DataPrivilege Operation and Administration Lab Guide

Here are the steps to configure the domain for DP:
1. Connect to the Domain Controller machine using RDP. The username is vrnslab\administrator and password is P@ssword1!
2. Open the DataPrivilege console by browsing to https://<Domain Controller IP Address>:8080
3. Click "Administration" and select the "Base Folders" section
4. Click "Add" and select the root domain folder to be monitored (e.g. DC=vrnslab,DC=local)
5. Configure the "Groups" section by adding the domain security groups that will be used to manage access
6. Click "Save" to save the domain configuration settings

Uploaded by Troy Reppert

DataPrivilege Operation and Administration

Varonis Training Lab

Lab Instructions

DataPrivilege 6.4.56.70

For assistance please contact [email protected]

Data Governance Suite


Contents
LAB OVERVIEW
LAB 1: Administrator – Configuring the Domain for DP
LAB 2: Administrator - Advanced Administration
    Understand and configure the “Excluded Groups” section
    Understand and configure the “Permission Types” section
    Understand and configure the “User Roles” section
LAB 2: Administrator - Administration
    Understand and configure the “Base Folders” section
    Understand and configure the “Groups” section
LAB 3: Administrator - Configuration
    Understand and configure the “Mail Configurations” section
    Understand and configure the “Mail Appearance” section
    Understand and configure the “DataPrivilege Appearance” section
    Understand and configure the “navigational menu” section
    Understand and configure the “Application Settings” section
    Understand and configure the “AD Properties” section
LAB 4: Administrator - Management
    Understand the “Management” section
LAB 5: Data and Group Owner Functionality
    Understand the management tab and options for directory owner
    Understand the management tab and options for Group Owners
LAB 6: Authorizer Functionality
    Understand the management tab and options for directory authorizer
    Understanding the management tab and options for group authorizer
LAB 7: End User Functionality
    Permission request
    Permission Approval Process
    Membership request
    Membership approval
LAB 8: Understanding the Summary Screen
    Understanding the Summary Screen
LAB 9: Building an Authorization Workflow for permissions/group membership authorization
    Build an Authorization Workflow process for permissions
LAB 10: Building an Ethical Wall
    Building an Ethical Wall
LAB 11: Building an Entitlement Review
    Build an Entitlement Review
LAB 12: Using the DataPrivilege search capabilities
    Using the DataPrivilege search capabilities
LAB 13: Configuring common DataPrivilege reports
    Configure and customize common Varonis DataPrivilege reports

LAB OVERVIEW
The following labs were developed to assist anyone who needs to understand and configure DataPrivilege and its
components. Each lab provides the exact procedure to understand and configure:
• DataPrivilege for Windows

ACCESSING THE VIRTUAL TRAINING ENVIRONMENT


1. Navigate to https://certification-labs.varonis.com
Note: Varonis employees cannot use this link to access the virtual training environment.
Varonis employees should use http://se-labs.varonis.com/ to access the labs.
2. Sign in using your partner login credentials. These credentials are the same credentials you used to log in to
https://partneredu.varonis.com

3. On the left-hand side, select “New Environment”

4. Choose a name for your environment. In this case, I have named it “Basic DatAdvantage Install Certification”
a. Select a template that you want to deploy. The template name is identical to the course that you
signed up for. In this case, I am deploying the “DatAdvantage Basic Installation Lab” template.
b. Select a region that you would like to deploy the template in. Please select the region that is closest to
your location. I am in the United States, so I will be deploying the template in “East US 2”.
c. Choose a window that the lab will be available for. Make sure that you select the appropriate
time zone for your location. I would like my lab to be available from 9 AM – 5 PM EST.
d. Click “Create” once you have filled all the sections out.

5. Click the check button to confirm your selection.

6. A request will be sent to the Varonis Partner team that will need to be approved before your
environment is deployed. You will receive an email once the request has been approved and your
environment has been deployed.
7. Once your environment has been deployed, you will see the environment if you click on “Environments” on the
left-hand side. The status of the environment will say “Up” if it is ready to be used.

8. Click on the environment that you just deployed. A panel will appear on the right-hand side. For this specific
template, there are 4 different machines that will be used. Each machine is designated by name. For example,
there is an IDU, Filer, Collector and Domain Controller.

9. Each machine has three action buttons: Connect, Stop and Restart.
a. Connect – Opens a new tab in your browser and opens a RDP connection to the selected server.
b. Stop – Turns off the virtual machine
c. Restart – Restarts the virtual machine
*Note: The connect button functions differently for Varonis employees. Clicking “Connect” will
download a link to an RDP session for the machine you selected. You will then have to enter the
username/password for the machine to connect. The username for all machines is
“vrnslab\itadmin” and the password is “P@ssword1!”.

10. If you do not finish the lab in the time period that you selected when deploying the environment, the
environment will shut down. You have the option to restart the lab the next day and pick up from the previous
spot you stopped at by selecting the “Start” option.

LAB 1: ADMINISTRATOR – CONFIGURING THE DOMAIN FOR DP
Learning Objectives:
Learn how to configure the domain for DP.

Overview: The goal of this lab is to understand how to configure commit credentials for DP and the Group OU that
groups will be created in.

Outcome: The domain will be configured so the groups that are created within DP will be created in a separate OU.

Before opening the DP portal, it’s important to configure the domain commit credentials and the Group OU that groups
will be created in. For the purpose of this lab, the OU in Active Directory has already been created. In DP 6.3 and
above, the domain is configured within the management console.

1. Connect to the machine “IDUxxxxx”. Open the Varonis Management console on the desktop.

2. Go to “Domains” and then highlight the domain that is configured in the Management Console and click “Edit”.

3. Click “Commit” on the left-hand side.

4. Here is where the Domain Commit Credentials and the Group OU are configured for DP. By default, DP will use
the account that was used to set up the domain when Varonis was installed. The only requirement for this
account is that it must be a member of the administrators group. The Group OU is where all groups will be
placed once they are created in DP. As you can see, an OU called “DP” was created for this lab. Review the
settings and click “Cancel”.

You have successfully configured the Domain for DP.

LAB 2: ADMINISTRATOR - ADVANCED ADMINISTRATION
Learning Objectives:
Learn how to configure the “Advanced Administration” section in DataPrivilege.

Overview: The goal of this lab is to understand the available configuration options and to configure the settings of
DataPrivilege in the “Advanced Administration” section.

Outcome: The “Advanced Administration” menu allows access to DataPrivilege configuration options. The menu
provides workflow options to administer user roles, define permission types and exclude groups from the DataPrivilege
workflow. At the end of this lab you will have understood and configured the settings of the DataPrivilege “Advanced
Administration” menu.

UNDERSTAND AND CONFIGURE THE “EXCLUDED GROUPS” SECTION


The “Exclude Groups” option allows you to add one or more groups to be filtered out from view for Users, Owners &
Authorizers in DataPrivilege. This Excluded Group will not be provided access to any resource or group within DP. In
the following section you will configure one excluded group.

1) Open the DataPrivilege portal by clicking on “Firefox” on the desktop.

2) A security dialog box will appear. Enter “vrnslab\itadmin” as the user name and “P@ssword1!” as the
password.

3) First click on the “Excluded Groups” option on the left menu panel under “Advanced Administration” and then
on “Add”

4) Then press the “…” button to search for the group you want to exclude.

5) For this example we are using the “Admins Domain” group. In most cases users are not aware that domain
administrators have rights to their folder. We tend to exclude them from DataPrivilege to prevent owners
from removing their permissions. In our lab environment, we use the group “Admins Domain”. Type in the
name of the Admins Domain group and press “Search”. Click on the “Admins Domain” group to select it, and
then press “OK”.

6) To exclude the group you will need to click “Add” and then click “OK”

7) The Admins Domain group has been successfully excluded. You can repeat this for each user or group you
would like to exclude in DataPrivilege.

UNDERSTAND AND CONFIGURE THE “PERMISSION TYPES” SECTION


The “Permission Types” option allows you to modify, add, or remove permissions in DataPrivilege.

1) First click on the “Permission Types” option on the left menu panel. You will see the built-in list of default
permissions available. Click the “i” information button next to the Full permissions option

2) Within the Permission Type window, you have the option to set an Alias for the permission. There are
additional options within this window as well:

Is Monitored > If the permission type is monitored, it will be detected and available for use, if it is not
monitored, it will be hidden from use

Can be used for new permissions > Allows this permission to be committed to the file system if used

Visible > This option will allow all users of DataPrivilege to view this permission set if it is an option on a
folder

Type ‘ALL YOU NEED’ into the Alias field, and click OK to close out of the window

3) From the Permission Types window, you also have the ability to define a new permission type for use with
DataPrivilege. Click on the Add button.

4) In addition to the existing permission types, you will now have the ability to choose the inheritance level for a
newly created permission type. Also you can define a SPECIAL permission if you specify the permission mask.
Please note that a permission type name is unique and can exist only once in DataPrivilege.

In the Permission type name box, enter Write Only, and in the Alias box, enter Blind Write. Below, in the
Apply onto section, click the down arrow and select the “This folder, subfolders and files” option, and then place a
check in the box next to Write. Check the boxes in this order: Is monitored, Can be used for new
permissions and then Visible. Click “OK”.

5) This will now create a new Write Only permission type that can be applied to folders within DataPrivilege.

UNDERSTAND AND CONFIGURE THE “USER ROLES” SECTION


The “User Roles” section allows you to configure DataPrivilege System Administrators and Request Supervisor users.

Please follow the steps to understand the “User Roles” section in this lab.

1) First click on the “User Roles” option. Additional user roles can be added by clicking the Add button. This step
does not need to be performed during this lab. The two available types of User Roles are:
• A System Administrator can configure and see all options.
• A Request Supervisor Role can only view items in DataPrivilege – This role is typically assigned to
Help Desk individuals so they have the ability to check on the status of any pending requests.

2) Click Cancel to return to the main DataPrivilege window.

LAB 2: ADMINISTRATOR - ADMINISTRATION
Learning Objectives:
Understand how to configure the “Administration” section in DataPrivilege.

Overview: The goal of this lab is to understand the available configuration options and to configure the basic
settings of DataPrivilege in the “Administration” section. The Administration section includes the ability to assign
ownership to Active Directory security groups and to add and manage shared folders.

Outcome: At the end of this lab you will have understood and configured the basic settings of DataPrivilege
“Administration” menu:
• Base Folders – Configured folders to which people can request access
• Groups – Assigned owners to AD Security Groups for management

UNDERSTAND AND CONFIGURE THE “BASE FOLDERS” SECTION


The Base Folders section allows you to define shared folders that are available to end users within DataPrivilege.
Within this area you will have the ability to define folder owners along with permission sets that will allow access to
these shared folders. End users will then have the ability to request access to these folders via the Permission
Requests tab once it has been configured.

1) Expand the Administration section on the left hand side and click the Base Folders link. In the right section,
you will see the Lab server defined already. Select the default location and click on the Add Location button
below.

2) In the Location Name box, type in Finance. Click OK

3) In order to see the Finance group appear under Lab, please press the "+” icon to view the nested locations as
seen below.

4) Repeat steps 2 and 3 and create a Location for HR and Marketing

5) Place a check next to the Finance location, and remove the Check next to DP, and then click the Add Folder
button below.

6) The Add Base Folder Wizard will appear. Click the “…” button under the Select Folders section.

7) Click the Search Hosts button and HUB-IDU will appear in the window. Click the + sign next to the root folder
to expand the tree. Click the + sign next to Share and finally, click on the Finance folder to select it, and then
click OK

8) You will now see the path to the share listed in the Select Folders section. Click the Add button

9) The path to the share will now appear in the section below. You will have the option to manage existing
permissions on the directory or to have DataPrivilege create new permissions for this location. Under the New
Permissions section, place a check in the boxes next to Read and Write. DataPrivilege will automatically fill in
a generic group name. In the space provided next to Read, delete the generic permission name and fill in
LAB-FINANCE-R-R for Read. In the space provided next to Write, delete the generic permission name and
fill in LAB-FINANCE-RW-RW for Write. NOTE: If you copy and paste the group names into the lab,
please be sure to delete any trailing spaces to avoid errors.

10) If you want to allow users to be added directly to the ACL on a folder, instead of forcing them to be part of a
security group, place a check in the “Allow direct permissions” box. For purposes of this lab, we will leave this
option unchecked.

11) Place a check in the box next to “Bypass Group Authorization” and click Next.
Note: Administrators may choose to exclude groups from the data authorization process if membership
authorization for the relevant group is not required for data authorization.

12) You will now be presented with the Data Owner selection screen. This screen is used to select the Data Owner
of the base folder configured above – the Finance folder. Click the “Add User” link underneath Users

13) In the search box, enter the user’s name, Erin and click the search button. Place a check in the box next to
Erin Manning and click the OK button

14) You will now see Erin’s name in the window. Check the box under “Owner” to make her an owner of the
folder. Click on the Next button

15) You will now see the Summary window indicating that all selected folders were processed successfully. Click
on the Finish button.

16) You will now be back at the Base Folders section. Expand the Finance location and click on the Finance folder
in order to verify that Erin is the data owner. Note: You may need to refresh the page for this to show.

17) Deselect the Finance folder and click on the HR location, and then click the Add Folders button below.

18) You will see a new Add Base Folders Wizard appear. Click the “…” button next to Select Folders

19) Click the Search Hosts button and HUB-IDU will appear in the window. Click the + sign next to the folder to
expand the tree. Click the + sign next to Share and finally, place a check in the box next to HR. Click OK

20) You will now see the path to the share listed in the Select Folders section. Click the Add button

21) The path to the share will now appear in the section below. You will have the option to manage existing
permissions on the directory or to have DataPrivilege create new permissions for this location. Under the New
Permissions section, place a check in the boxes next to Read and Write. DataPrivilege will automatically fill in
generic group names. In the space provided, delete the generic permission names and fill in new names
(LAB-HR-R-R for Read, and LAB-HR-RW-RW for Write). NOTE: If you copy and paste the group names
into the lab, please be sure to delete any trailing spaces to avoid errors. Do not place a check in the
box next to Allow direct permissions. Also place a check in the box next to Bypass Group Authorization. Click
Next

22) You will now be presented with the Data Owner selection screen. This screen is used to select the Data Owner
of the base folder configured above – the HR folder. Click the “Add user” link underneath Users

23) In the search box, enter the user’s name, Erin and click the search button. Click on Erin Manning’s name and
then click the OK button

24) You will now see Erin’s name in the Select Data Owners window. Check the box under “Owner” to make her an
owner of the folder. Click on the Next button

25) You will now see the Summary window indicating that all selected folders were processed successfully. Click
on the Finish button.

26) You will now be back at the Base Folders section. Expand the HR location and select the HR folder in order to
verify that Erin is the data owner.

27) Deselect the HR folder and click on the Marketing location. Repeat the above steps for the Marketing folder.
The group used for Read permissions should be “LAB-MARKETING-R-R” and the group for write permissions
should be “LAB-MARKETING-RW-RW”. Add Michael Lewis as the Data Owner.
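
A read-only check an administrator could run after the Base Folders steps above, to confirm that the groups typed in steps 9, 21 and 27 exist in the Group OU and appear on each folder's ACL, and that no user account holds a direct ACE (the lab leaves “Allow direct permissions” unchecked). This is an added example, not part of the Varonis lab guide; the UNC paths, the OU distinguished name and the function name Test-BaseFolder are assumptions, and it needs the ActiveDirectory PowerShell module.

```powershell
# Added example: read-only audit of the base folders configured in this lab.
# ASSUMPTIONS (not from the lab guide): the UNC paths, the OU distinguished
# name and the function name Test-BaseFolder. Adjust them to your environment.
Import-Module ActiveDirectory -ErrorAction Stop

$GroupOu = 'OU=DP,DC=vrnslab,DC=local'   # assumed DN of the "DP" Group OU

# Folder -> group names typed into the Add Base Folder wizard.
$BaseFolders = @(
    @{ Path = '\\HUB-IDU\Share\Finance';   Groups = @('LAB-FINANCE-R-R',   'LAB-FINANCE-RW-RW') }
    @{ Path = '\\HUB-IDU\Share\HR';        Groups = @('LAB-HR-R-R',        'LAB-HR-RW-RW') }
    @{ Path = '\\HUB-IDU\Share\Marketing'; Groups = @('LAB-MARKETING-R-R', 'LAB-MARKETING-RW-RW') }
)

function Test-BaseFolder {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedGroups,
        [Parameter(Mandatory)] [string]   $GroupOu
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Resolve every Allow ACE to a SID so comparisons do not depend on
    # how the account name happens to be displayed.
    $aces = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $findings.Add("ACE identity cannot be resolved: $($ace.IdentityReference)")
            continue
        }
        [pscustomobject]@{ Sid = $sid; Name = $ace.IdentityReference.Value
                           Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }

    # 1. Each group must exist under the Group OU and be present on the ACL.
    foreach ($name in $ExpectedGroups) {
        $clean = $name.Trim()
        if ($clean -ne $name) {
            # The lab warns that pasted names with trailing spaces cause errors.
            $findings.Add("Group name '$name' carries leading or trailing spaces")
        }
        $group = Get-ADGroup -Filter "Name -eq '$clean'" -SearchBase $GroupOu |
            Select-Object -First 1
        if (-not $group) {
            $findings.Add("Group '$clean' not found under $GroupOu")
            continue
        }
        if ($aces.Sid -notcontains $group.SID.Value) {
            $findings.Add("Group '$clean' has no Allow ACE on $Path")
        }
    }

    # 2. With "Allow direct permissions" unchecked, no explicit ACE on the
    #    base folder should name a user account. Identities that are not
    #    domain objects (for example NT AUTHORITY\SYSTEM) are skipped.
    foreach ($ace in ($aces | Where-Object { -not $_.Inherited })) {
        $obj = Get-ADObject -Filter "objectSid -eq '$($ace.Sid)'"
        if ($obj -and $obj.ObjectClass -eq 'user') {
            $findings.Add("Direct user permission: $($ace.Name) ($($ace.Rights))")
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$BaseFolders | ForEach-Object {
    Test-BaseFolder -Path $_.Path -ExpectedGroups $_.Groups -GroupOu $GroupOu
} | Format-List
```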

UNDERSTAND AND CONFIGURE THE “GROUPS” SECTION
The groups section allows you to assign a data owner to an Active Directory security group. End users will then be
able to request to be members of these security groups

1) Under the Administration section, click on the Groups link. Select the LAB-Finance-R-R group, then click the
Add button under the Group Owners section

2) A Users Search window will appear. Click the “…” to bring up the search window.

3) In the new screen, type Erin into the box and click Search. Erin Manning will appear below. Place a check next to
her name and click the OK button

4) You will see Erin’s name in the User Search box. Click the Add button.

5) This will move Erin’s name to the lower section. Place a check in the box next to “Add selected users as
authorizers” and click OK

6) You will now see Erin’s name listed as an owner for the LAB-Finance-R group

7) Place a check in the box next to Lab-Marketing-R-R and Lab-Marketing-RW-RW, then click the Add button to
the right under the Group Owners section

8) A User Search box will come up. Click the “…” icon to bring up a search window.

9) Within the Search window, type in the name Michael and click the search button. Place a check next to
Michael Lewis then click OK

10) Michael’s name will appear in the top User Search window. Click the Add button to move him to the lower
section.

11) Once Michael appears in the lower section, place a check in the box next to Add selected users as authorizers
and click OK

12) Michael Lewis is now assigned as an owner and authorizer for both Marketing security groups

LAB 3: ADMINISTRATOR - CONFIGURATION
Learning Objectives:
Learn to understand and utilize the options found in the “Configuration” section in DataPrivilege.

Overview: The goal of this lab is to understand the available configuration options and to configure the basic
settings of DataPrivilege in the “Configuration” section:
• Mapping Settings
• Application Settings
• DataPrivilege Appearance
• Navigational Menus
• Mail Appearance
• Mail Configurations

Outcome: At the end of this lab you will have understood and configured the basic settings of DataPrivilege
“Configuration” menu.

UNDERSTAND AND CONFIGURE THE “MAIL CONFIGURATIONS” SECTION


1) First click on the configuration link to expand the menu, and then click on Mail Configurations

The Permission Requests and Group Membership Requests tabs allow you to configure the email behavior for
DataPrivilege, including which individuals (requestee, authorizer, owner, admin and additional email
recipients) should receive an email corresponding to different DataPrivilege actions (request made,
request handled, request summary). DataPrivilege also allows you to select or customize the email sections
(subject, text at the top of message, text at bottom of message). In addition to the email options, you can
also configure reminder emails, expiration times and expiration actions.

2) To view this customization in action, place a check in the Subject line in the Request made column, then click
the Edit button.

3) You will see a Subject Formatting window appear. This allows you to change the subject on the emails sent
by DataPrivilege for this request type. For example, if you wanted to include the request time in the subject,
you could simply add the word ‘at’ followed by ‘<RequestTime>’ tag in the subject line. Click Cancel to close
out of this window without saving any changes

4) In order to edit the text at the top of the email messages, click on the checkbox, and then on the Edit link, in
the Request Made column next to the “Top Boilerplate text”. A new window will appear, allowing you to edit
the free-text field. Enter the text “== THIS IS A MESSAGE SENT BY VARONIS DATAPRIVILEGE ==” in the
Custom Text box and click OK

5) In order to edit the text at the bottom of the email messages, click on the checkbox, and then on the Edit
link, in the Request Made column next to the “Bottom Boilerplate text”. A new window will appear, allowing
you to edit the free-text field. Enter the text “EDITED BY VARONIS DATAPRIVILEGE ADMIN” in the Custom
Text box and click OK

6) As an alternative to editing the text at the top and bottom of the email message, DataPrivilege provides the
option to upload custom HTML for the body of the email. Place a check in the box next to the “Custom HTML
formatting” box in the Request Made column; you will notice the selections for the top and bottom boilerplate
text become unavailable for editing

7) Click on the Edit link next to “Custom HTML formatting”. A new window will appear that allows you to browse
and upload an HTML template for the body of the email. This template can contain DataPrivilege keyword
tags as well. Click cancel to exit this window

8) Uncheck the “Custom HTML formatting” option, and reselect the “Top Boilerplate text” and “Bottom Boilerplate
text” options, then click the Preview link at the bottom of the screen

9) The preview option will display an overview of the information that will be contained in the email based on the
configuration options you have selected. It will also contain some of the variables and logic that will
determine which options of the email will appear. The lower half of the Preview window also contains data
relevant to the ability for owners or authorizers to approve requests via email. Click the X button in the upper
right hand of the Preview window to close the window.

UNDERSTAND AND CONFIGURE THE “MAIL APPEARANCE” SECTION
The DataPrivilege Mail Appearance section controls the basic look and feel of the emails which DataPrivilege will
produce. This includes the color palette, font style, color and size

1) First, expand the Configuration menu if it is not already open, and then click on the “Mail Appearance” in the
menu. At the top of the Mail Appearance window, you will see an example of the layout and configurable
objects.

2) Scroll the window down until you see the configuration options. The mail appearance configuration menu
provides the ability to customize header images, text, font, and color options for the emails generated by
DataPrivilege.

3) In the Header section, to adjust the color settings, simply click the color swatch next to any of the Background
Color options and drag the pointer to the desired color, or enter the HTML color code information in the box.

4) Once you have adjusted the color, click on the color swatch next to the Background Color item to confirm

5) Under the Body section, you also have the ability to adjust the font, font size and color. In the Body section,
click on the color swatch next to Regular Text and select a new color. Once complete, click the color swatch
again to confirm the selection

6) Click the Preview button at the bottom of the section to view a preview of the output based on the proposed
changes

7) The results for the aforementioned changes will appear as such:

8) You can click the X button on the upper right of the Preview window to close the box. You do not need to
save any of the settings. Click the Reset button to revert back to the default settings

UNDERSTAND AND CONFIGURE THE “DATAPRIVILEGE APPEARANCE” SECTION
The DataPrivilege Appearance section controls the basic look and feel of the interface. This includes the color palette,
font style, color and size

1) First, expand the Configuration menu if it is not already open, and then click on “Data Privilege Appearance”.
Within this section, you will see one built-in theme, Light, which is the default for DP 6.4.

2) As an example, the Header section will be used to demonstrate some of the available changes. Click on the
link to Header

3) Scroll down and click the “…” button next to the Font family item, and select Courier New from the font menu.
Once it is selected, click the Save link next to the selection

4) Next, click the white square next to the Font color line. A color palette selection will appear. You may click
within the selection window to select a color or enter the HTML color code in the box below. Once you have
selected a new font color, click the color swatch to confirm, and then click the Save link

5) Click the Refresh button on Firefox to update the DataPrivilege interface to reflect the changes you have
made. As you can see, both the font family and text color have been updated

6) You may revert back to the default state by selecting the Header option, and clicking the Revert link next to
both the Font family and Font color items.

7) Click the Refresh button on Firefox to reflect the changes

8) Similar configuration options are available in the rest of the Appearance categories; however, they will not be
covered in detail in this lab

UNDERSTAND AND CONFIGURE THE “NAVIGATIONAL MENU” SECTION


The “Navigational Menu” section provides the ability to configure the text for all of the navigational menu items, as well as the
item view for different user roles

1) Within the Navigational Menu section, you will see each section (Top Menu, Left Menu, and Management Tabs)
listed, along with editable text fields for each as well as check boxes to enable or disable visibility for each role
within DataPrivilege. Please note that some of the roles do not have the checkboxes available for certain
options, which means that the section is not applicable to that role. Scroll down and to the left to view these
settings and familiarize yourself with them.

2) To customize the tabs along the top menu, you can uncheck the visibility boxes for some or all of the rows.
Uncheck the boxes in the “Select / Unselect” column next to the Help and Contacts rows

3) Scroll down and click the Save button at the very bottom of the screen to update the view.

4) You will now notice that the Help and Contacts tabs no longer appear at the top of the screen

5) The text for each item is configurable as well. For example, the first item under the “Menu Options” section is
“Summary”. Click in the textboxes to modify the text. In the example below, we have simply capitalized all
letters in the word summary, so it will now appear as “SUMMARY”. Scroll down and click the Save button at
the very bottom of the screen to update the view

UNDERSTAND AND CONFIGURE THE “APPLICATION SETTINGS” SECTION
The application settings section controls the application behavior and allows you to set default settings

1) First, expand the Configuration menu if it is not already open, and then click on “Application Settings” in
the menu. Within this section, you will see all of the application categories which are available for
configuration.

2) Click on the General link to display a list of general configuration options. Click on the “i” next to “Allow
administrators to view and edit management screens”

3) The view in the right-hand window will change. Click the drop down to “False”, and then click on Save.

4) In order for this change to take effect, you must refresh the browser. Click on the Refresh icon at the top of
the Firefox window.

5) You will see a message asking if you would like to resend the information you previously submitted. Click the
Resend button

6) The DataPrivilege window will appear again, and you will see the Management category on the left of the
window has disappeared. *Please revert the change once completed*

7) The Entitlement Review section contains all of the default options for the behavior of an entitlement review.
Some of the most commonly used options are:
• Hide the “Keep All”, “Remove All” and “Reset” buttons in entitlement reviews – this feature will force the
reviewer to make any changes on an individual line-item level

• Entitlement review signing options – this feature allows you to select the signing method for an
entitlement review, either forcing the reviewer to enter their domain password as a signature confirming they have
performed the review, or allowing them to enter a defined text string (this option is set using the Text to
be used for signature field)

• Entitlement Review confirmation – this option allows you to enter custom text for the signature
verification, so you can include relevant company information (such as company policy sections) that
covers the signing of entitlement reviews

8) The File System Permissions and Active Directory section contains the options for how to assign permissions
and how to interact with Active Directory. Some of the most commonly used items are:
• Allow owners to let users ask for direct permissions on folders – this option will allow you to disable (or
enable) the option to request direct permissions to a folder instead of being added to a security group.
Many best practices state that direct user permissions should not be used, and selecting this option will
prevent requesters from even having the ability to request it

• Group prefix for new groups in Active Directory – this setting controls the default security group prefix
when DataPrivilege is used to create new AD security groups for permissions. This can be used to comply
with company naming conventions for security groups

• Grant traverse permissions to folders up to the share level – this feature will automatically grant traverse
permissions up to the share level. This is useful when a user connects at the share: they will then have the
ability to drill down until they reach the folder where they were granted rights

UNDERSTAND AND CONFIGURE THE “AD PROPERTIES” SECTION
1) Expand the Configuration menu if it is not already open, and then click on “AD Properties”. Within this
section, you have the ability to map existing, or add additional, Active Directory properties for use within
DataPrivilege. This is useful if the customer has custom AD properties they would like to include for display,
searching, sorting, in clauses or reporting within DataPrivilege. Click on the blue “i” icon next to the AD
Property “cn” to bring up the details window that allows you to configure the options available for this AD
property.

2) The options available for mapping the AD Properties are:


• The ability to set the friendly display name for use within DataPrivilege
• If the element is visible
• Searchable
• Sortable
• Or can be used within clauses

3) Click Cancel to close this window

LAB 4: ADMINISTRATOR - MANAGEMENT
Learning Objectives:
Understand the information available in the “Management” section of DataPrivilege.

Overview: The goal of this lab is to understand the available information in the “Management” section of DP:
• Folder Owner
• Group Owner
• Folder Authorizer
• Group Authorizer

Outcome: At the end of this lab you will understand the information available in the “Management” section.

UNDERSTAND THE “MANAGEMENT” SECTION


The Management section contains a list of managed directories and groups, similar to the view a data owner would
get. The difference is that if this view is enabled for Administrators, Administrators are able to see all of the managed
directories and groups associated with ALL data owners; for the Administrator, this information is read-only.

1) Expand the Management menu. Click on the “Folder Owner” link. You will be presented with an expandable
tree structure of the managed folders. To view data relevant to a particular folder, you can drill down in the
tree and place a check in the box next to the directory, as shown in the picture below for the Finance folder. In
the right panel, it will show all of the security groups and users who are permissioned on the directory as well
as the level of permissions each has, as displayed in the picture below. In addition, you can select the
“Authorizers” tab to view any authorizers assigned to that folder. Similarly, you can select the “Auth Rules” or
“Automatic Rules” tabs to view any rules or workflows configured for the directory

2) Click on the Group Owner link. You will be presented with a list of managed security groups, as well as a
search function to look for specific groups. If you place a check in the box next to a security group, you will
be able to explore relevant information for that security group, as shown in the image for the LAB-Finance-R
group below. In the panel to the right, if you select the “Members” tab, you will be able to view a list of all of
the members in the security group. In addition, you can select the “Authorizers” tab to view any authorizers
assigned to that security group, as pictured below. Similarly, you can select the “Auth Rules” or “Automatic
Rules” tabs to view any rules or workflows configured for the directory. Finally, on the “Permissions” tab, you
can view where this security group is being used and what permissions it has on that folder

3) Click on the “Folder Authorizer” link. You will be presented with a list of the managed folders. If you click on
the folder name, you will see all of the security groups and users assigned to the folder, the type of entity
(Global Group, Local Group and Person), and the permissions assigned for that folder location.

4) Click on the “Group Authorizer” link. You will be presented with a list of managed security groups, as well as a
search function to look for specific groups. If you click on a security group, you will be able to explore
relevant information for that security group. In the panel to the right, if you select the “Members” tab, you
will be able to view a list of all of the members in the security group. If you click on the “Permissions” tab,
you can view where this security group is being used and what permissions it has on that folder

LAB 5: DATA AND GROUP OWNER FUNCTIONALITY
Learning Objectives:
Learn how to configure Folder and Group ownership
Note: Authorization Rules, Automatic Rules and Report configuration will be covered more in depth in labs 9, 10 and 13

Overview: The goal of this lab is to give you a clear overview of the role and responsibilities of the Data Owners role in
DataPrivilege.

Outcome: At the end of this lab you will have configured and customized all the options you can have for a Data and
Group Owner.

UNDERSTAND THE MANAGEMENT TAB AND OPTIONS FOR DIRECTORY OWNER
Data owners are managers who are responsible for managed directories. This includes the following activities:
• Adding managed directories
• Adding authorizers to managed directories
• Adding or removing available permissions to directories
• Granting permissions to managed directories
• Approving or denying user requests for data access. Such requests actually entail adding users to the relevant
groups
• Synchronizing the actual database with the managed DataPrivilege environment

1) While still logged in as Administrator, click on the Administration option on the left to expand the view, and then
click on Base folders. Drill down in the tree until you reach the Marketing folder. Place a check in the box next
to Marketing, then click the Add button on the bottom right under the Data Owners section

2) A User Search box will appear. Click the “…” icon to bring up a search window

3) In the Search box, type in Erin and click the Search button. When Erin appears below, place a check next to her
name and click the OK button

4) Erin will appear in the top section, click the Add button to move Erin to the lower section. Check the box to add
the selected users as authorizers and then click OK to complete the process

5) You will now see Erin listed as a directory owner for the Marketing folder

6) Close Firefox, and then re-launch it

7) In Firefox, enter the credentials for Erin in the Windows Security box. The username will be “emanning” and
the password will be “P@ssword1!”. Click OK

8) Click on “Management” then “Folder Owner”. You will see that you are now the Data Owner of some folders.
Expand the directory tree to the right, drill down until you locate the “Finance” folder and place a check in the
box next to it. In the “Permissions” section, as a data owner, you have the ability to Edit the managed
directories and change the available permissions. Click on Edit button

9) You will now see the “Edit Folders” window. In the “New Permissions” section to the right, scroll down in the
list, place a check next to “Write Only”, and in the box next to it, enter LAB-FINANCE-W as the new permission
name. NOTE: If you copy and paste the group name into the lab, please be sure to delete any
trailing spaces to avoid errors. Click Next

10) Click Finish to close out of the Edit Folders window

11) You will now be back at the Folder Owner window. As a folder owner, you have the ability to delegate
authorization rights to another individual to approve requests on your behalf. De-select the Finance folder and
then expand and select the HR folder. Click the Add button at the bottom of the Authorizers tab.

12) In the Authorizer Details window, click the “…” icon next to Select Users to bring up the search window

13) In the search box, enter Allen, and then click the Search button. When Allen Carrey appears below, place a
check next to his name then click OK

14) Click the Add button to move Allen down to the bottom section, then click OK to complete the action

15) Allen has now been added as an Authorizer for the HR folder and now has the ability to receive and approve
permission requests

UNDERSTAND THE MANAGEMENT TAB AND OPTIONS FOR GROUP OWNERS
Group owners are managers who are responsible for managed groups. This includes the following activities:
• Adding managed groups.
• Adding users to groups.
• Removing users from groups.
• Adding automatic rules to groups.
• Adding authorization rules to groups.
• Adding authorizers to managed groups.
• Performing entitlement reviews.
• Approving or denying requests for group membership
• Synchronizing managed groups with Active Directory.

1) The Group Owners functionality is similar to the Directory Owners functionality. Click on the Group Owner link
to display the groups which Erin owns. Place a check in the box next to LAB-Finance-R-R, then click on the
Authorizers tab to the right.

2) You can see that Erin is configured as an Authorizer for this security group. You have the ability to add or
remove authorizers from this security group, similar to the way you can configure them for managed folders.
In addition to managing the authorizers for a security group, the owner may add members to the group
directly through the Members section. Click the Members tab, and click the Add Member button below

3) In the membership request section, the owner has the ability to search and select users to add to the group,
as well as configure an automatic expiration which will automatically revoke the membership based on the
criteria selected. Click Cancel to close this window

This completes the Directory and Group Owner sections.

LAB 6: AUTHORIZER FUNCTIONALITY
Learning Objectives:
Learn the role of Data and Group authorizers.

Overview: The goal of this lab is to give you a clear overview of the role and responsibilities of the Authorizers role in
Data Privilege.

Outcome: At the end of this lab you will have a clear overview of the Authorizer role.

UNDERSTAND THE MANAGEMENT TAB AND OPTIONS FOR DIRECTORY AUTHORIZER
Authorizers are responsible for approving or declining requests assigned to them by the various types of owners. In
addition, authorizers who possess certain owner privileges can perform the following tasks:
• Grant users permissions to managed directories
• Add users to groups
• Sign entitlement reviews

When data authorizers approve or decline requests, only those groups to which a user can be assigned are displayed.
With DataPrivilege, multiple levels of authorization can be defined to ensure data and group membership is protected.
An authorizer can be assigned to any authorization level, even if the preceding levels have not been defined.

1) Firefox was open from the previous section, please close IE and reopen it. In Firefox, enter the credentials for
“Allen” in the Windows Security box. The username will be “acarrey” and the password will be “P@ssword1!”.
Click OK

2) Click on the Management option on the left to expand the options, and then click on the Folder Authorizer link.
Click on the HR folder name in the Managed Directories section to display the permissions available on the
folder. Notice that, as an authorizer, you do not have the ability to change any of the permissions on the
managed folders.

3) This completes the Directory Authorizer section of the lab

UNDERSTANDING THE MANAGEMENT TAB AND OPTIONS FOR GROUP AUTHORIZER
Group Authorizers are responsible for approving or declining requests assigned to them by the various types of owners.
In addition, authorizers who possess certain owner privileges can perform the following tasks:
• Grant users permissions to managed directories
• Add users to groups
• Sign entitlement reviews

With DataPrivilege, multiple levels of authorization can be defined to ensure data and group membership is protected.
An authorizer can be assigned to any authorization level, even if the preceding levels have not been defined.

1) Firefox was open from the previous section, please close it and reopen it. In Firefox, enter the credentials for
Michael in the Windows Security box. The username will be “mlewis” and the password will be “P@ssword1!”.
Click OK

2) While still logged into DataPrivilege as Michael, click on the Group Authorizer option, then click on the LAB-
Marketing-R-R display name. As an authorizer, on the Permissions tab you will have the ability to view where
your security group grants access and what level of permissions it grants to a folder, but you will have no ability
to make changes. Similarly, on the Members tab, you have the ability to see any member of a security group for
which you are designated as an Authorizer; however, you will not be able to make any changes

LAB 7: END USER FUNCTIONALITY
Learning Objectives: Learn how to do a permission and membership request.

Overview: The goal of this lab is to create one permission request to access a folder, and one membership
request to a security group or distribution list. As of DataPrivilege 6.3, users can now create permission requests
directly from the file system. This functionality will not be covered in this lab guide. It is also possible to grant folder
permissions to a group nested within another group, if the parent group has direct permissions on the folder.

Outcome: At the end of this lab you will be able to submit requests for your current user or for someone else.

PERMISSION REQUEST
1) Close Firefox if it is still open from the previous lab, and then re-open it.

2) In Firefox, enter the credentials for Allen in the Windows Security box. The username will be “acarrey” and
the password will be “P@ssword1!”. Click OK

3) Click on Permission Requests on the left bar. You will see a Permissions Request form. Since you are requesting
access for yourself, you do not need to make any changes in the User section. In the Folders section, click on the
“Browse…” button to select the folder to which you wish to request access

4) Expand the directory tree until you find the Finance Folder. Click on the Finance folder to select it, and then click
OK

5) You will see the Finance folder path in the Folders section. Click the Add button to move the directory down to
the Operations section

6) In a permissions request, the Operations Section allows the requestor to specify the type of operation (in this
case, it is a Grant Access request), and the level of permissions the user would like on the target folder. Click the
down arrow below permissions to display the list of available permissions on the Finance folder. Select Write

7) In the Explanation section, the requestor will need to specify the reason they are requesting access. This is to
provide justification to the Authorizer so he knows to accept, modify or deny the request in a later stage. Type
the text, “Need access for reporting” into the text field

8) Clicking on the “Advanced” button allows you to specify the length of your request. You are able to request
permissions for a specific time frame (for example for financial reporting during one week at the end of a fiscal
month or fiscal quarter), so Data Privilege will be able to commit the access rights during that time period and
then revoke it automatically. Click on Advanced and make sure the Expiration is set to Never, then click on the
Finish button to complete the request

9) The following page will be displayed, showing a summary of your request and including the authorizer who is
responsible for authorizing the request.

10) The permission request has been sent to the authorizers. Close Firefox and continue on to the next section

PERMISSION APPROVAL PROCESS


1) Open Thunderbird from the desktop and expand Erin’s email.

Note: You may need to click on the “Get Mail” tab in Thunderbird to check for new messages. You may need
to repeat this process after a few minutes if the email does not arrive immediately

2) In Erin’s inbox, you will see that DataPrivilege has sent a notification email telling you that a permission request
is pending your approval. You can be taken directly to the approval page by clicking the link in the email next to
the text, “To view the request page: click here” Click on the link in the email

3) In Firefox, enter the credentials for Erin in the Windows Security box. The username will be “emanning” and
the password will be “P@ssword1!”. Click OK

4) On the Approval window, review the request and click “approve”.

5) Type “OK” into the authorization explanation window and click “approve”.

6) This is the end of the permission request section. Close Firefox

MEMBERSHIP REQUEST
1) You will now do the same process to complete a Group Membership Request. Close and re-open Firefox and
enter the credentials for Allen in the Windows Security box. The username will be “acarrey” and the password
will be “P@ssword1!”. Click OK

2) Click on Membership Requests link, along the left, and then click on the Browse button under the Groups
section

3) In the Group Search window, click on the LAB-Marketing-RW-RW group to select it, and then click OK

4) Click the Add button in the Groups section to move the LAB-Marketing-RW-RW group down to the Operations
area to confirm your selection, and then enter the text “Access” into the Explanation text field. Finally, click
Finish to complete the request

5) You will now see a window indicating that your request has been sent. Close Firefox and move on to the next
section

MEMBERSHIP APPROVAL
1) Open Thunderbird from the desktop and expand Michael’s email ([email protected])

Note: You may need to click on the “Get Mail” tab in Thunderbird to check for new messages. You may need
to repeat this process after a few minutes if the email does not arrive immediately

2) To automatically get directed to the request, click on the link in the “To view the request page: click here”
section of the email

3) In Firefox, enter the credentials for Michael in the Windows Security box. The username will be “mlewis” and
the password will be “P@ssword1!”. Click OK

4) On the Approval window, review the request and click “approve”.

5) Type “OK” into the authorization explanation window and click “approve”.

6) This completes the membership request approval portion. Close Firefox

LAB 8: UNDERSTANDING THE SUMMARY SCREEN
Learning Objectives:
Learn the information and functionality available via the Summary Screen

Overview: The summary screen provides an easy, quick reference point for both users and data owners to quickly
review and take action on requests or entitlement reviews

Outcome: At the end of this lab you will understand the functionality available in the Summary Screen for Data
Owners

UNDERSTANDING THE SUMMARY SCREEN


Note: The information in the following screens is informational only, and the view in
your screens may not be identical to what is presented here. This is only true for this
section, Lab 8: Understanding the Summary Screen

1) Close and re-open Firefox, and enter the credentials for Erin in the Windows Security box. The username will
be “emanning” and the password will be “P@ssword1!”. Click OK

2) Click on the Summary tab

3) For a data owner, the Summary section is broken down into three major sections:
a. My Requests
b. Requests waiting for my approval
c. Waiting for my review.

Non-directory owners will only see the ‘My Requests’ and ‘Requests waiting for my approval’ sections. The
My Requests section will display any recently submitted permissions or group membership requests. As a
requester, you will see the status of your request, the type of request and the resource target. The requester
may also view the details or cancel a request if it has not yet been approved.

4) The Requests waiting for my approval section is where a directory owner or authorizer would go to view and
open permissions or membership requests for resources assigned to them. They will be able to quickly see all
of the relevant information at a glance, such as the date and time the request was made, the requester, the
type of request and the target resource for the request. The owner or authorizer would also be able to access
the request details in this screen to approve or deny a pending request. *Note: The screenshots in steps 4
and 5 will vary from what you see in the portal as we have already approved the request from
Allen Carrey in a previous lab.

5) Click on the Waiting for my review link. This section is where a data owner would go to review any open
entitlement reviews on their managed shares or groups. The data owner can quickly see the outstanding
reviews, the date and time which they arrived and the resource which requires the entitlement review. The
data owner can also access the details and perform the necessary entitlement reviews

6) This concludes the Understanding of the Summary Screen section.

LAB 9: BUILDING AN AUTHORIZATION WORKFLOW FOR PERMISSIONS/GROUP MEMBERSHIP AUTHORIZATION
Learning Objectives:
Learn how to build and configure a custom authorization workflow process

Overview: The goal of this lab is to build a custom workflow for authorizing permissions or group membership
requests using Varonis DataPrivilege. In the lab you will create a multi-level authorization process for access approval
based on clauses built from attributes pulled from Active Directory

Outcome: At the end of this lab you will have configured, customized and saved a multi-level authorization workflow
process for permissions or group membership requests

BUILD AN AUTHORIZATION WORKFLOW PROCESS FOR PERMISSIONS


1) Continuing from the last section, click on the Management link in the left column to expand the options.
Under Management, click on the Folder Owner link

2) Click on the + sign next to vrnslab.se to expand the share tree. Expand the HR location and click on the HR
folder. In the far right, click on the Auth Rules tab then click the Add button

3) An Authorizer Rule Details window will appear. Click the Edit button under the Clauses section

4) A Rule Clauses window will appear. In the first line, click the down arrow next to the first dropdown box and
select Department. In the second dropdown box, click the down arrow and select Not Equals from the menu.
Finally, type ‘HR’ in the third box. This will create a rule that will check the Department field within Active
Directory. Click OK to save and exit the Rule Clauses window

5) The clause that was just created will now appear under the clause section of the Authorizer Rule Details
window. In the Rule name box, enter in ‘HR Workflow’. Click the Add button under the Authorizers section to
add request authorizers for this workflow

6) A User Details window will appear, click the “…” icon under Select Users to view the user search feature

7) In the Users Search window, type in ‘eric’ into the search box and click the Search button. Eric Adler will
appear in the search results, click on his name to select him and then click the OK button

8) Eric will now appear in the Selected Users box. Click the Add button below the Selected Users box to add Eric.
Eric will now appear in the middle section of the Authorizer Details window since he has been added as an
authorizer. Since Eric is the first authorizer added, he will automatically be given authorizer level 1. Click the
OK button

9) You will now be back at the Authorizer Rule Details window with Eric added as a level 1 Authorizer. Click the
Add button under Authorizers to add another authorizer

10) A User Details window will appear, click the “…” icon under Select Users to view the user search feature

11) In the Users Search window, type ‘erin’ into the search box and click the Search button. Erin Manning will
appear in the search results, click on her name to select her and then click the OK button

12) Erin will now appear in the Selected Users box. Click the Add button below the Selected Users box to add
Erin. Erin will now appear in the middle section of the Authorizer Details window since she has been added as
an authorizer. To add Erin as a second-level authorizer for the workflow, check the box next to Erin Manning’s
name, then click the down arrow to expand the Authorizer Level menu and select 2 from the list

13) You will now see Eric Adler as a level 1 authorizer and Erin Manning as a level 2 authorizer. What this means
is that when someone requests access to the HR folder who does not have the HR department code in Active
Directory, it will require both Eric and Erin to sign off on the request before it is approved. Click the OK
button at the bottom right to save and close the Authorizer Rule Details window

14) The new Authorization workflow rule will now appear under the Auth Rules tab for the HR folder.

15) Close and re-open Firefox and enter the credentials for Allen in the Windows Security box. The username will be
“acarrey” and the password will be “P@ssword1!”. Click OK

16) Click on the Permission Requests link in the left panel. In the Folders section of the permission request
form, click on the Browse button

17) The folder selection window will appear. Click on the + sign next to vrnslab.se to expand the share tree.
Expand the HR location and click on the HR folder to select it, and then click on OK

18) You will see the HR folder path in the Folders section. Click the Add button to move the directory down to the
Operations section. In the Operations section, you will see the directory to which you are requesting access
and, if available, an option to select a different permission level for the folder. You may leave this
section as default. In the Explanation section, you must enter the reason for the access request. In the
box, type “I want access” and then click the Finish button to submit the request

19) Once the request has been submitted, you will see a confirmation window. Click on the link at the end of the
phrase, “To view authorizers list click here” – This will display a window of the authorizers required to approve
the request

20) As you can see, because this request matched the criteria configured earlier, it must be reviewed and
approved by both Eric and Erin before it is fully processed. Click the Close button to close
the window.

21) Click on the Summary link in the left column in DataPrivilege and expand the My Requests option to view
Allen’s pending request. To see details about the request for the HR share, click the blue “i” icon next to the
request

22) Open Thunderbird from the desktop and expand Michael’s email ([email protected])

Note: You may need to click on the “Get Mail” tab in Thunderbird to check for new messages. You may need
to repeat this process after a few minutes if the email does not arrive immediately

23) A new DataPrivilege request will appear in the mailbox for Eric stating that Allen Carrey has requested access
to the HR folder along with the reason for the request. To automatically launch Firefox to review the request,
click on the link at the end of the phrase, “To view the request page: click here”

24) In Firefox, enter the credentials for Eric in the Windows Security box. The username will be “eadler” and the
password will be “P@ssword1!”. Click OK

25) DataPrivilege will automatically load the approval page for Allen Carrey’s request. Under the Authorization
section, click “approve” then enter in the text “OK” in the request approval box and click “approve” to
complete the request approval. Once this is complete, close Firefox by clicking the X button in the upper right
of the window and return to Thunderbird.

26) Once the 1st level approval is completed by Eric, a DataPrivilege email will appear in the mailbox for Erin. You
may need to click “Get Mail” in order for the email to come through. The email will explain that the request
has been handled by a designated authorizer, Eric Adler, and include his approval reason. To automatically
launch Firefox to review the request, click on the link at the end of the phrase, “To view the request page click
here”.

Please note: This request email will not appear in Erin’s mailbox until after the request has been approved by
the 1st level approver, Eric Adler, because of the authorization workflow process configured

27) In Firefox, enter the credentials for Erin in the Windows Security box. The username will be “emanning” and
the password will be “P@ssword1!”. Click OK

28) DataPrivilege will automatically load the approval page for Allen Carrey’s request. Under the Expiration Date
section, select the radio button next to the last option and enter 1 into the box. This will cause the permission
to be approved but it will be automatically revoked after 1 day. Click the “approve” button then enter “OK”
into the authorization explanation window. Click “approve” to complete the request.

29) Close and re-open Firefox. Enter the credentials for Allen in the Windows Security box. The username will be
“acarrey” and the password will be “P@ssword1!”. Click OK

30) In the left column of Data Privilege, click on the Summary link. In the middle section, underneath ‘My
Requests’, you will now see that the request has been Approved.

31) This concludes the Authorization Rule section. Close Firefox
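
The approval order configured in this section, as an added Python model (not Varonis code and not part of the original lab): level 1 must approve before level 2 is notified, and the expiration chosen by the final approver schedules the automatic revocation. The class, method and field names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AccessRequest:
    requester: str
    folder: str
    reason: str
    authorizers: dict  # authorizer level -> account, e.g. {1: "eadler", 2: "emanning"}
    approvals: list = field(default_factory=list)
    status: str = "Pending"
    expires_at: Optional[datetime] = None

    def current_level(self) -> Optional[int]:
        """Lowest authorizer level that has not approved yet, or None when all have."""
        done = {level for level, _user, _note in self.approvals}
        waiting = sorted(level for level in self.authorizers if level not in done)
        return waiting[0] if waiting else None

    def notified(self) -> Optional[str]:
        """Only the authorizer at the current level receives the request email."""
        level = self.current_level()
        if self.status != "Pending" or level is None:
            return None
        return self.authorizers[level]

    def approve(self, user: str, note: str, now: datetime, expire_days: Optional[int] = None):
        """Record one approval; higher levels cannot act before lower ones."""
        if self.status != "Pending":
            raise ValueError("request is already " + self.status)
        level = self.current_level()
        if self.authorizers[level] != user:
            raise PermissionError(f"{user} is not the level {level} authorizer")
        self.approvals.append((level, user, note))
        if self.current_level() is None:  # the last level has signed off
            self.status = "Approved"
            if expire_days is not None:
                self.expires_at = now + timedelta(days=expire_days)

    def is_active(self, now: datetime) -> bool:
        """The permission is live only while approved and not yet expired."""
        if self.status != "Approved":
            return False
        return self.expires_at is None or now < self.expires_at
```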

LAB 10: BUILDING AN ETHICAL WALL
Learning Objectives:
Learn how to configure and customize an ethical wall, which is an automatic rule designed to prevent a user or group
from getting access to data to which they should never have access

Overview: The goal of this lab is to build a custom ethical wall for denying permissions or group membership
requests using Varonis DataPrivilege based on clauses built off data fields pulled from Active Directory

Outcome: At the end of this lab you will have configured, customized and saved an ethical wall for preventing
unauthorized access to a resource

BUILDING AN ETHICAL WALL


1) Open Firefox, enter the credentials for Erin in the Windows Security box. The username will be “emanning”
and the password will be “P@ssword1!”. Click OK

2) Click on the Management link in the left column to expand the options. Click on the Folder Owner link. Click
on the + sign next to vrnslab.se to expand the directory tree. Expand the Marketing location and then click
on the Marketing folder to select it. You will then be presented with information about this folder to the far
right. Click on the tab to the far right called ‘Automatic Rules’ and then click on the Add button below.

3) An Automatic Rule Details window will appear. In the Rule name box, enter the title “No HR in Marketing”
then click the Edit button below the Clauses field.

4) A Rule Clauses box will appear. In the first clause box, click the down arrow and select Department, in the
dropdown box immediately to the right, click the down arrow and select Equals, and finally in the last box type
in “HR” (no quotes). This will match the Department field extracted from the Active Directory properties
against the text string entered in the box, and if it equals HR, the clause will be flagged as true. Click the OK
button

5) You will now see the clause that was just created present in the clauses section. In the Request Operation
Type box, select the radio button for Revoke All.
a. This will tell DataPrivilege that if the clause above is matched, either through a request made via the
DataPrivilege interface or if someone with the department code of HR is added manually outside of
DataPrivilege, the permission will not be allowed.
Place a check in the box next to Enforce Rule to enable the rule. Click OK to save and close the Automatic Rule
Details window and return to the owner portal

6) Once back at the owner portal, the new automatic rule will appear under the Automatic Rules tab.

7) Close and re-open Firefox. Enter the credentials for Eric in the Windows Security box. The username will be
“eadler” and the password will be “P@ssword1!”. Click OK

8) Click on the Permission Request link in the left column of the DataPrivilege window. Under section 2, Folders,
click on the Browse button

9) The folder selection window will appear. Click on the + sign next to vrnslab.se to expand the share tree.
Expand the Marketing location and click on the Marketing folder to select it, and then click on OK

10) You will see the Marketing folder path in the Folders section. Click the Add button to move the directory down
to the Operations section. In the Operations section, you will see the directory to which you are requesting
access and, if available, an option to select a different permission level for the folder. You may
leave this section as default. In the Explanation section, you must enter the reason for the access request.
In the box, type “I want access” and then click the Finish button to submit the request

11) A permission request summary will appear with the relevant details about the request.

12) Click on Summary, and you will see that the request has been declined instantly. This is because Eric is in the
HR department according to Active Directory and the automatic rule will deny any permission requests for the
Marketing folder which originate from a user with a department of HR.

13) This completes the Ethical Wall section. Close Firefox
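
An independent check of the rule built above, as an added Python example (not Varonis code and not part of the original lab): it evaluates the "Department Equals HR" clause against directory attributes, both for a new request and for accounts already in the group that grants access to Marketing. The directory export is constructed, and the case-insensitive comparison and the use of LAB-Marketing-RW-RW as the Marketing access group are assumptions of this example.

```python
import csv
import io

# Constructed directory export (not real lab data). Only eadler's department
# comes from the lab text; the other accounts and OTHER-GROUP are hypothetical.
DIRECTORY_CSV = """sAMAccountName,department,memberOf
eadler,HR,OTHER-GROUP
user_mkt,Marketing,LAB-Marketing-RW-RW
user_hr2, hr ,LAB-Marketing-RW-RW;OTHER-GROUP
svc_scan,,LAB-Marketing-RW-RW
"""

# The rule from steps 3-5, written as data.
RULE = {
    "name": "No HR in Marketing",
    "clauses": [("department", "Equals", "HR")],
    "operation": "Revoke All",
    "enforce": True,
}

# Assumption of this example: values are trimmed and compared without regard
# to case, so the audit also catches variants an exact match could miss.
OPERATORS = {
    "Equals": lambda actual, expected: actual.strip().casefold() == expected.strip().casefold(),
}


def load_directory(text):
    """Parse the export into {account: {"department": str, "groups": set}}."""
    directory = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups = {g for g in row["memberOf"].split(";") if g}
        directory[row["sAMAccountName"]] = {"department": row["department"], "groups": groups}
    return directory


def clause_matches(rule, attrs):
    """True when the rule is enforced and every clause holds for the account."""
    return rule["enforce"] and all(
        OPERATORS[op](attrs.get(name, ""), value) for name, op, value in rule["clauses"]
    )


def evaluate_request(rule, directory, user):
    """A matching request is declined at once; others go on to the authorizers."""
    return "Declined" if clause_matches(rule, directory[user]) else "Pending"


def audit_members(rule, directory, access_group):
    """Return (members the wall should remove, members it cannot judge)."""
    violations, unclassified = [], []
    for user, attrs in sorted(directory.items()):
        if access_group not in attrs["groups"]:
            continue
        if not attrs["department"].strip():
            unclassified.append(user)  # blank attribute: the clause never matches
        elif clause_matches(rule, attrs):
            violations.append(user)
    return violations, unclassified
```

Accounts in the second list have no Department value, so a department-based clause never applies to them and they need review by other means.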

LAB 11: BUILDING AN ENTITLEMENT REVIEW
Learning Objectives:
Learn how to configure and customize an entitlement review so business owners managing data resources will receive
automatic, actionable information on who has access to their resources; the data owners will also have the ability to
review the permissions, keep or remove user access and digitally sign the review once complete

Overview: The goal of this lab is to create an entitlement review and then walk through the steps of performing one
based on the criteria configured

Outcome: At the end of this lab you will have configured, customized and saved an entitlement review and walked
through the business user portion of completing an entitlement review

BUILD AN ENTITLEMENT REVIEW


1) Open Firefox. When prompted for a User ID and password, enter “itadmin” and “P@ssword1!”. Click OK

2) In the left hand column, click on the Administration link. The Administration group will expand and
underneath there will be several options. Click on the Entitlement Review link. The entitlement review
configuration will appear in the right-hand panel. The scheduling tabs will provide options for how often the
entitlement review should be run. In this example, you may leave the default scheduling as we will run the
report manually once it is configured.

3) Click on the configuration tab. By default, all managed groups and folders will receive entitlement reviews
and recommendations. Exceptions to this can be added to change the default behavior, if required. To add
exceptions, click on the Add Group button.

4) The Add Managed Groups window will appear and it will display a list of groups which DataPrivilege has
detected. Click on LAB-Marketing-RW-RW to select it and then click OK.

5) The Add Managed Groups window will close and you will be back at the Entitlement Review configuration
screen. You should see the LAB-Marketing-RW-RW group appear in the list. To add a managed folder for
entitlement review, click the Add Folder button

6) A new window will open and you will be presented with a folder browser. To expand the tree, click the + sign
next to vrnslab.se. Expand the Finance location and click on the Finance folder to select it, and then click OK

7) The share browser window will now close and you will be back at the Entitlement Review page. Both the
group and the folder will now appear in the list. For the LAB-Marketing-RW-RW group, place a check in the
“Enable Recommendations,” “Require Review” and “Enable Requests from Other Owners” boxes. For the
Finance share, place a check in the box for “Require Review”

8) Use the scroll bar to the right to scroll down to the bottom of the Entitlement Review page and save the
changes.

9) Scroll back to the top of the page and click on the Folder Scheduling tab. Click on the blue ‘i’ button next to
Default Folders Rule.

10) A new window will open, click on the Scheduling tab. At the bottom of the Entitlement Review scheduling
section, click on the “Run Now” button.

11) You will see a new window open with a message letting you know how many entities will be affected. Click OK
to continue and close Firefox

12) Open Thunderbird from the desktop and expand Erin’s email ([email protected])

13) The email notification for an entitlement review will appear in the inbox of Erin Manning. In the body of the
email, click on the link at the end of the phrase, “To view the request page, click here.”

14) Clicking the link in the body of the email will automatically launch Firefox. Enter the credentials for Erin in the
Windows Security box. The username will be “emanning” and the password will be “P@ssword1!”. Click OK

15) DataPrivilege will automatically start at the Summary screen and the ‘Waiting for my review’ section will be
expanded. Since Erin is the owner of several groups and folders, there may be multiple entitlement review
selections. Look in the ‘Req. Group/Folder’ column to locate the review for the finance folder. Click the blue
“i” icon next to this review

16) An Entitlement Review details window will pop up displaying the users who have permissions to the shares
which you are reviewing. You will also be provided with the options to keep or remove the user’s access. To
see additional information, you may click the drop down box on the right of the Entitlement Review window
and select “Detailed users’ effective permissions”.

17) Selecting this option shows the users’ effective permissions, that is, which security groups
each user is a member of that give them access to the share.

18) From the “View” dropdown, if you select the File-system permissions option, you will be able to see the
security groups that are applied to the share

19) In the “View” dropdown box, select “Users’ effective permissions.” This will again display the user within the
security group. You will have the option to either keep the user or remove him from the security group as
part of the Entitlement Review. If you select the Remove option, you will be prompted to enter a reason.

20) Click on the Keep radio button to leave Allen Carrey permissioned on the Finance share. Click “confirm”.

21) Enter “Still Valid” as the reason to keep Allen Carrey and finally type “P@ssword1!” into the box under the
heading, “I confirm that I have reviewed the objects listed above, along with their content.” Click the Sign
button

22) This concludes the Entitlement review portion of the DataPrivilege lab, close Firefox.

LAB 12: USING THE DATAPRIVILEGE SEARCH CAPABILITIES
Learning Objectives:
Learn about the various search options available within DataPrivilege

Overview: The goal of this lab is to familiarize the users with what search options and features are available

Outcome: At the end of this lab you will understand how to use the DataPrivilege search features

USING THE DATAPRIVILEGE SEARCH CAPABILITIES


1) Open Firefox. When prompted for a User ID and password, enter “itadmin” and “P@ssword1!”. Click OK

2) Click on the Search category in the left column to expand the menu. Within DataPrivilege, there are two
different search features. Click on Simple Search in the sub-menu. The standard search option provides a
simple dropdown menu to select the operation type on which you would like to report, and a radio button that
allows you to select the time range on which to report, being weekly, monthly, or All

3) Click on the ‘Monthly’ radio button, and then click the ‘Search’ button. By running a search for all request
types for the last month, you will see all Pending, Approved, Declined, Signed and Expired permission
requests, membership requests and entitlement reviews. It is now possible to search for entitlement reviews
according to a specific folder name, group name or rule name.

4) Click the “Advanced Search” link. The Advanced Search feature provides more fine-grained control over the
search results. This will allow you to filter by the requestor or requestee, the request type, request operation
type, or by a specific request status. Furthermore, you can filter the search by a specific request ID if it is
known. The advanced search also provides the option to limit an exact start and end date for the search as
well. Select “Pending” and click search. This will provide a view into all of the requests that are in a pending
state.

5) This concludes the Search section. Leave Firefox open for the next lab.

LAB 13: CONFIGURING COMMON DATAPRIVILEGE REPORTS
Learning Objectives:
Learn how to configure and customize the most common and useful reports in DataPrivilege

Overview: The goal of this lab is to create and customize the most common and useful reports with DataPrivilege

Outcome: At the end of this lab you will have configured, customized and saved two common reports within
DataPrivilege

CONFIGURE AND CUSTOMIZE COMMON VARONIS DATAPRIVILEGE REPORTS

1) Click on the Reports link. The list of available reports will display to the right.

1) To schedule reports to view requests and authorizations, click on the ‘Requests and Authorizations’ link. You
will be presented with several options which will allow you to configure the criteria for the reports, schedule
the reports to get generated on a current location, and run the reports ad-hoc. From the first dropdown
menu, select ‘Request Status’, leave ‘Equals’ in the second dropdown window and finally select ‘Pending’ as
the Request Status. When complete, click the ‘Run’ button to generate the report.
• Please note, if you would like to configure the report to display additional request types, you can click
the ‘Add’ button below the current filters to add another filter to the search criteria.

2) You will need to authenticate before producing the report. Use “emanning” and “P@ssword1!” to
authenticate.

3) The report will appear in the bottom portion of the window (Note, this may take a minute)

4) In order for administrators or audit and compliance officers to verify that data owners have completed their
entitlement reviews, the Entitlement Review By Status report can be configured and run ad-hoc or on a
scheduled basis. Click on the ‘Entitlement Review By Status’ link in the reports column. In order for the
report to be most effective for review on a recurring basis, the report can be scheduled using relative dating.
However, if run ad-hoc, a specific date range could be set. Click the Add button.

5) In the first dropdown box, select Request Date, then for the date mode, select ‘Relative last’ and finally, enter
30 into the days box to configure the report to display the results from the last 30 days

6) Click on the Group tab to group the results. Click the Add button to add a grouping option. Click the down
arrow and select Status as the grouping option

7) Click on the Sort tab to add a filter to sort the output of the report. Click the Add button to add a new sorting
option. From the first dropdown box, select ‘Creation Date’ and then click the Run button at the bottom right
to generate the report

8) The report will output all of the entitlement reviews over the last 30 days, grouped by status and sorted from
oldest to newest. (Note, this may take a minute)

9) This completes the DataPrivilege lab.
