request Type | Filters the results according to the specified request type.
Requested Folder | Filters the results according to requests created for the specified folder.
Requested Group | Filters the results according to requests created for the specified group.
Role/Role Type | Filters the results according to the specified role type: Group owner, Group authorizer, Folder owner, Folder authorizer, Folder rule authorizer or Group rule authorizer.
Rule Name | Filters the results according to the specified rule name.
Rule Status | Filters the results according to the specified rule status: Enabled or Disabled.
Sent To | Filters the results according to emails sent to the specified user.
Signed Date | Filters the results according to the specified period of time during which entitlement reviews were signed.
Signed Notes | Filters the results according to the specified signed notes (reasons and explanations).
Status | Filters the results according to the specified status of a request created by an automatic rule: Pending, Complete or Error.
Status (Mail Auditing) | Filters the results according to the status of an email: Waiting to be processed, Email waiting to be sent, Processing error, Sent or Failed to send email.
Status Type | Filters the results according to the specified status type of an automatic rule: Approve or Decline.
Subject | Filters the results according to the specified email subject line.
Time Stamp | Filters the results according to the specified period of time.
Total Requests | Filters the results according to the specified number of requests made for the folder or group.
Unique/Protected | Filters the results according to whether or not the folder has unique or protected permissions.
Unmanaged Permissions | Filters the results according to folders that have permissions for the specified unmanaged user or group.
User/User Name | Filters the results according to the specified user name.
