How to: Configure Access Rules

Summary

The purpose of this article is to explain the concept of Access Rules and how they can be used to grant users the ability to view file service usage analyses in the NSS console and/or to use the software's application programming interface (API).

Access Rules determine which of the paths scanned in the Data Scan a user or group should be able to see information about in the NSS console. In the Access Rule, it is possible to grant users access to all paths scanned by the Data Scan (by entering *) or restrict them to viewing scanned data for one or several paths.

By using this capability it is possible to give users information relevant to their organisational role - role-adapted reporting. A common practice is to give Administrators the ability to see information gathered across all paths, managers the ability to see information related to their respective department(s), and users the ability to see the data in the specific shares they contribute to.

Access Rules can either be created manually or automatically through a synchronization job that creates an Access Rule for each user according to their permissions in the file system ('file system permission mirroring').

Intended results

Enable users to access role-adapted information about how they and their colleagues are using the file service.

Step-by-step

Access Rules can be configured through manual input or through a synchronization job that creates Access Rules based on file system permissions. This section will cover both methods of configuring Access Rules, starting with the manual input.

How to create Access Rules through manual input

  1. Access the NSS console Administration page and hover over the Access Rules option in the top menu. Select 'Users/Groups' in the drop-down menu.

  2. This page lets you create new Access Rules or modify existing ones. Click on the 'Create Rule' button to start configuring your Access Rule.

    Create Rule

  3. An options box will appear that allows you to configure an Access Rule for a specific user or group. Enter the desired configuration.

    Create New Manual Rule

    Clarification of the different Access Rule options:

    User/Group
    This is where you specify the user or group that the Access Rule should apply to. The feature will search for the user or group in AD and show whether it could be found or not.

    Application Role
    This drop-down menu allows you to assign a specific Application Role to the user/group in question. The Application Role determines which features of the NSS software will be available to the user/group. It also determines which View Profile is used, controlling which dashboards and widgets are shown.

    See KB-3143 for more information on how to create and manage Application Roles.

    See KB-3158 for more information on how to create and manage View Profiles.

    Send Welcome Email
    This checkbox setting dictates whether a welcome e-mail should be sent to the affected user or not when the new Access Rule is saved.

    The welcome e-mail is a fully customizable HTML-formatted mail that by default consists of a brief explanation of what the user is being asked to do (monitor and manage their file system use), the paths that have been assigned to the user along with a link to the NSS console.

    Path Role
    Path Roles can be used to grant different levels of responsibility for the management of (the data within) the paths that are included in the Access Rule. For example, users with the 'Data Steward' Path Role are able to create new Access Rules for these paths, delegating data management responsibility to additional users.

    Path
    Specifies the paths scanned by the Data Scan that should be visible to the user/group in question. Clicking on the 'Add Path' button adds the path to the path list.

    The 'Include Subs' checkbox simplifies the creation of a rule that includes a large number of paths. For example, specifying a CIFS server where several paths are included in the Data Scan and checking the 'Include Subs' checkbox will create a rule that includes all paths scanned on that CIFS server.

    It is possible to grant users the ability to see information about all scanned paths by adding a star ( * ) as the path. This is recommended for administrators and managers at the top of the organizational hierarchy.

    Path List
    The paths that have been added to the Access Rule are displayed in the path list. Changes to the path(s) can be made here if desired. 

    Below is an example of a new Access Rule that has been created for the user DQ\robert.dahlquist where a restricted Application Role (Test Role) has been assigned along with the ability to view information about three different user home shares.

    Access Rule Example

  4. Click on the 'Save' button at the bottom of the dialog box to save the Access Rule configuration.

  5. It is possible to verify the configuration/change by logging on to the NSS console using the credentials of the account that the Access Rule was configured for. If changes to the rule are required, go back to the Access Rule page in the Administration section and modify the rule by selecting it and clicking on the 'Edit rule' button.
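
The path options described in step 3 can be modelled to preview what a rule would expose before it is saved. This is an added example, not NSS code: the scanned paths, the principals other than DQ\robert.dahlquist, the component-wise matching for 'Include Subs' and the `review` helper are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample: paths covered by a hypothetical Data Scan.
SCANNED = [
    r"\\fs01\home\robert.dahlquist",
    r"\\fs01\home\anna",
    r"\\fs01\projects",
    r"\\fs010\finance",
]

@dataclass
class RulePath:
    path: str
    include_subs: bool = False  # models the 'Include Subs' checkbox

def parts(path):
    # Compare case-insensitively and per path component, so that
    # \\fs01 never matches \\fs010 through a plain string prefix.
    return [p.lower() for p in path.strip("\\").split("\\") if p]

def visible_paths(rule_paths, scanned=SCANNED):
    """Scanned paths that a rule with these entries would expose (assumed semantics)."""
    out = []
    for s in scanned:
        have = parts(s)
        for rp in rule_paths:
            want = parts(rp.path)
            if (rp.path.strip() == "*"
                    or have == want
                    or (rp.include_subs and want and have[:len(want)] == want)):
                out.append(s)
                break
    return out

def review(rules, wildcard_ok=()):
    """Map each principal to (visible paths, findings) for a least-privilege check."""
    approved = {p.lower() for p in wildcard_ok}
    report = {}
    for who, rule_paths in rules.items():
        findings = []
        if any(rp.path.strip() == "*" for rp in rule_paths) and who.lower() not in approved:
            findings.append("wildcard rule for principal not on approved list")
        for rp in rule_paths:
            if rp.path.strip() != "*" and not visible_paths([rp]):
                findings.append(f"no scanned path matches {rp.path}")
        report[who] = (visible_paths(rule_paths), findings)
    return report
```

Running `review` over a planned set of rules shows which principals would see everything through `*` and which path entries match nothing in the scan, for example because of a typo.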

How to create Access Rules through an automated synchronization job

  1. Access the NSS console Administration page and hover over the Access Rules option in the top menu. Select 'Policies' in the drop-down menu.

  2. This page lets you create Access Rules that mimic permissions in the file system. Click on the 'Create' button to start configuring the Access Rule synchronization job.

  3. An options box will appear that allows you to configure Access Rules for specific users and/or groups based on the file system permissions. Enter the desired configuration.

    Access Rule Synchronization

    Clarification of the different Access Rule Policy options:

    Policy Name
    Specify the name of your new Access Rule Policy here.

    File System Permissions Required to Qualify
    This is where the permissions to mirror are specified. It is possible to select either 'Modify' or 'Read'. Selecting 'Modify' will result in Access Rules being created that allow users to see file service use information about paths where they have modify permissions. Selecting 'Read' will allow viewing of information gathered from paths where users have the read privilege.

    Include Users/Groups
    Specify the users or groups that the policy should be applied to. It is possible to apply the policy to all users and groups by selecting 'All Users/Groups' in the drop-down menu. It's also possible to include/exclude specific users or groups.

    Selecting 'For All Except' and then specifying users/groups will lead to the creation of Access Rules for all users except the users/groups specified.

    If you don't want the policy to apply to all users, you can assign it to a specific set of users/groups by choosing 'Only Selected Users' and specifying the target users/groups.

    Application Role
    Specify the Application Role that should be applied for the users affected by this policy.

    See KB-3143 for information on how to create and manage Application Roles.

    Path Setting
    The Path Setting feature makes it possible to decide the paths that should be affected by this policy.

    It is possible to apply the Access Rule Policy to All Paths, only to paths that are included in a specific Path Category, or only to paths that share a specific Path Label value.

    See KB-3118 for information about Path Categories and KB-3116 for information about Path Labels.

    The Path Role for the users affected by this policy can also be set here. See KB-3143 for more information on how to create and manage Path Roles.

    Synchronization Schedule
    The synchronization schedule controls when and how often file system permissions should be re-synchronized. The 'Run Now' checkbox makes it possible to run the job upon saving it.


    Below is an example of a new Access Rule Policy that has been created for all paths categorized as 'User Shares'. Access Rules will be created for all users except DQ\bildat31.

    The Access Rule Policy in the example is based on the 'Modify' permission, which means that users will only see data for the paths where they have the modify file system permission. The affected users will have the Data Contributor Path Role, which means they will not be able to delegate access to information about 'their' paths to other users.

    The synchronization job has been scheduled to start on a Friday evening and run once per week to synchronize with any changes in file system permissions. The job will be executed upon saving the configuration.

    Access Rule Synchronization Example

  4. Click on the 'Save' button at the bottom of the dialog box to save the Access Rule Policy configuration.

  5. Go to the Users/Groups section under the Access Rules menu option to verify that the rules have been created by the policy. If the Access Rules have been created, expand a few of them to verify that the expected path(s) are included.

    Once the Access Rules have been correctly created, verify that file service usage information is being displayed as expected by logging on to the NSS console using a relevant account, or ask a colleague to log on and review.
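
The policy options above (permission to qualify, include/exclude, Path Category) can be modelled to predict which Access Rules a synchronization job would create, and how much visibility widens when 'Read' is chosen instead of 'Modify'. This is an added example, not NSS code: the ACL data, the principals other than DQ\bildat31, the mode names `all`/`except`/`only` and the assumption that Modify also satisfies 'Read' are illustrative.

```python
# Constructed sample data: effective permission per principal on each scanned
# path, and each path's Path Category. Group membership is not expanded here.
ACLS = {
    r"\\fs01\home\anna":     {r"DQ\anna": "modify", r"DQ\helpdesk": "read"},
    r"\\fs01\home\bildat31": {r"DQ\bildat31": "modify"},
    r"\\fs01\projects\x":    {r"DQ\anna": "read", r"DQ\erik": "modify"},
}
CATEGORY = {
    r"\\fs01\home\anna": "User Shares",
    r"\\fs01\home\bildat31": "User Shares",
    r"\\fs01\projects\x": "Projects",
}
RANK = {"read": 1, "modify": 2}  # assumption: holding Modify also satisfies 'Read'

def mirror(required, mode="all", principals=(), category=None):
    """Return {principal: [paths]} for the Access Rules the modelled policy creates.

    mode: 'all' (All Users/Groups), 'except' (For All Except),
          'only' (Only Selected Users); category=None means All Paths.
    """
    listed = {p.lower() for p in principals}
    rules = {}
    for path, acl in ACLS.items():
        if category is not None and CATEGORY.get(path) != category:
            continue
        for who, perm in acl.items():
            if RANK[perm] < RANK[required]:
                continue
            if mode == "except" and who.lower() in listed:
                continue
            if mode == "only" and who.lower() not in listed:
                continue
            rules.setdefault(who, []).append(path)
    return {who: sorted(paths) for who, paths in rules.items()}

def newly_exposed(before, after):
    """Paths each principal gains when the policy setting changes."""
    gained = {}
    for who, paths in after.items():
        extra = sorted(set(paths) - set(before.get(who, [])))
        if extra:
            gained[who] = extra
    return gained
```

Comparing `mirror("modify", ...)` with `mirror("read", ...)` through `newly_exposed` lists the principals who would gain visibility into paths they can only read, which is the set to review before switching the qualifying permission.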

Confirm results

Log on to the NSS console using an account that has an Access Rule defined to verify that content is displayed as expected. Adjust the Access Rules if necessary and perform the same operation again for final verification.

For advanced troubleshooting, please contact the Technical Support team at Northern (support@northern.net).

ADDITIONAL RESOURCES

  • KB3143 How to: Create & Manage Security Roles
  • KB3119 How to: Configure Data Scans
  • KB3118 How to: Create Path Categories
  • KB3158 How to: Configure View Profiles

KB Article: 3120
Updated: 3/27/2017
Category: Usage
Affected versions: NSS 9.7, NSS 9.8
