cancel
Showing results for 
Search instead for 
Did you mean: 

Data Insight user permission with no inheritance

Marco1975
Level 1

Hello.

I'm facing an issue with the Windows Share servers administrator, and would like to know if someone can suggest a solution.
In our windows share architecture, the shared folders does not inherit permission from the parent folders, so permissions are assigned tu user and user groups directly on the folders.

This lead to a hard-to-manage mess due to the huge amount of files and folders, so its very difficult for me to have the administrator add the Data Insight user to each of the folder through the whole file system (more than one share server and hundreds of folders).

Is there a way to give permissions to an AD user in such a way that it has the needed privilege to access all folders and files for Data Insight to work?
Adding the user to domain admins does not fit, because the domain admins are not allowed to access the folders too, the permissions have been assigned only to specific users/groups for each folder.

Thanks

1 REPLY 1

Pix_R
Level 5

Marco, It seems your storage admins have designed a behemoth headache for administration. They have introduced a massive headache for regulatory compliance, object classification and data governance.

You will not be able to use DI (Data Insight) to assist in your remediation as you will likely not have a record of the current permissions and the captured I/O audit information will only include the active user. DI remediation will not help as you cannot traverse the tree. If you do not have a single administrative user or allow the SYSTEM user to cascade down the file system even the local administrator will have difficulty in monitoring the data stored on these shares.

As to proper ACL additions to the storage you have a few choices, painful choices though. My suggestions would be to force the Admins to ensure the local administrators group has access everywhere, all the time, just as a best practice and add your DI scan user to the group. Using Set-acl via PowerShell or Icacls via DOS is likely to fail you if the permissions are so restrictive as to avoid the simplest of administration. If the Administrator is capable they can add your user to every object on the file system and you can leave the share open  to Everyone or Authenticated Users.

Other choices would be: to switch the scan user to SYSTEM on the machine by removing the need for credentials in the DI device configuration but that assumes they have left that user with the right, creating a backup user group /power users group with Bypass traverse checking enabled and adding the named credential form DI into that group. They do back up data don't they?

If you have an overly paranoid SysAdmin and they do not wish to grant the DI credential full rights then explain the need to traverse the file system, read the object's metadata and if classifying download the files from the server itself. They likely might be able to add the user in a restricted capacity if they understood the need for data governance in your organization's Data life cycle and regulatory adherence plans.

Good Luck
Pix